  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-98768

Login portlet allows configuration of unused password change template




      When the portal is configured to send password reset links instead of passwords insecurely in the email body, the "Password Changed Notification" portlet preference as configured via the portlet instance will never be used. It should be removed from this configuration scope, or maybe just shown as read-only.

      Steps to reproduce:

      1. Via "Server Administration" in control panel, configure an SMTP email server connection
      2. Via "Instance Settings" in control panel, configure...
        1. "Allow users to request forgotten passwords?" = true
        2. "Allow users to request password reset links?" = false
      3. Place the "Sign in" portlet on a page and click to configure it
      4. On the "Password Changed Notification" tab add a recognizable string to the email subject or body.
      5. Log out
      6. Using the login portlet, click "Forgot Password" and complete the challenges
      7. Wait for the email to arrive and complete the password reset process to set a new password

       Expected result: The email that is received contains the recognizable string

       Actual result: The email received is derived from the template configured/defaulted in "Instance Settings" > "Email" instead

       Please note that the email template configured in step 4 is used if you reverse the configuration in step 2, so it is not completely redundant.





            marta.medio Marta Medio (Inactive)
            stian.sigvartsen Stian Sigvartsen
            Kiyoshi Lee Kiyoshi Lee