Hacker News
by
sopooneo
3666 days ago
Shouldn't this risk be mitigated with authorization rules? Or do we assume we are delivering pages without any type of auth first?
1 comment
dennisgorelik
3666 days ago
You should allow users to reset their password without authentication (and therefore without authorization).
That's the nature of a password reset link.
sopooneo
3665 days ago
Oh of course. Good point.