Bypassing registration approval using forgot password feature #2591

pkotnis · 2022-11-28T09:40:04Z

Issue Summary

For Lemmy instances that currently require manual registration approval (such as lemmy.ml), I believe it is possible to bypass the approval using forgot password feature

Steps to Reproduce

Create an account on a Lemmy instance that requires registration approval (such as lemmy.ml)
Before your account gets approved, go to Lemmy's login page, provide your email/username and click "forgot password"
Once you receive the "Password Reset Request" email, click the link inside of it
Change your password
Voilà, you're now logged in, even tho your account is still pending approval.

Nutomic · 2022-11-30T09:54:46Z

Right there is a check missing. Thanks for reporting!

dessalines · 2022-12-01T21:34:55Z

Thanks for this!

Its these types of things that are so hard to think about beforehand.

pkotnis added the bug Something isn't working label Nov 28, 2022

Nutomic added a commit that referenced this issue Nov 30, 2022

Check user accepted before sending jwt in password reset (fixes #2591)

b05378d

Nutomic added a commit that referenced this issue Nov 30, 2022

Check user accepted before sending jwt in password reset (fixes #2591)

56e5390

dessalines closed this as completed in 70e3feb Dec 1, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bypassing registration approval using forgot password feature #2591

Bypassing registration approval using forgot password feature #2591

pkotnis commented Nov 28, 2022

Nutomic commented Nov 30, 2022

dessalines commented Dec 1, 2022

Bypassing registration approval using forgot password feature #2591

Bypassing registration approval using forgot password feature #2591

Comments

pkotnis commented Nov 28, 2022

Issue Summary

Steps to Reproduce

Nutomic commented Nov 30, 2022

dessalines commented Dec 1, 2022