[ http://jira.codehaus.org/browse/CONTINUUM-1085?page=comments#action_83386 ]

Wendy Smoak commented on CONTINUUM-1085:
----------------------------------------

If the password field were required (see CONTINUUM-1089), then #3 and #5 above wouldn't be possible. Ideally, if you try to log in with a not-yet-validated, newly registered account, you'd be presented with a message explaining that you need to look for the validation email and click the link (or contact the administrator).

> New user validation is not enforced
> -----------------------------------
>
>                 Key: CONTINUUM-1085
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1085
>             Project: Continuum
>          Issue Type: Bug
>          Components: Web - Security
>            Reporter: Wendy Smoak
>
> When registering for a new account, the requirement to click the link in the
> validation email is not enforced.
>
> Steps to reproduce:
> 1. Register for an account
> 2. Ignore the confirmation email
> 3. Attempt to log in with the new userid. Leave the password blank
> 4. You are prompted to 'Change Password'
> 5. Leave the 'existing password' blank, and enter a new password (twice).
> 6. You are logged in and on the Edit Details screen
>
> 1a. The newly created account is not "Locked" (even though the registration
> confirmation page says it will be.) CONTINUUM-1084
> 1b. Even if you log in as admin and lock the account, steps 3-5 still work.
> 4a. If you navigate away from the change password page without completing it,
> you appear to be logged in and can see everything from project groups down to
> build results. (Possibly related to CONTINUUM-1082 where a guest user with
> no roles can also see everything.)

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
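The checks the report and the comment ask for, as an added example that is not Continuum's or its security layer's own code: a required password, the "validated" flag set only by the emailed link, the lock honoured before any credential check, and the existing password re-verified before a change. The names Account, register, login and change_password are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    validated: bool = False   # flipped only by the emailed validation link
    locked: bool = False      # set by an administrator


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> Account:
    # Registration itself requires a password; the account starts unvalidated.
    if not password:
        raise ValueError("Password is required.")
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_pw(password, salt))


def login(acct: Account, password: str) -> tuple[bool, str]:
    # A blank password is refused before anything else (report step 3).
    if not password:
        return False, "Password is required."
    if acct.locked:
        return False, "This account is locked. Contact the administrator."
    if not acct.validated:
        return False, ("This account has not been validated. Check your email "
                       "for the validation link, or contact the administrator.")
    if not hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash):
        return False, "Invalid username or password."
    return True, "ok"


def change_password(acct: Account, existing: str, new: str, confirm: str) -> tuple[bool, str]:
    # The existing password goes through the full login check, so a blank
    # value, a locked account or an unvalidated account cannot reach the
    # change step (report step 5).
    ok, msg = login(acct, existing)
    if not ok:
        return False, msg
    if not new or new != confirm:
        return False, "New passwords must be non-empty and match."
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_pw(new, acct.salt)
    return True, "Password changed."
```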
