e56dc8f299
Summary: Fixes T5506. Depends on D10133. When users remove an email address or change their primary email address, invalidate any outstanding password reset links. This is a very small security risk, but the current behavior is somewhat surprising, and an attacker could sit on a reset link for up to 24 hours and then use it to re-compromise an account. Test Plan: - Changed primary address and removed addreses. - Verified these actions invalidated outstanding one-time login temporary tokens. - Tried to use revoked reset links. - Revoked normally from new UI panel. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5506 Differential Revision: https://secure.phabricator.com/D10134
Phabricator is an open source collection of web applications which help software companies build better software. Phabricator includes applications for: - reviewing and auditing source code; - hosting and browsing repositories; - assembling a party to venture forth; - tracking bugs; - hiding stuff from coworkers; and - also some other things. You can learn more about the project (and find links to documentation and resources) [[http://phabricator.org/ | here]]. Phabricator is developed and maintained by [[http://phacility.com/ | Phacility]]. The first version of Phabricator was originally built at Facebook. = LICENSE = Phabricator is released under the Apache 2.0 license except as otherwise noted.