Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-15976

Changing account settings without changing password resets user_passchg

    XMLWordPrintable

    Details

      Description

      If a user changes their email address or username from their User Control Panel without changing their password at the same time, this line of code in ucp_profile.php] will cause their password last-change time to be reset to 0:

      'user_passchg' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? time() : 0,

      If the "user must change password every X days" feature is enabled in the ACP, this causes a password reset to be forced for the user as soon as their username/email address is changed, due to this line in user.php:

      https://github.com/phpbb/phpbb/blob/05f4046b2b1661b1a1064b33c2ee1bbf13a6644d/phpBB/phpbb/user.php#L407

      It seems like this is a mistake, and if the user isn't updating their password, no change should be made to user_passchg? In that case the ": 0" on this line should become ": $user->data['user_passchg']". Or the assignment to $sql_ary['user_passchg'] could be moved further down next to the line that calls $user->reset_login_keys();".

      The ACP equivalent feature already achieves this by avoiding updating user_passchg entirely unless the password is being edited.

        Attachments

          Activity

            People

            Assignee:
            Senky Senky
            Reporter:
            thenickdude thenickdude [X] (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: