Create reset password doc #271

Merged: 4 commits, Nov 28, 2023

Conversation

mitsumaui (Contributor):

No description provided.

netlify bot commented Oct 29, 2023

Deploy Preview for actualbudget-website ready!

Latest commit: 5af37b2
Latest deploy log: https://app.netlify.com/sites/actualbudget-website/deploys/6566216db9008f0008f4d65a
Deploy Preview: https://deploy-preview-271.www.actualbudget.org

@rich-howell (Contributor):

Hey,

I am not sure this was ever supposed to be documented. If an attacker has access to run the commands, you more than likely have more problems than resetting the password; however, it gives everyone (not just the budget owner) access to information on how to reset the budget password.

@mitsumaui (Contributor, Author):

OK, no worries if not. I figured that if you had this message in the UI it might make sense to document the process, as it implies there is a process, and it won't take long for a nefarious user to uncover that.
For the general user who might need to reset their password, one is left wondering how, when you advertise the capability.

https://github.com/actualbudget/actual/blob/master/packages/desktop-client/src/components/manager/subscribe/Login.tsx#L71

@MatissJanis (Member):

👋 This is great! I would be happy to merge it if you could solve the CI failures.

If an attacker has gained access to the server, he has access to the data file too. So the attacker can just read it without a password (as long as it's not e2e encrypted). So from that perspective, this is not introducing a new attack vector.

MatissJanis merged commit f5addcc into actualbudget:master on Nov 28, 2023 (6 checks passed).