https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962
Jonathan Druart <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jonathan.druart+koha@gmail.com
             Status|Signed Off                  |Failed QA

--- Comment #11 from Jonathan Druart <[email protected]> ---
1. Missing tests (you must provide tons of tests to cover the different situations)
2. Route's name should not be a verb (/password/validation maybe?)
3. Routes that return empty should return 204
4. It's always returning "Invalid password" even for other failures (like too many attempts)
5. It allows you to check for pwd validation for a user whose userid you don't know (you can brute force only by knowing the patron's id). I don't think it's a security concern as userid could be guessed anyway (?)
6. Following 5, you can lock any account if FailedLoginAttempts is set, no need to know the userid list. How bad is that?

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
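The following is an added toy model of the route being reviewed, written for this page and not taken from the Koha patch or the Koha code base. It shows points 4 and 6 of the QA comment side by side: a validation route keyed only by patron id that counts failures and answers "Invalid password" for everything lets an anonymous caller walk the id space and push every patron over the FailedLoginAttempts threshold, while a variant that requires an authorized caller, leaves the counter alone for unauthorized calls, reports a locked account distinctly and returns an empty 204 on success does not. The names (Patron, naive_validate, hardened_validate, lock_every_account), the threshold value 3 and the sample patrons are all assumptions made for the example.

```python
"""Toy model of a "validate this patron's password" REST route.

Added illustration, not Koha code. The threshold constant stands in for a
FailedLoginAttempts-style preference; its value and all names are made up.
"""
from dataclasses import dataclass
import hashlib
import hmac

# Hypothetical lockout threshold (the real preference is site-configured).
FAILED_LOGIN_ATTEMPTS = 3


@dataclass
class Patron:
    borrowernumber: int
    userid: str
    password_hash: bytes
    login_attempts: int = 0


def hash_password(password: str) -> bytes:
    # Toy hash for the demo only; a real system uses a slow, salted hash (bcrypt/argon2).
    return hashlib.sha256(password.encode()).digest()


def password_matches(patron: Patron, password: str) -> bool:
    # Constant-time comparison so the check itself does not leak timing.
    return hmac.compare_digest(patron.password_hash, hash_password(password))


def make_db() -> dict:
    # Constructed sample data: two patrons with sequential ids.
    return {
        1: Patron(1, "alice", hash_password("correct horse")),
        2: Patron(2, "bob", hash_password("battery staple")),
    }


def naive_validate(db, borrowernumber, password):
    """Route as critiqued: keyed by patron id only, no caller authorization,
    every failure counted against the patron, one message for every failure."""
    patron = db.get(borrowernumber)
    if patron is None:
        return 400, {"error": "Invalid password"}
    if patron.login_attempts >= FAILED_LOGIN_ATTEMPTS:
        return 400, {"error": "Invalid password"}  # lockout hidden behind the same text
    if password_matches(patron, password):
        patron.login_attempts = 0
        return 204, None
    patron.login_attempts += 1
    return 400, {"error": "Invalid password"}


def lock_every_account(db, validate):
    """Attacker loop for point 6: walk the small integer id space with a bogus
    password until every patron is over the threshold. Returns locked userids."""
    for borrowernumber in list(db):
        for _ in range(FAILED_LOGIN_ATTEMPTS):
            validate(db, borrowernumber, "not-the-password")
    return sorted(p.userid for p in db.values()
                  if p.login_attempts >= FAILED_LOGIN_ATTEMPTS)


def hardened_validate(db, borrowernumber, password, caller_authorized):
    """Same route with the QA points addressed: the caller must already hold a
    permission (assumed checked upstream and passed in as a flag), an
    unauthorized call never touches the attempt counter, a locked account is
    reported as locked rather than as a bad password, and success is an empty 204."""
    if not caller_authorized:
        return 403, {"error": "Caller not allowed to validate passwords"}
    patron = db.get(borrowernumber)
    if patron is None:
        return 404, {"error": "Patron not found"}
    if patron.login_attempts >= FAILED_LOGIN_ATTEMPTS:
        return 403, {"error": "Account locked: too many failed attempts"}
    if password_matches(patron, password):
        patron.login_attempts = 0
        return 204, None
    patron.login_attempts += 1
    return 400, {"error": "Invalid password"}
```

Running lock_every_account against naive_validate locks both sample patrons without the attacker knowing a single userid; against hardened_validate called without authorization it locks none, because the permission check runs before anything is charged to the patron's counter.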
