Lost password functionality enables users to circumvent activation #37

Vinai opened this Issue Jan 29, 2014 · 12 comments


None yet

2 participants

Vinai commented Jan 29, 2014

We found some users on my client's wholesale site able to circumvent the activation on their account. Running latest version of customer activation extension. we are running magento

Steps to reproduce:

  1. Enable extension etc.
  2. Regisetr a customer account.
  3. Go to log in screen and choose "lost poassword"
  4. user gets emailed a password change link
  5. user follows password change link and is able to chaneg password
  6. magento automatically logs user in after the password change.
Vinai commented Jan 29, 2014

Quick status update:
Inspecting the code of the Mage_Customer_AccountController::resetPasswordPostAction() it apears the method has changes in Magento 1.7.
So the issue only exists on Magento 1.6 and older.

Vinai commented Jan 29, 2014

Please try the fix in the latest version and let me know if it works for you.
I've only got newer Magento instances to test the code on, and there the fix isn't needed.

many thanks. I will check this week. Thanks for such fast feedback on the issue :)

This doesn't work I'm afraid - most likely due to the fact that the resetPasswordPostAction function does a redirect, so your observer never gets called.

Vinai commented Jan 31, 2014

The _redirect() method call just seta a few headers on the response object it has no influence on the postDispatch method being called, where the post dispatch event is triggered.

The redirect headers are later sent by the front controller after the action controller has completed.
I guess the I might have gotten the event code wrong or something.

aah ok. thanks for the clarification. I will look into it further. You said btw the resetPasswordPostAction function had changed. I compared the magento and version and I couldn't see any differences that would change this behaviour - I was wondering what the core code change is that is different on 1.7 if you knew.

@Vinai Vinai added a commit that referenced this issue Jan 31, 2014
@Vinai Change action name part of postdispatch event name to lower case. Hop…
…efully takes care of #37 now for real

I couldn't see in this function even on 1.6 where the customer session is being set. so I assume it was in one of the class functions being called, unless I have just missed something obvious.

Vinai commented Jan 31, 2014

The problem was the following:
The resetpasswordpost action is specified in lower case in the template.
The method name in the PHP class is in CamelCase.
This works only because PHP method names are case insensitive.
The XML node names however are case sensitive.
So the action name part of the event code in the XML has to match what is used in the template file.
Please try again, the last commit should do the job now finally :)

yep. that fixes it thanks. Would still be interested in where the 1.6 -> 1.7 behaviour has changed in the code btw if you have an answer to that - just because I didn't spot it yet. Cheers.

Vinai commented Feb 1, 2014

It seems I was mistaken. Looking for the code that logged the customer in after the reset I had slipped into the editPostAction method.

That said, on a standard Magento installation, customers are not automatically logged in after they reset their password.
I just installed a vanilla to try to reproduct the issue.
No login after password reset.
You got to have some customization in place that caused that behavior in the first place.
I'll leave the event observer in place never the less, but I fleshed out the method a little (see the commit above).

@Vinai Vinai closed this Feb 1, 2014

Thanks for the additional info. I will attempt to work out what is causing this.

Vinai commented Feb 1, 2014

Will apreciate any update on the issue here! Its always good to know why something is happening!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment