Channel: Issues for Drupal core

Password reset form has no flood protection

Problem/Motivation

Currently, User X can request a new password an infinite amount of times. This can be confirmed by the logs at admin/reports/dblog.
Update 8/15/13: The issue is still present in the Drupal 8 download, as I have tested.

Proposed resolution

Create flood event and enforce it.
Create/modify tests so that this patch can pass. Since the flood protection takes action after a number of attempts, the user will not be able to log in after too many tries, and this is the way it should work. The tests should allow for this.

Remaining tasks

Addressing concerns of @David_Rothstein in #73

I was going to say that looked like a good change, but then it occurred to me: Because the flood control is by IP address, we actually have no idea how many times the current user tried to reset their password recently (it could be zero).

Which actually means this: If many users at an organization all share the same IP address, then a malicious user at the same IP address (let's say a disgruntled employee situation) could trigger the flood control deliberately by continually requesting multiple passwords for their own account. Since there were no password reset requests for other accounts, those users will not have any login links in their e-mail to click on, nor will they be able to generate them. So they will be completely locked out of the site (assuming the attacker flooded the login form too), and the only way to get back in is to wait for someone with technical knowledge to go onto the server and fix things.

I have to ask, isn't the above scenario actually more dangerous than the simple "spam" scenario the patch is trying to protect against?

See one opinion on this tradeoff in #127 - tl;dr the benefit outweighs the risk (which is a bit of an edge-case).

User interface changes

TBD

API changes

TBD

Original report by Traverus

Currently, User X can request a new password an infinite amount of times. There should be a flood event created and enforced. I'll include the code that I used to implement my own solution to help get toward a patch for the problem.

As an example: Bob doesn't like Alice, so he resets Alice's password 1230875109 times. This makes Alice upset because she has an equal number of e-mails in her inbox.

Thanks!

function xyz_user_pass_form_validate($form, &$form_state) {
  // Allow one reset request per account name per 24 hours (86400 seconds).
  if (!flood_is_allowed('request new password', 1, 86400, $form_state['values']['name'])) {
    form_set_error('name', 'Reset password limit exceeded.  Please contact technical support for further assistance.');
  }
  // Record the attempt whether or not it was allowed, so that repeated
  // attempts keep extending the block.
  flood_register_event('request new password', 86400, $form_state['values']['name']);
}

/**
 * Implements hook_form_FORM_ID_alter() for the user_pass form.
 */
function xyz_form_user_pass_alter(&$form, &$form_state) {
  array_unshift($form['#validate'], 'xyz_user_pass_form_validate');
}
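The snippet above throttles only by account name, while the concern quoted from #73 is about throttling by IP address on a shared office connection. The following is an added example, not code from this issue or from Drupal core: a small in-memory stand-in for the flood API's register/is-allowed semantics (event name, threshold, window, identifier), used to show the two limits applied side by side. The class name, the helper name example_user_pass_check, the event names, the thresholds and windows, and the walkthrough names and IP are all chosen here for illustration.

```php
<?php
// Added example (not from the issue or from Drupal core): a minimal in-memory
// stand-in for the flood API, used to show a password reset form throttled
// per requested account name and per client IP at the same time.
// Assumptions: FloodStore, example_user_pass_check, the event names and the
// thresholds/windows are chosen for this example, not taken from the issue.

final class FloodStore {
    /** @var array<int, array{name: string, identifier: string, timestamp: int, expiration: int}> */
    private array $events = [];

    /** Record one occurrence of $name for $identifier, expiring after $window seconds. */
    public function registerEvent(string $name, int $window, string $identifier, int $now): void {
        $this->events[] = [
            'name' => $name,
            'identifier' => $identifier,
            'timestamp' => $now,
            'expiration' => $now + $window,
        ];
    }

    /** TRUE while fewer than $threshold unexpired events exist within the last $window seconds. */
    public function isAllowed(string $name, int $threshold, int $window, string $identifier, int $now): bool {
        $count = 0;
        foreach ($this->events as $event) {
            if ($event['name'] === $name
                && $event['identifier'] === $identifier
                && $event['expiration'] > $now
                && $event['timestamp'] > $now - $window) {
                $count++;
            }
        }
        return $count < $threshold;
    }
}

/**
 * Validation for the password reset form, with two independent limits:
 *  - per requested account name (stops the "Alice's inbox" scenario), and
 *  - per client IP, with a much higher threshold, so that one person on a
 *    shared office IP does not lock out colleagues just by hammering the
 *    form for their own account (the concern raised in #73).
 * Returns NULL when the request may proceed, or an error message otherwise.
 */
function example_user_pass_check(FloodStore $flood, string $name, string $ip, int $now): ?string {
    $perAccountThreshold = 5;   // resets per account per day (example value)
    $perAccountWindow = 86400;
    $perIpThreshold = 50;       // resets per IP per hour (example value)
    $perIpWindow = 3600;

    if (!$flood->isAllowed('user.password_reset.name', $perAccountThreshold, $perAccountWindow, $name, $now)) {
        return 'Too many password reset requests for this account. Try again later.';
    }
    if (!$flood->isAllowed('user.password_reset.ip', $perIpThreshold, $perIpWindow, $ip, $now)) {
        return 'Too many password reset requests from this address. Try again later.';
    }
    // Count the attempt only when a reset e-mail is actually going to be sent.
    $flood->registerEvent('user.password_reset.name', $perAccountWindow, $name, $now);
    $flood->registerEvent('user.password_reset.ip', $perIpWindow, $ip, $now);
    return NULL;
}

// Constructed walkthrough: several requests arrive from one shared office IP.
$flood = new FloodStore();
$now = 1700000000;
for ($i = 0; $i < 5; $i++) {
    assert(example_user_pass_check($flood, 'alice', '203.0.113.10', $now + $i) === NULL);
}
// The sixth request for alice within the day is refused ...
assert(example_user_pass_check($flood, 'alice', '203.0.113.10', $now + 5) !== NULL);
// ... but carol, behind the same IP, can still request her own reset.
assert(example_user_pass_check($flood, 'carol', '203.0.113.10', $now + 6) === NULL);
// Once the per-account window has passed, alice's five earlier events have expired.
assert(example_user_pass_check($flood, 'alice', '203.0.113.10', $now + 86405) === NULL);
echo "flood control checks passed\n";
```

Two design choices differ from the snippet above and are worth noting. Refused attempts are not registered, so a refusal does not keep extending the block indefinitely; the original snippet registers on every attempt, which is the stricter choice. And the per-IP limit is deliberately loose relative to the per-account limit: the account limit is what protects Alice's inbox, while the IP limit is a backstop against bulk requests across many accounts. The shared-IP lock-out described in #73 is still reachable if the IP threshold is set too low for the population behind one address, which is the trade-off the summary points to in #127.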
