#11409: Too many password reset requests even when disabled in settings #11434
Conversation
adrian-martinez-interactiv4
changed the title
dmanners
added
Release Line: 2.3
2.2.x
Reproduced on 2.1.x
| ); | ||
| $originalScope = $this->scope->getCurrentScope(); | ||
| $this->scope->setCurrentScope(\Magento\Framework\App\Area::AREA_FRONTEND); |
There was a problem hiding this comment.
Does this work with multiple stores each with a different value?
There was a problem hiding this comment.
This has many considerations, I'll explain them in a separate comment in the main thread.
|
My thoughts here would be why should the admin be limited when resetting accounts to the customer restrictions. Imagine the case that a user has a problem with a reset and then calls the shop owner, the shop owner as a logged in admin, in my opinion, should be able to reset the password regardless of if the frontend reset timer limit has been reached. I would be interested to hear other thoughts here though. |
|
Hi @dmanners , in first place, I agree with you in last comment, shop owner logged as admin should be always able to reset customer password email, I could simply skip security checks for admin scope when password request is for a customer. That would solve part of the problem, or at least, the problem mentioned in issue #11409. If we agree in the previous paragraph, and I do it this way, security checks will only be applied for admin user password requests from admin area, and for customer password requests from frontend area. Then you ask me: Yes, but with some considerations. In It will take proper settings from current store; if we don't check this fields from admin scope for customer password reset requests, since this values are not used anymore for this case and they are retrieved properly for the rest of cases, it should work for multiples stores with different values. What I can see digging here is another design issue, maybe for other PR, that may start from applied changes from this PR. This security checks share a table, password_reset_request_event, for admin users and customers password reset requests: Where request_type == 0 for admin users, and request_type == 1 for customers. The problem here is that this structure is enough for admin users, and also for customers, but only if customer account sharing option is global. Let's say I have 2 different websites and I have a separate account for each of them with the same email. Requesting password in the first website will affect requesting password in the second one, even if they are independent customers that may have different passwords, due that only account reference is the email. Let me know what you think about this all. |
|
HI @adrian-martinez-interactiv4 I agree on the statement Thanks |
adrian-martinez-interactiv4
force-pushed
the
FR#11409-TOO-MANY-PASSWORD-RESET-REQUESTS
branch
from
cddfb0b
to
4651acb
Compare
|
@dmanners Done, could you check it please? Thank you |
adrian-martinez-interactiv4
force-pushed
the
FR#11409-TOO-MANY-PASSWORD-RESET-REQUESTS
branch
from
4651acb
to
94d58cb
Compare
| @@ -26,10 +26,17 @@ class Config implements ConfigInterface | |||
|
|
|||
| /** | |||
| * Configuration path to fronted area | |||
| * @deprecated | |||
| * @see \Magento\Security\Model\Config::XML_PATH_FRONTEND_AREA | |||
| */ | |||
| const XML_PATH_FRONTED_AREA = 'customer/password/'; | |||
There was a problem hiding this comment.
I would also suggest using self::XML_PATH_FRONTEND_AREA as the value then we will not need to maintain two versions of the constant.
There was a problem hiding this comment.
@dmanners Done
…PATH_FRONTEND_AREA
adrian-martinez-interactiv4
force-pushed
the
FR#11409-TOO-MANY-PASSWORD-RESET-REQUESTS
branch
from
94d58cb
to
86fe123
Compare
|
@dmanners Test passed, moving changes to backports |
…abled in settings #11434
[EngCom] Public Pull Requests - develop - MAGETWO-83154: [2.3-develop] Order grid - Sort by Purchase Date Desc by default #11931 - MAGETWO-83101: [Backport 2.3-develop] #8236 FIX CMS blocks #11805 - MAGETWO-83092: Remove unneeded, also mistyped, saveHandler from CatalogSearch indexer declaration #11626 - MAGETWO-83091: Remove "Undefined fields" from under lib folder #11662 - MAGETWO-83083: 10195: Order relation child is not set during edit operation #11909 - MAGETWO-82998: [2.3-develop] X-Magento-Tags header containing whitespaces causes exception #11849 - MAGETWO-82633: #11409: Too many password reset requests even when disabled in settings #11434
adrian-martinez-interactiv4
deleted the
FR#11409-TOO-MANY-PASSWORD-RESET-REQUESTS
branch
|
related internal ticket MAGETWO-71194 |
When attempting to reset a customer's password via the admin, the system tells me 'Too many password reset requests' even when I have disabled the 'max wait time between password resets' in the store configuration settings.
Description
\Magento\Security\Model\Config::getXmlPathPrefix() method fails to use the customer configuration
customer/password/, using theadmin/security/settings instead, when reset password is triggered from admin, due to current scope:Emulated frontend area in scope in plugin method \Magento\Security\Model\Plugin\AccountManagement::beforeInitiatePasswordReset, also fixed di.xml parameter injection that caused customer password reset requests also counting as admin user requests when emails coincide for admin user and customer.
Fixed Issues (if relevant)
Manual testing scenarios
Contribution checklist