PUBLIC - Liferay Portal Community Edition

Password reset link not valid when reset ticket max age is set to eternal

Details

  • Branch Version/s:
    6.1.x
  • Backported to Branch:
    Committed
  • Similar Issues:
    Show 4 results 

Description

In the password policies, you can set the reset ticket max age to eternal. This implies that the ticket send to the user for a password reset is always valid. However once a reset is requested, then the reset link send by mail, will not forward the user to the password reset screen and the ticket is removed from the database.

In the file /portal-web/html/potlet/password_policies_admin/edit_password_policy.jsp, the reset max age is set to 0.

This is calculated with in UserLocalServiceImpl class in the sendPassword method:
Date expirationDate = new Date(System.currentTimeMillis() + (passwordPolicy.getResetTicketMaxAge() * 1000)); (line 3222)

The expiration date is set to the current date. The link is send to the user. After clicking it, the link is processed in UpdatePasswordAction class, where the ticket is checked for expiration (line 121) where it will always fail because it is before the current datetime.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Michael Saechang added a comment -

Committed on:
Portal 6.1.x CE GIT ID: a56304b35a9f07795fc259ee0a59294a98ab0ef9.
Portal 6.2.x GIT ID: 17d712db3713217ee9fd7d98b76b63053ae7aca0.

Show
Michael Saechang added a comment - Committed on: Portal 6.1.x CE GIT ID: a56304b35a9f07795fc259ee0a59294a98ab0ef9. Portal 6.2.x GIT ID: 17d712db3713217ee9fd7d98b76b63053ae7aca0.
Hide
Permalink
Sharry Shi added a comment -

PASSED Manual Testing using the following steps:

  1. Login as admin.
  2. Go to Control Panel.
  3. Click at Password Policies under Portal.
  4. Edit the Default Password Policy, change the Reset Ticket Max Age as Eternal.
  5. Setup the Mail in Server Administration.
  6. Create a new user with an registed gmail Email Address.
  7. Sign out.
  8. Click At Forgot Password.
  9. Fill the new user's gmail address in the Email Address field,and fill the same number in Text Verification as picture.
  10. Change your local time to the future.
  11. Login your gmail, check the email from Joe Bloggs.
  12. Click the link in your email.

Reproduced on:
Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 9d36ccf60637ddb1db9cdb449dbc94c18a241f83.

The Password reset link can not navigate to password reset page.

Fixed on:
Tomcat 7.0 + MySQL 5. Portal 6.1.x.CE GIT ID: 7d73bea60eeab31ac1cf4a3270dc0f916ce1fd44.
Tomcat 7.0 + MySQL 5. Portal 6.1.x.EE GIT ID: 94f8f37a1fe7df90fe4603c7e072ffe80f96c05d.
Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: abae10ad2e421868e4e238b9693a783b414091ce.

The Password reset link navigates user to the password reset page.

Show
Sharry Shi added a comment - PASSED Manual Testing using the following steps: Login as admin. Go to Control Panel. Click at Password Policies under Portal. Edit the Default Password Policy, change the Reset Ticket Max Age as Eternal. Setup the Mail in Server Administration. Create a new user with an registed gmail Email Address. Sign out. Click At Forgot Password. Fill the new user's gmail address in the Email Address field,and fill the same number in Text Verification as picture. Change your local time to the future. Login your gmail, check the email from Joe Bloggs. Click the link in your email. Reproduced on: Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 9d36ccf60637ddb1db9cdb449dbc94c18a241f83. The Password reset link can not navigate to password reset page. Fixed on: Tomcat 7.0 + MySQL 5. Portal 6.1.x.CE GIT ID: 7d73bea60eeab31ac1cf4a3270dc0f916ce1fd44. Tomcat 7.0 + MySQL 5. Portal 6.1.x.EE GIT ID: 94f8f37a1fe7df90fe4603c7e072ffe80f96c05d. Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: abae10ad2e421868e4e238b9693a783b414091ce. The Password reset link navigates user to the password reset page.

People

Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved:
    Days since last comment:
    51 weeks, 1 day ago