
[cloud][CLOUD-127] Disable site-admin access to reset password link on Cloud

Administrator requested to merge CLOUD-127 into main

Created by: kopancek

Description

Disable site-admin access to reset password link on Cloud. Exposing the password reset link could lead to hostile user account takeover by a bad-acting site-admin. This would have a bad impact on the security reputation of sourcegraph.com.

Screenshots

Old behaviour

This is the current behaviour. We will continue behaving like this if not on cloud.

[Screenshot 2021-11-11 at 16 06 37]

New behavior

Only applicable to Cloud.

[Screenshot 2021-11-11 at 17 11 17]

Testing locally

To test this change locally, do the following:

Old behavior

  1. Run sg start enterprise
  2. Make sure you have at least 2 users, one of which is site-admin
  3. Log in as a site-admin and go to https://sourcegraph.test:3443/site-admin/users
  4. Click on Reset password button of the other user
  5. You should see the reset password link in the success message (old behavior mentioned above)

New behavior

  1. Run sg start cloud
  2. Make sure you have at least 2 users, one of which is site-admin
  3. Log in as a site-admin and go to https://sourcegraph.test:3443/site-admin/users
  4. Click on Reset password button of the other user
  5. You should NOT see the reset password link in the success message (new behavior mentioned above)
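The behaviour described in this merge request, as an added illustration that is not Sourcegraph's own code: the same admin-triggered reset runs in both deployment modes, but only the non-cloud mode returns the link in the admin-visible message. The deployment type, the `/password-reset?code=` route, the in-memory token store and the `RedeemsToken` check are all assumptions made for this example; the point of the check is that a test can assert the admin-facing message carries nothing a site-admin could redeem.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// DeploymentType stands in for the enterprise/cloud distinction used by
// "sg start enterprise" and "sg start cloud" in the test steps (assumed type).
type DeploymentType string

const (
	DeployEnterprise DeploymentType = "enterprise"
	DeployCloud      DeploymentType = "cloud"
)

// ResetResult is what the site-admin sees after clicking "Reset password".
type ResetResult struct {
	Message string // success message shown to the admin
	Link    string // populated only when the deployment may reveal the link
}

// TokenStore is an in-memory stand-in for persisted reset tokens (assumed):
// user ID -> SHA-256 of the token, so a DB leak does not yield live links.
type TokenStore map[string]string

func newResetToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// AdminResetPassword mints a reset token for userID and stores its hash.
// On cloud the returned message deliberately omits the link (new behaviour);
// elsewhere the old behaviour of showing the link is kept.
func AdminResetPassword(deploy DeploymentType, store TokenStore, userID, externalURL string) (ResetResult, error) {
	tok, err := newResetToken()
	if err != nil {
		return ResetResult{}, err
	}
	store[userID] = hashToken(tok)
	// Route shape is assumed for the example, not Sourcegraph's actual URL.
	link := fmt.Sprintf("%s/password-reset?code=%s", strings.TrimRight(externalURL, "/"), tok)

	if deploy == DeployCloud {
		// The admin only learns that a reset was triggered; delivery of the
		// link to the user happens out of band (e.g. email, assumed here).
		return ResetResult{Message: "Password reset initiated; the user will receive a link by email."}, nil
	}
	return ResetResult{Message: "Password reset link: " + link, Link: link}, nil
}

// RedeemsToken reports whether text shown to an admin contains a code that
// matches the stored token hash for userID, i.e. whether the message alone
// would let the admin complete the reset. Useful as a regression check.
func RedeemsToken(store TokenStore, userID, text string) bool {
	i := strings.Index(text, "code=")
	if i < 0 {
		return false
	}
	code := text[i+len("code="):]
	if j := strings.IndexAny(code, "& \n"); j >= 0 {
		code = code[:j]
	}
	return store[userID] != "" && store[userID] == hashToken(code)
}

func main() {
	store := TokenStore{}
	for _, d := range []DeploymentType{DeployEnterprise, DeployCloud} {
		res, err := AdminResetPassword(d, store, "user-2", "https://sourcegraph.test:3443")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s message=%q redeemable=%v\n", d, res.Message, RedeemsToken(store, "user-2", res.Message))
	}
}
```

The regression check is the part worth keeping around: a test that calls `AdminResetPassword` in cloud mode and asserts `RedeemsToken` is false catches a future change that reintroduces the link into any admin-facing string, not just the one field.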
