hadzo Posted November 6, 2013

Visit URL /client/login/reset/ without entering username/email, click RESET PASSWORD button, you get green message saying "A confirmation email has been sent to the address on record." You should get a message saying to enter username/email, this is confusing.

Using LogicBoxes module. When you go to URL /plugin/order/main/preconfig/domain, click the TLD checkbox, in my case .com, then click TRANSFER button, you get "Congratulations, that domain is available." but it is a blank domain since user did not enter a domain. See attached picture.
Michael Posted November 6, 2013

> Visit URL /client/login/reset/ without entering username/email, click RESET PASSWORD button, you get green message saying "A confirmation email has been sent to the address on record." You should get a message saying to enter username/email, this is confusing.
>
> Using LogicBoxes module. When you go to URL /plugin/order/main/preconfig/domain, click the TLD checkbox, in my case .com, then click TRANSFER button, you get "Congratulations, that domain is available." but it is a blank domain since user did not enter a domain. See attached picture.

Transfer you will always get it available, because you can transfer any domain, you just need the EPP code.

Edit: Oh you just clicked on enter.
Paul Posted November 6, 2013

> Visit URL /client/login/reset/ without entering username/email, click RESET PASSWORD button, you get green message saying "A confirmation email has been sent to the address on record." You should get a message saying to enter username/email, this is confusing.

This always shows that message, so as not to leak your usernames to a potential attacker. We may add an option to display an error if there is no match, but for security reasons we recommend leaving it this way.
mrrsm Posted November 6, 2013

While I agree it should show the success message rather than that user doesn't exist, if nothing is entered it should throw an error asking you to enter something in those fields.
Tyson Posted November 6, 2013

> Visit URL /client/login/reset/ without entering username/email, click RESET PASSWORD button, you get green message saying "A confirmation email has been sent to the address on record." You should get a message saying to enter username/email, this is confusing.

As Paul mentioned, it is a security risk to reveal information about users that do or do not exist based on such error/success messages. That said, there is a config setting in your blesta config file called "Blesta.default_password_reset_value" which regulates this. You may set its value to false to show any errors.

> Using LogicBoxes module. When you go to URL /plugin/order/main/preconfig/domain, click the TLD checkbox, in my case .com, then click TRANSFER button, you get "Congratulations, that domain is available." but it is a blank domain since user did not enter a domain. See attached picture.

I'm not able to duplicate this. Not entering a domain says that it is not available. But I'm using the sandbox, and maybe that differs from a live account.
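The behaviour discussed in the posts above, sketched as an added example (not Blesta's code and not part of any post): empty input is rejected with a validation error, while known and unknown identifiers receive the same response. The account table, the two error strings, and the `reveal_errors` flag are assumptions made for illustration.

```python
import secrets

GENERIC_MSG = "A confirmation email has been sent to the address on record."
EMPTY_MSG = "Please enter your username or email address."
NO_MATCH_MSG = "No account matches that username or email."

# Constructed sample accounts (username -> email); not real data.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}


def request_reset(identifier, users=USERS, outbox=None, reveal_errors=False):
    """Handle a reset request and return (ok, message).

    reveal_errors is a hypothetical switch for the "show an error when
    nothing matches" behaviour; it is not Blesta's actual setting.
    """
    ident = (identifier or "").strip().lower()
    if not ident:
        # An empty form says nothing about any account, so rejecting it
        # is safe and avoids the confusing "email sent" message.
        return False, EMPTY_MSG

    email = users.get(ident)
    if email is None and ident in users.values():
        email = ident

    if email is not None:
        if outbox is not None:
            # Stand-in for sending mail: queue a single-use random token.
            outbox.append((email, secrets.token_urlsafe(32)))
    elif reveal_errors:
        return False, NO_MATCH_MSG  # this branch is the enumeration oracle

    # Same response whether or not the account exists.
    return True, GENERIC_MSG


def leaks_account_existence(reveal_errors):
    """True if a known and an unknown identifier get different responses."""
    known = request_reset("alice", reveal_errors=reveal_errors)
    unknown = request_reset("no-such-user", reveal_errors=reveal_errors)
    return known != unknown
```

A check like `leaks_account_existence` is worth keeping as a regression test, so a later change to the reset form cannot quietly reintroduce a distinguishable response.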
hadzo (Author) Posted December 2, 2013

Tyson, I updated to 3.0.6 and the problem with Transfers always returning success is still there. Transfer will return success even if the domain is not unlocked and you can not order and transfer a locked domain. I know this is not a big deal for you but as user I am here to remind you what is important for the user since this confuses and makes problems for the customer and hence for the admin.
Cody Posted December 2, 2013

> Tyson, I updated to 3.0.6 and the problem with Transfers always returning success is still there. Transfer will return success even if the domain is not unlocked and you can not order and transfer a locked domain. I know this is not a big deal for you but as user I am here to remind you what is important for the user since this confuses and makes problems for the customer and hence for the admin.

What does the log say [Tools] > [Logs] > [Module] when you perform the transfer? Sounds to me like whatever module you're using doesn't care that the domain is locked. That would be an issue outside of the control of Blesta.
hadzo (Author) Posted December 3, 2013

> What does the log say [Tools] > [Logs] > [Module] when you perform the transfer? Sounds to me like whatever module you're using doesn't care that the domain is locked. That would be an issue outside of the control of Blesta.

I am not performing the transfer, I am talking about the first step of checking if the domain is available to transfer or not.
Cody Posted December 3, 2013

> I am not performing the transfer, I am talking about the first step of checking if the domain is available to transfer or not.

I see. Well, Blesta has no way of knowing whether or not a domain can be transferred because the APIs that modules use to interface with registrars don't support such a query. So Blesta must assume that if you're intending to transfer a domain that you're aware of the steps required to perform the transfer from your existing registrar.