New user password change doesn't actually require a password change.
When creating a new user, if you select the "password change" checkbox to force a password change on the first login, the user will be prompted appropriately, but he doesn't actually have to supply a different password. It can be the exact same password he first logged on with.
In fact, if you go to @_admin/my_account/password@ after logging in, and execute a change of password, you can put the same password in all three fields, and it will be successful. It's as though we're not doing any checking at all.
Some thoughts I have:
If we're going to include a "force change" for new users, it should actually force a change, and not allow me to simply use the same password over again.
For password changes on a logged-in user:
a. If we don't care that it's the same password, then we should simply offer a field for the new password, because the old one doesn't really matter.
b. If we DO care that it's the same, then we should be checking, just like on new user logins.
What do you guys think?
#6 Updated by Daniel D about 3 years ago
Should never allow password changes without entering a current password for the case when a bad party finds a logged in user and can change the password. In fact this should also probably be done to email as well since it can be used to reset the password via 'forgot password' functionality.
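The following is an added illustration of the checks proposed in the report and in comment #6 (prove possession of the current password, require the two new-password fields to match, reject a new password equal to the old one, and clear a first-login "force change" flag only on a real change). It is not RhodeCode's own code; the PBKDF2 credential store, the user dict and the password values are constructed for the example.

```python
import hashlib
import hmac
import os

# Toy credential store for the example: PBKDF2-SHA256 with a per-user salt.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_user(password: str, force_change: bool = False) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "force_change": force_change}

def verify_password(user: dict, candidate: str) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(user["pw_hash"], hash_password(candidate, user["salt"]))

def login(user: dict, password: str) -> str:
    """Returns 'denied', 'change_required' (first-login forced change) or 'ok'."""
    if not verify_password(user, password):
        return "denied"
    return "change_required" if user["force_change"] else "ok"

def change_password(user: dict, current: str, new: str, confirm: str) -> str:
    """Applies the checks the issue asks for. Returns 'ok' or a rejection reason."""
    # 1. The caller must prove it knows the current password (comment #6), so a
    #    hijacked logged-in session cannot silently take over the account.
    if not verify_password(user, current):
        return "current password incorrect"
    # 2. Both new-password fields must agree.
    if new != confirm:
        return "new passwords do not match"
    # 3. The new password must actually differ from the old one; this is the
    #    missing check from the report, and it is what makes "force change on
    #    first login" meaningful instead of a prompt the user can click through.
    if verify_password(user, new):
        return "new password must differ from current password"
    # Re-salt and store the new hash; only a real change clears the forced flag.
    user["salt"] = os.urandom(16)
    user["pw_hash"] = hash_password(new, user["salt"])
    user["force_change"] = False
    return "ok"
```

The same "must differ" and "confirm current password" rules would apply to the e-mail change comment #6 mentions, since that address is the recovery channel for 'forgot password'.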
#7 Updated by Redmine Integration about 3 years ago
pullrequest created, https://internal-code.rhodecode.com/rhodecode-enterprise-ce/pull-request/2532, (status: under_review)
#9 Updated by Redmine Integration about 3 years ago
- Status changed from In Progress to Resolved
#10 Updated by Redmine Integration about 3 years ago
pullrequest merged, https://internal-code.rhodecode.com/rhodecode-enterprise-ce/pull-request/2532, (status: approved)