Expire the password reset link [datacenterlight, dynamicweb]
According to a customer report, the reset link can be reused. The following changes are necessary:
- Expire after a certain time (I suggest 24h)
- Expire after one use
If feasible, I suggest focusing on ramping up the new user service, implementing the change there, and then adjusting dynamicweb to use the new user service. This will probably also include registering users in LDAP.
Mondi, if you have time we can work on it this weekend.
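
The two expiry rules requested above (24h lifetime, invalid after one use), as an added example that is not code from dynamicweb or the new user service. The `ResetTokenStore` class, its in-memory dict standing in for a database table, and the injectable clock are assumptions made for illustration.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 24 * 60 * 60  # 24h, the lifetime suggested in the ticket


class ResetTokenStore:
    """Hypothetical in-memory stand-in for a table of pending password resets."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested without waiting
        self._pending = {}   # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Keep only a hash server-side so a leaked table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Return a fresh random token to embed in the reset link."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the user_id exactly once for a live token, otherwise None."""
        # pop() deletes the record on the first attempt, so the same link
        # cannot be redeemed again, whether or not it had already expired.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")   # constructed sample user
    print(store.redeem(link_token))     # first use succeeds
    print(store.redeem(link_token))     # reuse is rejected
```

In a real deployment the pop-and-check in `redeem` has to be a single atomic database operation, otherwise two concurrent requests with the same link can both succeed.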