Disabling password change notification
In 7.X, whenever the password is changed, users receive an email with the new password. This email is a potential security risk (it contains both email and password); moreover, it gives the user information which is known to him. The user can simply reset his password if he forgets it again.
I'd expect a single option for disabling this feature. However, to modify notification code it is necessary to create a UserLocalServiceImpl.java wrapper, which has to override almost all methods. While this code can tweak some notifications, especially the password change notification seems to be sent via the original method, not the wrapper (no wrapper breakpoint is hit in this case).
It is discussed in this thread https://liferay.dev/forums/-/message_boards/message/97545179
I haven't realized that the notification body could be rephrased in a smart way so that it brings the user confirmation that his account was not hacked, in the same way as it is implemented in this forum.
The current body in our portal, which contains the password, was migrated from an old LR version. It was neglected as not used. I suppose the content was just a slightly updated default from an old LR version. The current default is most likely completely different.
It would be nice to have a single option to disable this feature, but as said, in the end I find this feature useful.