OK, so I thought about implementing a CAPTCHA for the reminder widget. It is a method of identifying email addresses - and it never gets trapped by the error handler anywhere - and ultimately something that's going to limit the points of intrusion can only be a good thing.
So I started looking at the code and something odd about action=reminder struck me: it still works for logged in members too. Now this is really weird because I'm not sure it isn't a bug, but I'm not sure it isn't intentional behaviour either.
Let me explain. If you hit up action=reminder, you get thrown into the reminder handler, which has a bunch of subactions. But if no subaction is given, it will actually load the 'please give us the username or email address' prompt, due to no specified subaction, the relevant template being loaded and then hitting up template_main from Reminder.template.php.
That part seems half like an oversight, but the more I play around with it, the more I'm not sure about it being one. It seems almost fortunate that it happens to fall into the main reminder template (as opposed to other places, i.e. almost everywhere, where it explicitly sets the subaction if no valid one was found or none was supplied), but I don't see any 'is_guest' checks.
Then it hit me. You can't change your own password if you don't know your current one - and there's no way in the profile area to change your own password directly if you have forgotten it, meaning if you did want to change anything, you'd have to go through the reminder section - and it would let you, though whether you should be able to do so is debatable.
So, there's the question: should you be able to call the reset-password stuff if you're logged in, and if not, how should you be able to reset it from inside the profile area, since you can't change your password if you can't remember your current one?
It's a tricky one, but something that occurs to me. (Of course, I could just ignore it, implement the CAPTCHA anyway, and just not bother if the user is a registered member at the point of filling in the form.)
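The guard the post is circling around, as an added illustration rather than SMF's own code: a reminder dispatcher that sends logged-in members to the profile area, sets an explicit default subaction instead of relying on "no subaction" happening to render template_main, and checks the CAPTCHA only on the step that names an account. The `$user_info['is_guest']` key, the subaction names and the captcha helper are assumptions standing in for the real handler.

```php
<?php
// Added example; not SMF's code. Names below are hypothetical stand-ins.

function captcha_ok(array $session, array $post): bool
{
    // Server-side check: the expected answer lives in the session,
    // the user's attempt arrives in POST.
    if (!isset($session['captcha_answer'], $post['captcha'])) {
        return false;
    }
    // Constant-time comparison so the check cannot be timed.
    return hash_equals($session['captcha_answer'], (string) $post['captcha']);
}

function reminder_dispatch(array $user_info, ?string $sa, array $session, array $post): string
{
    // 1. A logged-in member already has a session. Letting that session set a
    //    new password without the current one turns a hijacked session into a
    //    full account takeover, so members go to the profile area instead.
    if (empty($user_info['is_guest'])) {
        return 'redirect:action=profile';
    }

    // 2. Explicit subaction table with an explicit default; no silent fall-through.
    $subactions = [
        'main'        => fn() => 'template_main',          // "give us username/email" prompt
        'picktype'    => fn() => 'template_reminder_pick', // form submitted: look up the account
        'setpassword' => fn() => 'template_set_password',  // reached via the emailed token
    ];
    if ($sa === null || !isset($subactions[$sa])) {
        $sa = 'main';
    }

    // 3. CAPTCHA only on the submission that names an account, so the form
    //    cannot be scripted to probe which email addresses are registered.
    if ($sa === 'picktype' && !captcha_ok($session, $post)) {
        return 'error:captcha_failed';
    }

    return $subactions[$sa]();
}

// Constructed demo inputs (not real session data).
$guest  = ['is_guest' => true];
$member = ['is_guest' => false];
$sess   = ['captcha_answer' => 'k7f3q'];

echo reminder_dispatch($member, null, $sess, []), "\n";
echo reminder_dispatch($guest, null, $sess, []), "\n";
echo reminder_dispatch($guest, 'picktype', $sess, ['captcha' => 'wrong']), "\n";
echo reminder_dispatch($guest, 'picktype', $sess, ['captcha' => 'k7f3q']), "\n";
```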