phpBB3 / PHPBB3-15976

Changing account settings without changing password resets user_passchg

    Details

      Description

      If a user changes their email address or username from their User Control Panel without changing their password at the same time, this line of code in ucp_profile.php will cause their password last-change time to be reset to 0:

      'user_passchg' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? time() : 0,

      If the "user must change password every X days" feature is enabled in the ACP, this causes a password reset to be forced for the user as soon as their username/email address is changed, due to this line in user.php:

      https://github.com/phpbb/phpbb/blob/05f4046b2b1661b1a1064b33c2ee1bbf13a6644d/phpBB/phpbb/user.php#L407

      It seems like this is a mistake, and if the user isn't updating their password, no change should be made to user_passchg? In that case the ": 0" on this line should become ": $user->data['user_passchg']". Or the assignment to $sql_ary['user_passchg'] could be moved further down next to the line that calls "$user->reset_login_keys();".

      The ACP equivalent feature already achieves this by avoiding updating user_passchg entirely unless the password is being edited.
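
A stand-alone model of the behaviour described in this report, added here as an example and not taken from phpBB: it compares the current expression with the proposed `$user->data['user_passchg']` fallback and shows which one triggers a forced reset. The function names, sample timestamps and the form of the expiry check are assumptions.

```php
<?php
// Stand-alone model of the behaviour described in the report; not phpBB code.
// Function names and the expiry formula are assumptions made for illustration.

const DAY = 86400;

// Value the UCP writes today: 0 whenever no new password was submitted.
function passchg_current(bool $can_change, string $new_password, int $stored, int $now): int
{
    return ($can_change && $new_password) ? $now : 0;
}

// Proposed fix from the report: keep the stored timestamp when the password is untouched.
function passchg_fixed(bool $can_change, string $new_password, int $stored, int $now): int
{
    return ($can_change && $new_password) ? $now : $stored;
}

// Assumed shape of the "user must change password every X days" check.
function must_change_password(int $user_passchg, int $force_days, int $now): bool
{
    return $force_days > 0 && $user_passchg < $now - $force_days * DAY;
}

$now        = 1700000000;       // constructed "current" time
$stored     = $now - 10 * DAY;  // constructed: password last changed 10 days ago
$force_days = 90;               // constructed ACP setting

// Constructed cases: [label, submitted new password]
$cases = [
    ['email/username change only', ''],
    ['password changed as well', 'n3w-passphrase'],
];

foreach ($cases as [$label, $new_password]) {
    foreach (['passchg_current', 'passchg_fixed'] as $fn) {
        $value = $fn(true, $new_password, $stored, $now);
        printf("%-28s %-16s user_passchg=%-10d forced=%s\n",
            $label, $fn, $value,
            must_change_password($value, $force_days, $now) ? 'yes' : 'no');
    }
}
```

Only the "email/username change only" case differs between the two functions: the current expression stores 0, which any non-zero expiry window treats as an expired password.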


            People

            • Assignee:
              Senky
              Reporter:
              thenickdude