Bug 52731 - Password reset ignores Password-History-Policy
Status: RESOLVED DUPLICATE of bug 55415
Product: UCS@school
Classification: Unclassified
Component: UMC - Password reset
Version: UCS@school 4.4
Hardware: Other other
Importance: P4 normal with 1 vote
Assigned To: UCS@school maintainers
Depends on: 55415

Reported: 2021-02-01 09:27 CET by Daniel Duchon
Modified: 2022-12-14 12:26 CET

What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?: Yes
Ticket number: 2021013021000345
Bug group (optional): Security


Description: Daniel Duchon (univentionstaff) 2021-02-01 09:27:08 CET
Our customer complains about the following misconduct:

A teacher resets a student's password via School Administration -> Passwords (Students).

In doing so, the password history policy is rightly ignored.

Subsequently, the student logs in and has to change his password.

However, the password history policy is also ignored and the student can simply set his password to the previous value although this is supposed to be prevented by the global policy.

I've been able to reproduce this behavior in a test environment.


UCS@school-Version: 4.4 v8

Comment 1: Oliver Friedrich (univentionstaff) 2022-12-14 08:41:35 CET
Still occurs on UCS 5.0 with UCS@School 5.0 v3

Comment 2: Oliver Friedrich (univentionstaff) 2022-12-14 12:26:54 CET
Fixed in https://docs.software-univention.de/ucsschool-changelog/5.0v3/de/changelog.html#released-on-2022-11-17

*** This bug has been marked as a duplicate of bug 55415 ***