2012/12/3 Henne Holly <[email protected]>:
> Hi,
>
> I defined a log-file in self-service-password config, but nothing
> is logged there. I will check apache2 log files.

The log file configured in config.inc.php is dedicated to password reset. It allows logging them in a separate file, because this log contains the token that allows resetting the password for a user. The default logs are in the Apache error log.

> However, because mail-token works, I completely disabled ?action=change.
> For that purpose I introduced a new line $use_change = false; in the
> config-file and adjusted one line in index.php, where the allowed
> actions are stored in an array-variable. By default actionarray is now
> not change but empty.
>
> This does the trick. However, one could still do a brute-force-attack to
> guess usernames and emails. But that would be recognized by the user.
>
> Should I post a diff-patch for the files? I'm not familiar with php,
> just copied and pasted ;)

You can send a patch, yes. I have never had the need to disable this feature, but why not.

_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
