This implements a well-known URL for changing passwords (https://web.dev/change-password-url/) using an htaccess rule.
404
htaccess redirect to index.php?option=com_users&view=reset
None
This should work for web.config:
<rule name="A well-known URL for changing passwords">
<match url="(.*)" ignoreCase="false" />
<conditions logicalGrouping="MatchAll">
<add input="{URL}" pattern="\.well-known/change-password$" ignoreCase="true" negate="true" />
</conditions>
<action type="Redirect" url="index.php?option=com_users&view=reset" statusCode="302" />
</rule>
But for some reason this validator here: https://elmah.io/tools/configvalidator/ seems to not like the new URL.
Any idea how to fix or test it? Otherwise I would suggest adding a note to the postinstall that for web.config there is no known workaround yet.
Status | New | ⇒ | Pending |
Category | ⇒ | SQL Administration com_admin Postgresql MS SQL Language & Strings |
Any idea how to fix or test it?
Escape ampersand.
I expect that this only works for root installations and not in subfolders? If so, we should mention this.
The redirect works on both.
Any idea how to fix or test it?
Escape ampersand.
The validator is not happy with the =
Or am I missing something?
No, it's the ampersand. You're editing an XML file.
Hmm, that did the trick actually.. I could swear that I have tried that before too..
Pushed the fix :-)
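The ampersand problem discussed above can be reproduced offline with any XML parser. The following is an added example, not code from this pull request: it parses the rule as first posted, reports where the parser stops, and then parses the escaped version. The helper names `escape_bare_ampersands` and `check_rule` are made up for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# The web.config rule exactly as first posted in this thread
# (bare "&" inside the action url attribute).
RAW_RULE = r"""<rule name="A well-known URL for changing passwords">
<match url="(.*)" ignoreCase="false" />
<conditions logicalGrouping="MatchAll">
<add input="{URL}" pattern="\.well-known/change-password$" ignoreCase="true" negate="true" />
</conditions>
<action type="Redirect" url="index.php?option=com_users&view=reset" statusCode="302" />
</rule>"""

# An "&" that does not start an entity or character reference such as
# &amp; &#38; or &#x26; and therefore breaks XML well-formedness.
BARE_AMP = re.compile(r"&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#x[0-9A-Fa-f]+);)")


def escape_bare_ampersands(xml_text):
    """Replace bare '&' with '&amp;'; already escaped text is left alone."""
    return BARE_AMP.sub("&amp;", xml_text)


def check_rule(xml_text):
    """Return (True, redirect_url) or (False, (line, column, source_line))."""
    try:
        rule = ET.fromstring(xml_text)
    except ET.ParseError as err:
        line, col = err.position  # line is 1-based, column is 0-based
        return False, (line, col, xml_text.splitlines()[line - 1])
    # The parser decodes &amp; back to "&", so IIS sees the intended URL.
    return True, rule.find("action").get("url")


if __name__ == "__main__":
    print(check_rule(RAW_RULE))
    print(check_rule(escape_bare_ampersands(RAW_RULE)))
```
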
I expect that this only works for root installations and not in subfolders? If so, we should mention this.
The redirect works on both.
The redirect works but this feature will not be detected because .well-known
has to be in the root directory.
Is there anything we can do about that?
Or do you have a suggestion for a text to be added?
I am not in favour of this. It should be up to the site owner if users are able to reset their passwords. There are lots of business cases where it is not allowed.
OK, fine for me, then we can set it up commented. Do you have a suggestion for the text?
also see JSST report
It's up to the site owner if s/he adds the htaccess redirect or not. So basically it's a good thing so people use password managers and have an easy way to find the change form.
And it doesn't change anything in the functionality, because you can always access the change or reset functions if not disabled in a proper way.
It's up to the site owner if s/he adds the htaccess redirect or not
On updates yes but on new installs it would be the default, and unexpected, behaviour that really should not be in a patch release
Is there a reason to put this in .htaccess anyhow and not a plugin which manipulates the Router? Would be a good example of a router plugin and make it more easy to toggle on/off
On updates yes but on new installs it would be the default, and unexpected, behaviour that really should not be in a patch release
I don't share your opinion on this because it basically does nothing new, except giving a hint for software that is/should already be known to Joomla users. The SVG htaccess addition is much more problematic than this redirect.
Is there a reason to put this in .htaccess anyhow and not a plugin which manipulates the Router? Would be a good example of a router plugin and make it more easy to toggle on/off
Hard to say; basically you can do it with com_redirect and don't need any plugin or htaccess redirect, but tbh most site creators didn't know that this .well-known path exists (not even I had known this), and I use many well-known paths ;-)
Is there a reason to put this in .htaccess anyhow and not a plugin which manipulates the Router? Would be a good example of a router plugin and make it more easy to toggle on/off
Hmm, I thought about a plugin or com_redirect for the redirect; the problem is that's disabled by default. I'm fine with a dedicated plugin, but isn't that overkill for such a minimal redirect?
On updates yes but on new installs it would be the default, and unexpected, behaviour that really should not be in a patch release
I don't share your opinion on this because it basically does nothing new, except giving a hint for software that is/should already be known to Joomla users. The SVG htaccess addition is much more problematic than this redirect.
Agree, it is in the end just an alias for com_users&view=reset. I'm also fine to move that into 3.10 when there are concerns that it would be an issue in a patch release.
.htaccess is the more straightforward way, adding a plugin is overkill (good as an example, of course), a default com_redirect rule doesn't work for people who don't use it (like me^^).
We can uncomment it per default but I don't see a reason to hide it because this url is "well-known" to people who think it's an attack vector...
Can you rebase it on 3.10 and @gostn can test it with 3.10 (or now because it's version independent)
Ah have to change the sql files too .. give me a few minutes ..
Files have been moved to their dedicated 3.10.0 file so this is ready for testing.
and semantic versioning rules say no new features in a bug fix release
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-10-17 09:31:21 |
Closed_By | ⇒ | zero-24 |
I expect that this only works for root installations and not in subfolders? If so, we should mention this.