#812: change password without entering old
-----------------------+--------------------
 Reporter:  tim        |      Owner:  nobody
     Type:  defect     |     Status:  new
 Priority:  minor      |  Milestone:
Component:  siteadmin  |    Version:
 Keywords:             |
-----------------------+--------------------
When you go to "preferences" and try to change your password, it always
asks for you to enter your old password in order to assign a new password.
This is a typical security feature to prevent a random person from using
an open machine and changing someone's password. However, if the user in
question is an admin user, that random person only needs to go through the
admin screens to be able to change the current user's password without
knowing the old one.
Should this be considered a security issue? Perhaps an admin shouldn't be
able to change their own password through the admin panel without entering
their own old password? Or is it a non-issue?
--
Ticket URL: <https://issues.apache.org/bloodhound/ticket/812>
Apache Bloodhound <https://issues.apache.org/bloodhound/>
The Apache Bloodhound issue tracker
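
One way to close the gap the ticket describes, as an added example that is not Bloodhound or Trac code: the preferences form and the admin panel both call a single function, which demands the current password whenever an account changes its own password, admin or not. The `Account` type, the function names and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor


@dataclass
class Account:  # hypothetical account record
    name: str
    is_admin: bool
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(name: str, password: str, is_admin: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(name, is_admin, salt, _hash(password, salt))


def verify(account: Account, password: str) -> bool:
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(account.pw_hash, _hash(password, account.salt))


def change_password(actor, target, new_password, current_password=None):
    """Single choke point for every password-change path. Returns (ok, reason)."""
    if actor.name == target.name:
        # Self-change: admin rights never waive re-authentication, so an
        # unattended admin session cannot be used to take over the account.
        if current_password is None or not verify(actor, current_password):
            return False, "current password required"
    elif not actor.is_admin:
        # Changing someone else's password is an admin-only reset.
        return False, "not permitted"
    # Admin resetting another user: no old password, which the admin cannot know.
    target.salt = os.urandom(16)
    target.pw_hash = _hash(new_password, target.salt)
    return True, "changed"
```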