Feature #35627
closed
FE Ask for old password before allowing to change password
Added by Nicolas Bonvin over 12 years ago.
Updated over 8 years ago.
Description
Following security best practices, a user should be able to update his password only when providing the previous password. Currently, there is no need to know the old password in order to change it.
- Category set to felogin
- Status changed from New to Accepted
I guess you mean frontend users, don't you? If so, this belongs to EXT:felogin, otherwise we would need to add this to the backend user settings module code.
Feature request is valid for BE and FE.
- Subject changed from Ask for old password before allowing to change password to FE Ask for old password before allowing to change password
Maybe I'm not right, but imo the aim of the felogin change-password feature is to allow a frontend user to change his password when he has forgotten it (by sending him an email with a link containing the 'forgothash'). So it wouldn't be very helpful to require the old one in this case.
- Target version set to 7.5
- Target version changed from 7.5 to 8 LTS
- Status changed from Accepted to Rejected
In the frontend, we do not have any password editing functionality, where this can be applied. We only have "password forgot" functionality, where applying this does not make much sense for obvious reasons.
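The two flows discussed in this ticket are distinct: a logged-in "change password" flow can and should re-verify the current password, while the "forgot password" flow has no old password to ask for and must rely on a single-use, expiring token from the e-mailed link. The PHP below is an added illustration of that distinction; it is not TYPO3 or EXT:felogin code, and the class name `PasswordService`, the in-memory user table and its field names (`password_hash`, `forgot_hash`, `forgot_expires`) are assumptions made for this example.

```php
<?php
// Added example, not TYPO3/felogin code. Two separate ways of setting a new
// frontend-user password:
//  - changePassword(): logged-in flow, proof of the current password required.
//  - resetWithToken(): forgot-password flow, a single-use expiring token is the
//    only proof available, so the old password cannot be demanded.
// The user store and its field names are assumptions for this example.

final class PasswordService
{
    /** @var array<string, array{password_hash:string, forgot_hash:?string, forgot_expires:int}> */
    private array $users; // constructed in-memory user table

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    /** Change flow: the caller must know the current password. */
    public function changePassword(string $username, string $currentPassword, string $newPassword): bool
    {
        if (!isset($this->users[$username])) {
            return false;
        }
        $user = &$this->users[$username];
        // password_verify() compares in constant time and honours the stored algorithm and salt.
        if (!password_verify($currentPassword, $user['password_hash'])) {
            return false; // wrong current password: leave the account untouched
        }
        if (!$this->isAcceptable($newPassword)) {
            return false;
        }
        $user['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        // A pending reset token must not survive a successful password change.
        $user['forgot_hash'] = null;
        $user['forgot_expires'] = 0;
        return true;
    }

    /** Issue a reset token: only its hash is stored, the raw token goes into the e-mail link. */
    public function issueResetToken(string $username, int $ttlSeconds = 3600): ?string
    {
        if (!isset($this->users[$username])) {
            return null; // the caller should still answer identically to avoid user enumeration
        }
        $token = bin2hex(random_bytes(32));
        $this->users[$username]['forgot_hash'] = hash('sha256', $token);
        $this->users[$username]['forgot_expires'] = time() + $ttlSeconds;
        return $token;
    }

    /** Forgot flow: no old password is available, so the token is the sole proof. */
    public function resetWithToken(string $username, string $token, string $newPassword): bool
    {
        if (!isset($this->users[$username])) {
            return false;
        }
        $user = &$this->users[$username];
        if ($user['forgot_hash'] === null || time() > $user['forgot_expires']) {
            return false; // no token issued, or the token has expired
        }
        // hash_equals() avoids timing leaks when comparing the token hashes.
        if (!hash_equals($user['forgot_hash'], hash('sha256', $token))) {
            return false;
        }
        if (!$this->isAcceptable($newPassword)) {
            return false;
        }
        $user['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        $user['forgot_hash'] = null; // single use
        $user['forgot_expires'] = 0;
        return true;
    }

    public function verifyLogin(string $username, string $password): bool
    {
        return isset($this->users[$username])
            && password_verify($password, $this->users[$username]['password_hash']);
    }

    private function isAcceptable(string $password): bool
    {
        // Placeholder policy; a real site applies its own password rules here.
        return strlen($password) >= 8;
    }
}

// Constructed demo data and calls exercising both flows.
$service = new PasswordService([
    'alice' => [
        'password_hash'  => password_hash('old-secret-1', PASSWORD_DEFAULT),
        'forgot_hash'    => null,
        'forgot_expires' => 0,
    ],
]);
var_dump($service->changePassword('alice', 'wrong-guess', 'new-secret-1'));   // attempt with a wrong current password
var_dump($service->changePassword('alice', 'old-secret-1', 'new-secret-1'));  // attempt with the correct current password
$token = $service->issueResetToken('alice');
var_dump($service->resetWithToken('alice', 'not-the-token', 'other-secret-1'));
var_dump($service->resetWithToken('alice', $token, 'other-secret-1'));
var_dump($service->resetWithToken('alice', $token, 'again-secret-1'));        // reuse of an already consumed token
var_dump($service->verifyLogin('alice', 'other-secret-1'));
```

The separation matters for the point made in the ticket: requiring the old password is a safeguard for the logged-in change flow (it limits what a hijacked session can do), while the reset flow gets its assurance from the token's unpredictability, expiry and single use instead.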