[Rt-devel] Need of Current Password

Emmanuel Lacour elacour at easter-eggs.com
Fri Jun 11 13:48:29 EDT 2010


On Fri, Jun 11, 2010 at 12:17:37PM -0400, Kevin Falcone wrote:
> 
> This prevents an attacker from (possibly) being able to change another
> user's password using an Admin's cookie/session.  

So this attacker cannot change the user's password, but can do everything
else ...

> Similarly, for a normal user, it prevents the user's password from
> being changed without typing their current password.
> 

For a "normal user", why not? It's a common practice.

> > Also, there seems to be a side effect with RT::Authen::ExternalAuth. If
> > it's configured with both external and internal users, it is impossible
> > for an external user with appropriate right to set a password for an
> > internal user.
> 
> There is code that certainly tries to handle this, and uses IsPassword
> which RT-Authen-ExternalAuth overrides.  The original code for this
> feature was rototilled specifically to think about external auth
> users.
> 

I saw this :)

> If you can track down more of what is going on, it is probably
> something that requires RT-Authen-ExternalAuth patching rather than
> core patching.
> 

Sure, I will try to track this down next week. Once the problem is
identified, I will open a bug in the right bug report ;)
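
The policy Kevin describes above, as an added illustration (this is not
code from Request Tracker or RT::Authen::ExternalAuth, and the names
User, Session, InternalAuth, ExternalAuth and change_password are all
assumed for the example): a password change re-authenticates the
*session* user, so an attacker holding an admin's cookie but not the
admin's password is refused, a normal user must type their own current
password, and the check is delegated to a pluggable authenticator, with
a hard-coded stand-in for an external directory showing that users the
directory does not know fail closed.

```python
"""Re-authentication gate for a password-change action.

Added example, NOT code from RT or RT::Authen::ExternalAuth. It models the
policy discussed in the thread: any password change requires the SESSION
user's current password, so a stolen admin cookie alone is not enough.
All names here are assumed for the illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    name: str
    is_admin: bool = False
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: Optional[bytes] = None  # None: no locally stored password

    def set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)


class InternalAuth:
    """Verifies against the locally stored hash (constant-time compare)."""

    def is_password(self, user: User, candidate: str) -> bool:
        if user.pw_hash is None:
            return False
        return hmac.compare_digest(hash_password(candidate, user.salt), user.pw_hash)


class ExternalAuth:
    """Stand-in for an external directory (a plain dict, constructed here).
    Accounts unknown to the directory fail closed, whatever local hash they
    may have: the gate is only as good as the authenticator it calls."""

    def __init__(self, directory: dict):
        self.directory = directory

    def is_password(self, user: User, candidate: str) -> bool:
        expected = self.directory.get(user.name)
        return expected is not None and hmac.compare_digest(
            expected.encode(), candidate.encode())


@dataclass
class Session:
    user: User  # the account whose cookie is being presented


def change_password(session: Session, target: User, current_password: str,
                    new_password: str, auth) -> str:
    # 1. Re-authenticate the SESSION user, not the target. A cookie proves
    #    possession of a session, not knowledge of the admin's password.
    if not auth.is_password(session.user, current_password):
        return "denied: current password wrong"
    # 2. Authorization: self-service, or an admin acting on another account.
    if session.user is not target and not session.user.is_admin:
        return "denied: no right to change another user's password"
    target.set_password(new_password)
    return "ok"


def demo() -> dict:
    admin = User("root", is_admin=True)
    admin.set_password("admin-secret")
    alice = User("alice")
    alice.set_password("alice-old")
    internal = InternalAuth()
    r = {}
    # Attacker riding root's stolen session without knowing root's password.
    r["hijacked_session"] = change_password(Session(admin), alice, "guess", "pwned", internal)
    # Legitimate admin typing her own current password.
    r["admin_ok"] = change_password(Session(admin), alice, "admin-secret", "alice-new", internal)
    r["alice_login_new"] = internal.is_password(alice, "alice-new")
    # Normal user: wrong current password, then the right one.
    r["self_wrong_current"] = change_password(Session(alice), alice, "alice-old", "x", internal)
    r["self_ok"] = change_password(Session(alice), alice, "alice-new", "alice-newer", internal)
    # Normal user trying to set someone else's password.
    r["user_changes_other"] = change_password(Session(alice), admin, "alice-newer", "x", internal)
    # Same gate, external directory as the authenticator (constructed data).
    external = ExternalAuth({"root": "ldap-secret"})
    r["ext_admin_ok"] = change_password(Session(admin), alice, "ldap-secret", "alice-ext", external)
    r["ext_unknown_user_fails_closed"] = change_password(Session(alice), alice, "alice-newer", "x", external)
    return r


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:32s} {outcome}")
```

The point to take from the last two cases is that the gate never looks at
a password itself; whichever authenticator is wired in decides, so an
authenticator that only knows one population of users silently refuses
the other one.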


