Hi all,
Regarding XX-6764 [1], I have an objection to this feature as described:
"On the login screen there shall be a link that allows recovering the
password. Upon activation sipXconfig generates a new password for the User ID
entered, stores that new password in the system, and sends an email to the
email address registered for the user that includes the new password."
This would allow anyone with IP access to invalidate the current PIN of any
known user. That could be very disruptive.
The "Forgot PIN" link should instead email the User a "secret" link, which can
then be used to set a new PIN. That would make it considerably more difficult
for a malicious person to erase a User's PIN.
I also think this functionality should not be available for any User with
Administration permission, and/or no defined email address.
Thoughts?
-Paul
[1] http://track.sipfoundry.org/browse/XX-6764 Provide password recovery
mechanism
_______________________________________________
sipx-dev mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/
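
The flow proposed in the message above, sketched as an added example; this is not sipXconfig code and is not from the original post. ResetService, its method names, the user-record fields, the one-hour lifetime and the pbx.example URL are all hypothetical. The point it shows: requesting a reset never touches the stored PIN, and only the holder of the emailed token can replace it.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed value)


class ResetService:
    """Hypothetical in-memory model of the "Forgot PIN" flow."""

    def __init__(self, users, send_mail, now=time.time):
        self.users = users          # user_id -> {"pin", "email", "admin"}
        self.send_mail = send_mail  # callable(address, body)
        self.now = now
        self.pending = {}           # user_id -> (sha256 of token, expiry)

    def forgot_pin(self, user_id):
        """Callable by anyone with IP access; must never change the PIN."""
        user = self.users.get(user_id)
        # Excluded per the proposal: admins and users with no email on file.
        if user and not user["admin"] and user["email"]:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            # Store only the hash, so a leaked table cannot be replayed.
            self.pending[user_id] = (digest, self.now() + TOKEN_TTL)
            link = f"https://pbx.example/reset?user={user_id}&token={token}"
            self.send_mail(user["email"], f"Set a new PIN: {link}")
        # Same reply on every path, so the form does not confirm user IDs.
        return "If the account is eligible, a reset link has been sent."

    def redeem(self, user_id, token, new_pin):
        """Replace the PIN only for a matching, unexpired, unused token."""
        digest, expiry = self.pending.get(user_id, ("", 0))
        offered = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, offered) or self.now() > expiry:
            return False
        del self.pending[user_id]             # single use
        self.users[user_id]["pin"] = new_pin  # a real store would hash this
        return True
```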