[TYPO3-core] RFC: #10017: [felogin] New Method for "forgotPassword"

Marcus Krause marcus#exp2009 at t3sec.info
Tue Jan 13 22:34:05 CET 2009


Steffen Kamper wrote on 12/26/2008 07:26 PM:
> Hi olly,
> 
> Oliver Hader wrote:
>> Hi Steffen,
>>
>> Steffen Kamper wrote:
>>> This is SVN patch request.
>>>
>>> Type: Feature
>>>
>>> Branches: trunk
>>>
>>> BT reference: http://bugs.typo3.org/view.php?id=9885
>>
>> We should get rid of sending the plain-text password in general and use
>> something like Bernhard's MD5PW extension or even better the new salted
>> one. I know that there are more steps to be taken (e.g. also provide
>> update wizard to convert existing FE users if still plain-text method is
>> used). So, what do you think?
>>
> 
> yes. There is the plan to create a core class like t3lib_crypt having
> md5, salt, sha etc.
> At the moment I suggest the salt extension from security team, which
> comes with an update wizard to convert the existing passwords.
> 
>> I looked into your patch for some minutes and have some remarks:
>> * there are the POST/GET arguments 'forgot_hash' and 'forgothash' - are
>> there differences?
> 
> yes, there is
> 
> forgot_hash is the $_POST-var, forgothash is the $_GET-var generated for
> the "change password"-link in the email.
> 
> 
>> * there's a new method changePassword(), but where is it called?
>>
> 
> shame on me, 2 lines missing in the trunk patch, they are now in the attached
> patch.

For the record:
I've read and tested trunk-v2 patch; it does not properly apply to
(current) trunk, creates a new line after "?>" at least here;
furthermore a locallang identifier used in pi1 is missing in locallang.xml.

Marcus.

