Description of problem:
I tried to log a bug against F11 today. Bugzilla told me that my password had expired, and needed to be reset. To do this required my old password, which I'd forgotten. Bugzilla won't let me into the "I've forgotten my password" page until I've reset my expired password. Which I can't do because I don't know what it is.

Version-Release number of selected component (if applicable):
No idea. Whatever's live at https://bugzilla.redhat.com/

How reproducible:
Every time
I have updated your password to a temp value and emailed it to your address. This should get you going. We will look into the issue though of allowing a forgotten password to be mailed even if it is expired and then allow it to be changed once the person is able to log in once.

Dave
I just got bit by this bug (my notes are below, fwiw), and I do have a few wrinkles to add. I opened a different browser that didn't have my same login cookie stored (Seamonkey) and ran against a problem of it instantly thinking I had made too many password reset requests. Something in the earlier process of trying to get to a password reset page in the first browser-w/-login-cookie (Firefox) seemed to increment a counter?

Here are my notes; my password is now recovered. I used Seamonkey and got it to issue a reset token. Perhaps the administrative password reset unjammed the queue of reset token emails?

Password expiry feedback loop.

1. Came to bz.r.c with browser that had a login cookie; receive notice about expired password.
2. Uh, oh, the password I thought was just-expired is wrong; how do I recover it?
3. Try to go to the password recovery page; it sends you back to the password expiry page. Oops.
4. Open a different browser that doesn't have a login cookie for that user, go to password recovery page.
5. Receive error that too many password reset tokens were issued in too short a time.

Is a step in there issuing a password reset token? Not that I received, but maybe something is incremented. The password recovery page needs to be outside of the "password expiry, reset" page.

Toshio was resetting my password for me, using an administrative password reset. At the same time, I was trying to document the bug steps, and tried step 4 again, this time with success. My inbox had 8 "Password change request canceled" notices, all issued today or the day before (when I last worked on this).

Odd message, too:

A request was canceled from 1. If you did not request this, it could be either an honest mistake or someone attempting to break into your Red Hat Bugzilla account. Take a look at the information below and forward this email to bugzilla-owner if you suspect foul play.
Token: 0123456789 // Changed from actual issued token
Token Type: password
User: kwade
Issue Date: 2009.10.21 03:23:18
Event Data: 1
Canceled Because: You have logged in.
We are removing the password expiration functionality from Bugzilla for the next release which should be due in the beginning of January. The release of Bugzilla 3.6 shortly after will allow us to develop this feature as a plugin so that we can reimplement it in a more sane fashion. I am closing this as this should happen before the next expiration happens.

Dave