Benni Mack authored
This feature adds a link on TYPO3 Backend's login form to reset a backend user's password if the user has forgotten the password.

Key changes:
* Only enabled for backend users with an email address and a password set
* Enabled by default but can be disabled completely
* Optionally only works for non-admins via TYPO3_CONF_VARS
* Only send out emails to users within the system, but no information disclosure
* If multiple valid users have the same email address, a different email is sent out
* TCA be_users.email is not set to eval=email (due to backwards-compatibility)
* Password resets are only valid for 2 hours (non-configurable)
* Not extensible for third-party authentication methods yet
* Rate limiting is enabled per email address for 3 attempts per 30mins (non-configurable)
* When logging in, all previous tokens are removed
* When requesting multiple resets, only the last email is valid
* A CLI command "backend:resetpassword $backendUrl $emailAddress" sends out an email as well from admins
* Admins can trigger a password reset for users in the BE User module

Resolves: #89513
Releases: master
Change-Id: I9a146d5a9db176d24f2223c5eafb0fb42861e93f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63385
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
24c59a3f
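
The reset rules listed in the commit message (2-hour validity, 3 attempts per 30 minutes per email address, only the last email valid, tokens removed at login, no disclosure of whether an address exists) can be modelled as below. This is an added example for PHP 8, not code from the TYPO3 change; the class name, the in-memory storage and storing only a SHA-256 hash of the token are assumptions.

```php
<?php
declare(strict_types=1);
// Added sketch, not TYPO3 code: in-memory model of the reset rules in the commit message.
final class ResetPolicySketch // hypothetical name
{
    private const TOKEN_TTL = 7200;  // a reset is valid for 2 hours
    private const MAX_ATTEMPTS = 3;  // 3 attempts ...
    private const WINDOW = 1800;     // ... per 30 minutes, per email address
    private array $attempts = [];    // email => request timestamps
    private array $tokens = [];      // email => ['hash' => ..., 'expires' => ...]
    public function __construct(private array $knownEmails) {}
    public function request(string $email, int $now): ?string
    {
        $key = strtolower(trim($email));
        $recent = array_filter($this->attempts[$key] ?? [], fn (int $t): bool => $t > $now - self::WINDOW);
        if (count($recent) >= self::MAX_ATTEMPTS) {
            return null; // rate limited; the caller shows the same notice in every case
        }
        $this->attempts[$key] = array_merge(array_values($recent), [$now]);
        if (!in_array($key, $this->knownEmails, true)) {
            return null; // unknown address: no mail is sent, nothing is disclosed
        }
        $token = bin2hex(random_bytes(32));
        // Assumption: only a hash is stored. Overwriting invalidates the earlier token.
        $this->tokens[$key] = ['hash' => hash('sha256', $token), 'expires' => $now + self::TOKEN_TTL];
        return $token;
    }

    public function redeem(string $email, string $token, int $now): bool
    {
        $key = strtolower(trim($email));
        $entry = $this->tokens[$key] ?? null;
        if ($entry === null || $now > $entry['expires'] || !hash_equals($entry['hash'], hash('sha256', $token))) {
            return false;
        }
        unset($this->tokens[$key]); // single use
        return true;
    }

    public function onLogin(string $email): void
    {
        unset($this->tokens[strtolower(trim($email))]); // logging in removes previous tokens
    }
}

$policy = new ResetPolicySketch(['editor@example.org']); // constructed sample address
$old = $policy->request('editor@example.org', 0);
$new = $policy->request('editor@example.org', 60);
var_dump($policy->redeem('editor@example.org', $old, 120), $policy->redeem('editor@example.org', $new, 120));
```

Timestamps are passed in explicitly so the expiry and rate-limit windows can be exercised without waiting.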