I have a question about the following code in webaccessadmin_lib.py
(lines ~739)
def perform_modifyaccountstatus(req, userID, email_user_pattern,
                                limit_to, maxpage, page, callback='yes', confirm=0):
    """set a disabled account to enabled and opposite"""
    ...
    # enable the account
    res2 = run_sql("UPDATE user SET note=1 WHERE id=%s", (userID, ))
    output += """<b><span class="info">The account '%s' has
    been activated.</span></b>""" % res[0][1]
    if CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_ACTIVATION == 1:
        # overwrites the stored password with a fresh random one, then mails it
        password = int(random.random() * 1000000)
        run_sql("UPDATE user SET password=AES_ENCRYPT(email, %s) "
                "WHERE id=%s", (password, userID))
        emailsent = send_account_activated_message(res[0][1], res[0][1], password)
The first line enables the account, but later down where it proceeds
to send the user an email about the activation the lines:
        password = int(random.random() * 1000000)
        run_sql("UPDATE user SET password=AES_ENCRYPT(email, %s) "
                "WHERE id=%s", (password, userID))
reset the password to something completely random!
Is there a (security) reason for this? I think it would make sense
to get rid of the run_sql command.
Cheers,
Mike
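The sequence Mike describes, as an added example that is not part of the original message or of the project's code. It assumes an in-memory sqlite table with the four columns the snippet touches (id, email, password, note), uses "?" placeholders instead of MySQLdb's "%s", and registers a Python function under the name AES_ENCRYPT so the UPDATE statements can keep the snippet's shape: that function is an HMAC-SHA256 stand-in, not MySQL's AES, and only models "the stored value depends on the password". The activate_account() helper has a reset_password switch: True reproduces the behaviour in question (the password is overwritten whenever the notification mail is sent), False is the behaviour that results from dropping the run_sql call. The generator in the snippet is also kept beside a secrets-based one, because int(random.random() * 1000000) yields at most one million values from a non-cryptographic PRNG; if a fresh credential is really meant to be mailed out, the secrets module is the right source.

```python
import hashlib
import hmac
import random
import secrets
import sqlite3


def aes_encrypt_stand_in(plaintext, key):
    """Stand-in for MySQL's AES_ENCRYPT(email, password) so the UPDATE text can stay
    the same. It is an HMAC-SHA256 of the email keyed by the password, NOT AES; it
    only models "the stored value depends on the password" for this example."""
    return hmac.new(str(key).encode(), str(plaintext).encode(), hashlib.sha256).hexdigest()


def make_db(email="mike@example.org", password="original-secret"):
    """In-memory user table with the four columns the snippet touches (assumed schema);
    the user starts disabled (note=0) with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("AES_ENCRYPT", 2, aes_encrypt_stand_in)
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, "
                 "password TEXT, note INTEGER)")
    conn.execute("INSERT INTO user (id, email, password, note) "
                 "VALUES (1, ?, AES_ENCRYPT(?, ?), 0)", (email, email, password))
    conn.commit()
    return conn


def activation_password_original():
    """The snippet's generator: at most 1,000,000 distinct values (under 20 bits),
    drawn from random.random(), which is a Mersenne Twister, not a CSPRNG."""
    return int(random.random() * 1000000)


def activation_password_hardened():
    """Replacement when a fresh mailed credential really is wanted: 16 bytes
    from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(16)


def activate_account(conn, user_id, notify_user=True, reset_password=False):
    """Mirror of the enable branch of perform_modifyaccountstatus (hypothetical helper).
    reset_password=True reproduces the questioned behaviour (password overwritten
    whenever the notification mail goes out); False is what remains once the
    run_sql call is removed."""
    conn.execute("UPDATE user SET note=1 WHERE id=?", (user_id,))
    mailed_password = None
    if notify_user and reset_password:
        mailed_password = activation_password_hardened()
        conn.execute("UPDATE user SET password=AES_ENCRYPT(email, ?) WHERE id=?",
                     (mailed_password, user_id))
    conn.commit()
    return mailed_password  # what send_account_activated_message would put in the mail


def is_enabled(conn, user_id):
    row = conn.execute("SELECT note FROM user WHERE id=?", (user_id,)).fetchone()
    return row is not None and row[0] == 1


def check_login(conn, user_id, candidate):
    """Recompute AES_ENCRYPT(email, candidate) and compare it with the stored column,
    which is how a password stored as AES_ENCRYPT(email, password) gets verified."""
    row = conn.execute("SELECT email, password FROM user WHERE id=?", (user_id,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], aes_encrypt_stand_in(row[0], candidate))


if __name__ == "__main__":
    db = make_db()
    activate_account(db, 1, notify_user=True, reset_password=True)
    print("old password still valid after notify + reset:", check_login(db, 1, "original-secret"))
    db = make_db()
    activate_account(db, 1, notify_user=True, reset_password=False)
    print("old password still valid without the reset:", check_login(db, 1, "original-secret"))
```

Running it shows the two outcomes side by side: with the reset the account is enabled but the user's existing password no longer works and only the mailed value does; without it the account is enabled and the existing password is untouched, which is the behaviour a "set a disabled account to enabled" action would be expected to have.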