[Rt-devel] Need of Current Password

Kevin Falcone falcone at bestpractical.com
Fri Jun 11 12:17:37 EDT 2010


On Thu, Jun 10, 2010 at 02:40:15PM +0200, Emmanuel Lacour wrote:
> Seems it is needed that people with the SuperUser or AdminUsers right have to
> enter their current password to change the password of someone else ...
> this seems very unusual to me?
> (same problem with new user creation)

This prevents an attacker from (possibly) being able to change another
user's password using an Admin's cookie/session.  Similarly, for a
normal user, it prevents the user's password from being changed
without typing their current password.

> Also, there seems to be a side effect with RT::Authen::ExternalAuth. If
> it's configured with both external and internal users, it is impossible
> for an external user with appropriate right to set a password for an
> internal user.

There is code that certainly tries to handle this, and uses IsPassword
which RT-Authen-ExternalAuth overrides.  The original code for this
feature was rototilled specifically to think about external auth
users.

If you can track down more of what is going on, it is probably
something that requires RT-Authen-ExternalAuth patching rather than
core patching.

-kevin
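The re-authentication rule Kevin describes, written out as a small added example (this is not RT's code and none of the names are RT's; the users, rights, password strings and the EXTERNAL_DIRECTORY stand-in are constructed for the demo). A valid session on its own never changes a password: the acting user, whether changing their own password or someone else's, must supply their own current password, and that password is checked against the backend that actually authenticates the actor, which is one way to let an externally authenticated admin still set a local password for an internal user:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # kept modest so the demo runs quickly
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    name: str
    password_hash: Optional[bytes]  # None for externally authenticated users
    rights: set = field(default_factory=set)
    external: bool = False


class Forbidden(Exception):
    """Actor lacks the right to change this password."""


class ReauthRequired(Exception):
    """Actor must prove possession of their own current password."""


# Constructed stand-in for an external directory (LDAP etc.); hypothetical.
EXTERNAL_DIRECTORY = {"ext-admin": "ext-secret"}


def external_is_password(user: User, password: str) -> bool:
    return EXTERNAL_DIRECTORY.get(user.name) == password


def is_password(user: User, password: str) -> bool:
    """Verify a password against the backend that actually authenticates this user.

    Dispatching on the actor's own backend is what lets an externally
    authenticated admin re-authenticate even though they hold no local hash.
    """
    if user.external:
        return external_is_password(user, password)
    return user.password_hash is not None and check_password(password, user.password_hash)


def change_password(users, session_user, target_name, current_password, new_password):
    """Change target's password. A valid session alone is never enough:
    the acting user must re-enter *their own* current password."""
    actor = users[session_user]
    target = users[target_name]
    if actor.name != target.name and not (actor.rights & {"SuperUser", "AdminUsers"}):
        raise Forbidden(f"{actor.name} may not change {target.name}'s password")
    if current_password is None or not is_password(actor, current_password):
        raise ReauthRequired("current password of the acting user is required")
    if target.external:
        raise Forbidden("externally authenticated users have no local password")
    target.password_hash = hash_password(new_password)


def build_users():
    """Constructed sample accounts; the password strings exist only for the demo."""
    return {
        "alice": User("alice", hash_password("alice-pw")),
        "bob": User("bob", hash_password("bob-pw")),
        "root": User("root", hash_password("root-pw"), {"SuperUser"}),
        "ext-admin": User("ext-admin", None, {"AdminUsers"}, external=True),
    }


def outcome(users, session_user, target_name, current_password, new_password) -> str:
    """Label what change_password did, so each scenario reads as one line."""
    try:
        change_password(users, session_user, target_name, current_password, new_password)
        return "changed"
    except ReauthRequired:
        return "reauth-required"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    users = build_users()
    # A stolen session (cookie only, no password) gets nowhere, admin or not.
    print(outcome(users, "root", "alice", None, "pwned"))               # reauth-required
    print(outcome(users, "alice", "alice", None, "pwned"))              # reauth-required
    # Re-authenticated admin succeeds; a normal user may not touch others.
    print(outcome(users, "root", "alice", "root-pw", "new-alice"))      # changed
    print(outcome(users, "bob", "alice", "bob-pw", "x"))                # forbidden
    # External admin is verified against its own directory, then sets a local password.
    print(outcome(users, "ext-admin", "alice", "ext-secret", "again"))  # changed
```

The point of checking the actor's password rather than the target's is that the check guards the privileged action itself, so whoever holds the session still has to prove they are the account owner; the external-backend dispatch in is_password is an assumption about how such an override would be structured, not a description of what RT-Authen-ExternalAuth does.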

