From 35024c18fc86d51e0e414068c3494510d2ad14e3 Mon Sep 17 00:00:00 2001
From: "Chinmay D. Pai"
Date: Sat, 7 Dec 2019 19:00:54 +0530
Subject: [PATCH] fix(security): invalidate reset_password_key on password reset

currently there is no way to invalidate reset_password_key on updating password through the user settings. so whenever the user sets a new password we'll invalidate the reset_password_key, so that existing links to reset user passwords cannot be used.

Signed-off-by: Chinmay D. Pai
---
 frappe/core/doctype/user/user.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py
index 7de2bb20e5..35495954b4 100644
--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@@ -97,7 +97,9 @@ class User(Document):
 		self.share_with_self()
 		clear_notifications(user=self.name)
 		frappe.clear_cache(user=self.name)
-		self.send_password_notification(self.__new_password)
+		if self.__new_password:
+			self.send_password_notification(self.__new_password)
+		self.reset_password_key = ''
 		create_contact(self, ignore_mandatory=True)
 		if self.name not in ('Administrator', 'Guest') and not self.user_image:
 			frappe.enqueue('frappe.core.doctype.user.user.update_gravatar', name=self.name)
@@ -1071,4 +1073,4 @@ def generate_keys(user):
 		user_details.save()
 		return {"api_secret": api_secret}
 
-	frappe.throw(frappe._("Not Permitted"), frappe.PermissionError)
\ No newline at end of file
+	frappe.throw(frappe._("Not Permitted"), frappe.PermissionError)
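Review bot: The added `self.reset_password_key = ''` only mutates the in-memory document, so if the enclosing method is a post-save hook (its header is outside the hunk; the surrounding `clear_notifications`/`frappe.clear_cache` calls suggest `on_update`, which runs after the row has been written) the stored key is never cleared and an outstanding reset link keeps working despite the commit's intent. Persisting the change explicitly, e.g. `self.db_set('reset_password_key', '')`, or clearing the field in `validate` before the write, would make the invalidation take effect; a test that issues a reset key, changes the password and asserts the old key is rejected would pin the behaviour. The collapsed layout also leaves it ambiguous whether the clear sits inside the `if self.__new_password:` branch or runs on every save; tying it to the branch matches the commit message and avoids wiping a freshly issued key on unrelated profile edits.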