Feature #35627
closed
FE Ask for old password before allowing to change password
0%
Description
Following security best practices, a user should be able to update his password only when giving the previous password. Currently, no need to know the old password to change it.
Updated by Andreas Wolf about 12 years ago
- Category set to felogin
- Status changed from New to Accepted
I guess you mean frontend users, don't you? If so, this belongs to EXT:felogin, otherwise we would need to add this to the backend user settings module code.
Updated by Georg Ringer about 12 years ago
feature request is valid for BE and FE
Updated by Georg Ringer about 12 years ago
- Subject changed from Ask for old password before allowing to change password to FE Ask for old password before allowing to change password
Updated by Christian Futterlieb about 12 years ago
Maybe I'm not right, but imo the target of the felogin change password is to allow a frontend user to change its password when he forgot it (by sending him an email with a link containing the 'forgothash'). So it wouldn't be very helpful to require the old one in this case.
Updated by 
Updated by
Updated by Helmut Hummel almost 8 years ago
- Status changed from Accepted to Rejected
In the frontend, we do not have any password editing functionality, where this can be applied. We only have "password forgot" functionality, where applying this does not make much sense for obvious reasons.