Task #5386


Increase security for Email Change

Added by Marcin Kuzminski [CTO] over 6 years ago. Updated about 6 years ago.

Status: Resolved
Priority: Normal
Category: -
Target version:
Start date: 13.09.2017
Due date:
% Done: 80%
Estimated time:
Sorting:
Commit Number:

Description

We already require the OLD password when changing the current user password, but email is another way to recover an account. If a hacker is able to access an open instance of RC, he can trigger an email change and change the password after that.
The proposed idea to fix this is:

  • Make email a select field instead of a text input
  • Inside the input we allow the user to pick any of the addresses added via extra emails
  • In order to change an email, the user needs to add a new email from additional emails; this needs to require a password, and then he can select a new email from the entry.

This should force users to give the current password to change the email
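
A minimal model of the flow proposed above, as an added example that is not part of the original issue and is not RhodeCode's code. The `Account` class, its method names and the addresses are hypothetical, and PBKDF2 stands in for whatever password hashing the application uses.

```python
import contextlib
import hashlib
import hmac
import os

class PasswordRequired(Exception):
    """Raised when the current password is missing or wrong."""

class Account:
    """Hypothetical account model; not RhodeCode's actual user class."""
    def __init__(self, password: str, email: str):
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password)
        self.email = email        # primary address, usable for account recovery
        self.extra_emails = []    # additional addresses attached to the account

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check_password(self, password) -> None:
        if password is None or not hmac.compare_digest(self._hash(password), self._pw_hash):
            raise PasswordRequired("current password required")

    def add_extra_email(self, new_email: str, current_password) -> None:
        # The only way a new address enters the account is gated by the password.
        self._check_password(current_password)
        if new_email != self.email and new_email not in self.extra_emails:
            self.extra_emails.append(new_email)

    def email_choices(self) -> list:
        # Options rendered in the select field: current primary plus the extras.
        return [self.email] + self.extra_emails

    def select_primary_email(self, chosen: str) -> None:
        # No free-text input: the value must be one of the existing choices.
        if chosen not in self.email_choices():
            raise ValueError("email is not one of the account's addresses")
        if chosen != self.email:
            self.extra_emails.remove(chosen)
            self.extra_emails.append(self.email)  # old primary stays as an extra
            self.email = chosen

def session_only_takeover(account: Account, attacker_email: str) -> bool:
    """Model someone driving an open session without knowing the password."""
    with contextlib.suppress(PasswordRequired):
        account.add_extra_email(attacker_email, current_password=None)
    with contextlib.suppress(ValueError):
        account.select_primary_email(attacker_email)
    return account.email == attacker_email
```

In this model, addresses already in the extra list can be promoted without a password, so the protection depends on every path that adds an extra email being password-gated and on the select value being validated server-side.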


Related issues 1 (1 open, 0 closed)

Related to RhodeCode CE/EE - Task #5391: Secure Email change | Resolved | 21.09.2017

Actions #1

Updated by Marcin Kuzminski [CTO] over 6 years ago

  • Status changed from New to In Progress
Actions #2

Updated by Anonymous over 6 years ago

-- deleted spam comment ---

Actions #3

Updated by Marcin Kuzminski [CTO] about 6 years ago

  • Target version changed from v4.11 to v4.12
Actions #4

Updated by Marcin Kuzminski [CTO] about 6 years ago

  • Assignee set to Bartłomiej Wołyńczyk
Actions #5

Updated by Marcin Kuzminski [CTO] about 6 years ago

  • Related to Task #5391: Secure Email change added
Actions #6

Updated by Bartłomiej Wołyńczyk about 6 years ago

  • % Done changed from 0 to 80
Actions #7

Updated by Bartłomiej Wołyńczyk about 6 years ago

  • Status changed from In Progress to Resolved
  • Assignee changed from Bartłomiej Wołyńczyk to Marcin Kuzminski [CTO]