Account Lock Bypass via Password Reset Flow #8757

Merged: nolanpro merged 3 commits into develop from bugfix/FOUR-30040-A on Mar 24, 2026

@marcoAntonioNina marcoAntonioNina commented Mar 24, 2026

Issue & Reproduction Steps

During the process of resetting a password in the Forgot Password section, it was possible to access the user's session even if the user was locked out.

Solution

  • Now, if a user is locked out and accesses the Forgot Password section, they are no longer sent the password reset email.

How to Test

This should be tested with both active and locked users in the Forgot Password section.

Related Tickets & Packages

Code Review Checklist

  • I have pulled this code locally and tested it on my instance, along with any associated packages.
  • This code adheres to ProcessMaker Coding Guidelines.
  • This code includes a unit test or an E2E test that tests its functionality, or is covered by an existing test.
  • This solution fixes the bug reported in the original ticket.
  • This solution does not alter the expected output of a component in a way that would break existing Processes.
  • This solution does not implement any breaking changes that would invalidate documentation or cause existing Processes to fail.
  • This solution has been tested with enterprise packages that rely on its functionality and does not introduce bugs in those packages.
  • This code does not duplicate functionality that already exists in the framework or in ProcessMaker.
  • This ticket conforms to the PRD associated with this part of ProcessMaker.

ci:deploy

- Added logic to prevent password reset for blocked users in ForgotPasswordController and ResetPasswordController.
- Updated response messages for blocked accounts in language files.
- Modified reset password view to retain email input value after validation errors.
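
The commit above adds the blocked-user check to both the forgot-password and the reset controllers. The following sketch is an added example, not ProcessMaker's code, and shows why both steps need it: a token issued before the lock must not be redeemable afterwards. The `User` and `ResetFlow` classes, the `BLOCKED` status value and the sample accounts are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory model; class names and status values are assumptions.
final class User {
    public function __construct(public string $email, public string $status, public string $passwordHash = '') {}
}

final class ResetFlow {
    private array $tokens = [];   // sha256(token) => email
    public array $outbox = [];    // addresses a reset mail was "sent" to

    public function __construct(private array $users) {}   // email => User

    // Step 1: forgot-password request. A locked account gets no token and no mail.
    public function request(string $email): ?string {
        $user = $this->users[$email] ?? null;
        if ($user === null || $user->status === 'BLOCKED') {
            return null;
        }
        $token = bin2hex(random_bytes(32));              // would be mailed, not returned
        $this->tokens[hash('sha256', $token)] = $email;  // store only the digest
        $this->outbox[] = $email;
        return $token;
    }

    // Step 2: token redemption. Re-check the lock here as well: the account may
    // have been locked after the mail went out, and the token would still work.
    public function reset(string $token, string $newPassword): bool {
        $key = hash('sha256', $token);
        $user = $this->users[$this->tokens[$key] ?? ''] ?? null;
        unset($this->tokens[$key]);                      // single use, whatever the outcome
        if ($user === null || $user->status === 'BLOCKED') {
            return false;
        }
        $user->passwordHash = password_hash($newPassword, PASSWORD_DEFAULT);
        return true;
    }
}

// Constructed sample data: one active user, one user locked before the request.
$alice = new User('alice@example.test', 'ACTIVE');
$bob   = new User('bob@example.test', 'BLOCKED');
$flow  = new ResetFlow([$alice->email => $alice, $bob->email => $bob]);

var_dump($flow->request($bob->email));             // locked at request time
$token = $flow->request($alice->email);            // token issued while active
$alice->status = 'BLOCKED';                        // locked after the mail was sent
var_dump($flow->reset($token, 'N3w-passphrase'));  // redemption attempt after the lock
var_dump($flow->outbox);                           // who was actually mailed
```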

@Kookster310

QA server K8S was successfully deployed https://ci-e064d31301.engk8s.processmaker.net

@nolanpro nolanpro merged commit 7e4e133 into develop Mar 24, 2026
8 checks passed
@nolanpro nolanpro deleted the bugfix/FOUR-30040-A branch March 24, 2026 22:23