Forum Replies Created
-
AuthorPosts
-
LeicesterChris
ParticipantI can’t do that, unfortunately. If I repeat the action, our already annoyed member will get spammed with a reset password email yet again, and she’s pretty fed up already. She could even report us for breaching GDPR rules.
Simply entering *any* email address in the box sends an email to her address, and also exposes her email address to anyone else who clicks “Forgot Password”, as it comes up and says “New password has been sent to xxx” where xxx is her email address.
As a temporary measure I’ve edited the page so that instead of bringing up the [swpm_reset_form] it just asks the person to email me so I can reset their password manually.
LeicesterChris
ParticipantThanks very much for your reply. The membership tables are correct, and indeed when I click on “Forgot Password”, it doesn’t matter what email address I put in, it sends an email to the j**** address. That person is a genuine member, whom I emailed to see if she was getting a lot of spam and she confirmed that she’s been getting ALL password requests. I can’t do the test again, because it will send out spam to this person so I need to understand where and how this particular email address got embedded into the reset password form. Since memberships are due for renewal this month, a LOT of people have clicked “Forgot Password”, which means this particular member’s email address is then visible to all of them – which is in contravention of GDPR.
I was hoping there was a way I (or someone more technically capable than I) could peer “under the hood” to see the code that presumably must be incorporating this person’s email address.
LeicesterChris
ParticipantJust to give some further background – since it was impossible to log out, I added a redirection link after logout to take me to the login URL. That did allow me to log in as a different user, and the profile showed correctly. The fact it redirected implied that the system did think I’d logged out.
However, on the login page, if instead of logging in again I just went to the membership page – it still showed me as logged in as the OTHER user! This seems like a big security hole. It seems I can temporarily log in as a different user, but somewhere in the system the old user is still marked as being active.
I really hope there’s a workround for this, as the functionality otherwise is just what I want – but it really is essential for users to be able to log out.
LeicesterChris
ParticipantI’m having exactly the same problem, and even clearing cookies doesn’t work. Opening in an incognito doesn’t work. Same problem in both Chrome and Edge. Once I’m logged in, that’s it – it’s impossible to log out.
-
AuthorPosts