[rt-users] setting a password for a user

Kevin Falcone falcone at bestpractical.com
Tue Jan 20 10:26:34 EST 2015


On Fri, Jan 16, 2015 at 02:56:42PM -0500, Boris Epstein wrote:
> I guess the question still remains, what is the rationale behind me being unable
> to do so just as a user with admin privileges.

RT requires an admin password to change another password so that
nobody can trick you into clicking on a link that would change (say
root's) password.  This was further mitigated by CSRF protections, but
still seems like a reasonable security precaution.

RT does not know your password when you use RT-Authen-ExternalAuth,
thus it cannot require you to enter it.

RT-Authen-ExternalAuth could be extended to make that additional query
and support it, however, that's nontrivial development and not
currently planned.  If it's something you require, patches are
welcome, or I'm happy to put you in touch with sales.

-kevin

> Here is a discussion I found on the topic:
>
> http://www.gossamer-threads.com/lists/rt/users/99177
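
The rationale in the reply above, sketched as an added example (not RT's code and not from the original thread): a password change is accepted only when the acting admin re-enters their own password, so a request forged through a link fails, and an externally authenticated admin has no local password to confirm against. The `User` class, function names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class User:
    name: str
    is_admin: bool = False
    salt: bytes = b""
    pw_hash: Optional[bytes] = None  # None models external auth: no local password

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)

    def check_password(self, password: str) -> bool:
        if self.pw_hash is None:
            return False
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


def change_password(actor: User, target: User, new_password: str,
                    actor_current_password: Optional[str]) -> str:
    """Change target's password only if the actor re-enters their own."""
    if not actor.is_admin and actor is not target:
        return "denied: not permitted"
    if actor.pw_hash is None:
        # The application never sees an externally verified password.
        return "denied: no local password to confirm"
    if not actor_current_password or not actor.check_password(actor_current_password):
        # A forged request rides the session but cannot supply this value.
        return "denied: current password required"
    target.set_password(new_password)
    return "changed"


def demo() -> dict:
    admin = User("admin", is_admin=True)
    admin.set_password("constructed-admin-pw")
    sso_admin = User("sso_admin", is_admin=True)  # authenticated externally
    root = User("root", is_admin=True)
    root.set_password("constructed-root-pw")
    return {
        "forged": change_password(admin, root, "forged-value", None),
        "external": change_password(sso_admin, root, "x", "anything"),
        "legit": change_password(admin, root, "new-root-pw", "constructed-admin-pw"),
        "root_updated": root.check_password("new-root-pw"),
    }
```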