Feature #99611

open

Require current password in ext:setup on password change

Added by Torben Hansen almost 2 years ago. Updated about 1 month ago.

Status: New
Priority: Should have
Assignee:
Category: Authentication
Start date: 2023-01-18
Due date:
% Done: 0%
Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

When a backend user wants to change the password, it is currently not required to enter the current password. From a security perspective, a current password verification should be implemented (see https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#change-password-feature).

Actions #1

Updated by Torben Hansen almost 2 years ago

For editor users, this feature is already implemented. The field is just not visible if the current backend user is in switch user mode.

Actions #2

Updated by Benni Mack over 1 year ago

  • Target version changed from 12 LTS to Candidate for Major Version
Actions #3

Updated by Torben Hansen 9 months ago

  • Assignee changed from Torben Hansen to Oliver Hader
  • Target version changed from Candidate for Major Version to 13 LTS
Actions #4

Updated by Garvin Hicking 4 months ago

  • Category set to Authentication
Actions #5

Updated by Benni Mack about 1 month ago

  • Target version changed from 13 LTS to Candidate for Major Version