
Add "this wasn't me" functionality to password reset process #22705


Merged
merged 12 commits into from
Oct 25, 2024

Conversation

mneudert
Member

@mneudert mneudert commented Oct 22, 2024

Description:

Extends the password reset process with a "this wasn't me" functionality.

A new link was added to the (reworded) password reset email, allowing a user to invalidate the reset token without changing the user's password.

To support replacing the "reset password process cancelled" view, the event Template.loginCancelResetPasswordContent can be listened to. Writing any content to this event's variable will display that instead of the default content.

To prepare future auditing capabilities, the reset process has received the events for the three potential steps:

  • Login.resetPassword.initiated
  • Login.resetPassword.cancelled
  • Login.resetPassword.confirmed

fixes #14543

Refs DEV-14582
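As an added illustration (not code from this PR or from Matomo itself), a hypothetical plugin that subscribes to the events described above: it replaces the default "reset cancelled" content through the Template event and records the three reset steps for auditing. The plugin name, the message text, and the assumption that the Login.resetPassword.* handlers receive positional arguments are all mine; the argument list of those events is not shown on this page.

```php
<?php
// Added example, not code from the Matomo PR: a hypothetical "ResetAudit"
// plugin hooking the events the PR introduces.
namespace Piwik\Plugins\ResetAudit;

use Piwik\Common;
use Piwik\Container\StaticContainer;
use Piwik\Plugin;
use Psr\Log\LoggerInterface;

class ResetAudit extends Plugin
{
    // Matomo calls registerEvents() to learn which hooks a plugin listens to.
    public function registerEvents(): array
    {
        return [
            'Template.loginCancelResetPasswordContent' => 'renderCancelledContent',
            'Login.resetPassword.initiated'            => 'auditInitiated',
            'Login.resetPassword.cancelled'            => 'auditCancelled',
            'Login.resetPassword.confirmed'            => 'auditConfirmed',
        ];
    }

    // The template event passes the content by reference (see the
    // Piwik::postEvent() call in the PR); writing anything into it replaces
    // the default "reset cancelled" view.
    public function renderCancelledContent(string &$content): void
    {
        $message = 'Your password reset request was cancelled; your password was not changed.';
        $content = '<p>' . Common::sanitizeInputValue($message) . '</p>';
    }

    public function auditInitiated(...$args): void { $this->audit('initiated', $args); }
    public function auditCancelled(...$args): void { $this->audit('cancelled', $args); }
    public function auditConfirmed(...$args): void { $this->audit('confirmed', $args); }

    // Assumption: the event arguments are not documented on the PR page, so
    // only the step name and the argument count are written to the log.
    private function audit(string $step, array $args): void
    {
        $logger = StaticContainer::get(LoggerInterface::class);
        $logger->info(sprintf('Password reset %s (%d event argument(s))', $step, count($args)));
    }
}
```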

Review

@mneudert mneudert added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Needs Review PRs that need a code review labels Oct 22, 2024
@mneudert mneudert added this to the 5.2.0 milestone Oct 22, 2024
@mneudert mneudert requested a review from a team October 22, 2024 19:23
caddoo
caddoo previously approved these changes Oct 23, 2024
Member

@sgiehl sgiehl left a comment


I've added a couple of suggestions for possible improvements. Functional testing worked fine, though.

```php
 *
 * @param string $cancelResetPasswordContent The content to render.
 */
Piwik::postEvent('Template.loginCancelResetPasswordContent', [&$cancelResetPasswordContent]);
```

The event could also be posted directly in the template within a {{ set }} or similar. Might be a bit less complex, as you can directly see in the template where the data is coming from. On the other hand, the comment above is useful, and we couldn't add it similarly in the template. So I guess I would keep it that way.


@sgiehl sgiehl left a comment


One minor thing left. Everything else now looks good to me.

Co-authored-by: Stefan Giehl <stefan@matomo.org>
@sgiehl sgiehl merged commit 389ed5d into 5.x-dev Oct 25, 2024
26 checks passed
@sgiehl sgiehl deleted the dev-14582 branch October 25, 2024 07:53
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Needs Review PRs that need a code review
Development

Successfully merging this pull request may close these issues.

Add 'This wasn't me' to reset password E-Mail
3 participants