[Rt-devel] Need of Current Password
elacour at easter-eggs.com
Fri Jun 11 13:48:29 EDT 2010
On Fri, Jun 11, 2010 at 12:17:37PM -0400, Kevin Falcone wrote:
> This prevents an attacker from (possibly) being able to change another
> user's password using an Admin's cookie/session.
so this attacker cannot change the user password, but can do everything
> Similarly, for a normal user, it prevents the user's password from
> being changed without typing their current password.
for a "normal user", why not, it's a common practice.
> > Also, there seems to be a side effect with RT::Authen::ExternalAuth. If
> > it's configured with both external and internal users, it is impossible
> > for an external user with appropriate right to set a password for an
> > internal user.
> There is code that certainly tries to handle this, and uses IsPassword
> which RT-Authen-ExternalAuth overrides. The original code for this
> feature was rototilled specifically to think about external auth
I saw this :)
> If you can track down more of what is going on, it is probably
> something that requires RT-Authen-ExternalAuth patching rather than
> core patching.
Sure, I will try to track this down next week. Once the problem is
identified, I will open a bug in the right bug report ;)
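As an added illustration of the check discussed in this thread (this is not RT's code; the user names, the `AdminUsers` right and the `is_password` / `change_password` helpers are all assumed), a password-change handler that requires the acting user's own current password, which also reproduces the ExternalAuth side effect reported above: an externally authenticated actor has no local password hash, so the check can never succeed for them.

```python
import hashlib
import hmac
import os

# Constructed user store (not RT's schema). "external" users are
# authenticated by an external backend and keep no local password hash,
# which is the situation the thread attributes to RT::Authen::ExternalAuth.
def make_hash(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

USERS = {
    "root":      {"hash": make_hash("root-pw"),  "rights": {"AdminUsers"}, "external": False},
    "alice":     {"hash": make_hash("alice-pw"), "rights": set(),          "external": False},
    "ext_admin": {"hash": None,                  "rights": {"AdminUsers"}, "external": True},
}

def is_password(username, candidate):
    """Local check of a user's current password. Always False for a user
    with no local hash, i.e. one handled entirely by external auth."""
    stored = USERS[username]["hash"]
    if stored is None:
        return False
    salt, digest = stored
    _, probe = make_hash(candidate, salt)
    return hmac.compare_digest(digest, probe)

def change_password(actor, current_password, target, new_password):
    """Password change as described in the thread: whoever submits the form
    must re-type their own current password, both when changing their own
    password and when an AdminUsers holder changes somebody else's, so a
    stolen admin cookie/session alone is not enough."""
    if target != actor and "AdminUsers" not in USERS[actor]["rights"]:
        return "denied: no right to modify other users"
    if not is_password(actor, current_password):
        return "denied: current password required"
    USERS[target]["hash"] = make_hash(new_password)
    return "ok"
```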