
Registration challenge e-mail won't work if only authenticated users can access the frontend #8166

Closed
Piedone opened this issue Mar 5, 2019 · 3 comments

Piedone (Member) commented Mar 5, 2019

If you revoke the AccessFrontend permission from anonymous users then the whole registration challenge e-mail mechanism breaks:

  1. After submitting the registration form you'll get an Access Denied because AccountController/ChallengeEmailSent is inaccessible.
  2. Opening the link received in the challenge e-mail will again give you an Access Denied because the ChallengeEmail action is inaccessible too. The same would later happen with ChallengeEmailSuccess and ChallengeEmailFail.

RegistrationPending has a similar issue. So all but the LogOff action need [AlwaysAccessible], it seems.

The fix is trivial, I'm opening this only because I may be missing something obvious. So should we just add [AlwaysAccessible] everywhere mentioned?
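As an added illustration (not Orchard's own code), the snippet below models the gate described in this issue: a front-end permission check that denies callers without AccessFrontEnd unless the action opts out with [AlwaysAccessible]. The controller, the attribute class and the `FrontEndGate`/`AccessAudit` helpers are constructed stand-ins; the audit lists which registration-path actions would still be denied to an anonymous user, so a reviewer can confirm only LogOff stays gated.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Constructed stand-in for Orchard's opt-out attribute (not the real type).
[AttributeUsage(AttributeTargets.Method)]
public sealed class AlwaysAccessibleAttribute : Attribute { }

// Constructed model of the registration-path actions named in the issue.
public class AccountController
{
    [AlwaysAccessible] public string ChallengeEmailSent() => "sent";
    [AlwaysAccessible] public string ChallengeEmail(string nonce) => "challenge";
    [AlwaysAccessible] public string ChallengeEmailSuccess() => "success";
    [AlwaysAccessible] public string ChallengeEmailFail() => "fail";
    [AlwaysAccessible] public string RegistrationPending() => "pending";
    public string LogOff() => "logoff"; // intentionally left behind the front-end gate
}

// Simplified front-end permission gate: a caller lacking AccessFrontEnd is
// denied unless the action explicitly opts out with [AlwaysAccessible].
public static class FrontEndGate
{
    public static bool IsAllowed(MethodInfo action, bool callerHasAccessFrontEnd) =>
        callerHasAccessFrontEnd
        || action.GetCustomAttribute<AlwaysAccessibleAttribute>() != null;
}

public static class AccessAudit
{
    // Names of the controller's actions that an anonymous user (no
    // AccessFrontEnd permission) would be denied by the gate above.
    public static string[] DeniedForAnonymous(Type controller) =>
        controller.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                  .Where(m => !FrontEndGate.IsAllowed(m, callerHasAccessFrontEnd: false))
                  .Select(m => m.Name)
                  .OrderBy(n => n)
                  .ToArray();

    public static void Main()
    {
        // With the attributes placed as above, only LogOff is reported.
        foreach (var name in DeniedForAnonymous(typeof(AccountController)))
            Console.WriteLine($"gated for anonymous: {name}");
    }
}
```

Removing an [AlwaysAccessible] from any of the challenge actions makes it show up in the audit output, which is exactly the Access Denied path the issue describes.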

BenedekFarkas (Member) commented:

@sebastienros if you agree that it's OK from a security perspective, then I'll fix it for 1.10.3.

sebastienros (Member) commented:

GTG

BenedekFarkas (Member) commented:

@sebastienros pre-release (tag and package) updated.

BenedekFarkas pushed a commit that referenced this issue Aug 19, 2019
The merge commit 61d9b46 from 1.10.x did not bring over
a method call in the PR #8177 (fix for #8166) making the bugfix inoperable