[ https://issues.apache.org/jira/browse/FINERACT-516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16994359#comment-16994359 ]

Michael Vorburger commented on FINERACT-516:
--------------------------------------------

From what I understand of https://github.com/openMF/community-app/issues/2428 
and from a quick review of the above PR, I think what we would want to do here 
is to SEND the user's proposed current password in an additional field of the 
REQUEST to send a user's password, so that the back-end code can double check 
it?  We would however NEVER want to RETURN the user's current password from 
the back-end to any front-ends in any API RESPONSE, agreed?  But the proposed 
PR (#639), from what little I understand, seems to propose to add 
currentPassword to RESPONSE_DATA_PARAMETERS in UsersApiResource.java - is that 
right?

It would also be good to have an integration test covering this in that PR.

> Add current password field to prevent unauthorized users from changing 
> password of the current user #2428
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: FINERACT-516
>                 URL: https://issues.apache.org/jira/browse/FINERACT-516
>             Project: Apache Fineract
>          Issue Type: Improvement
>          Components: User Management
>            Reporter: Santosh Math
>            Assignee: Markus Geiss
>            Priority: Major
>              Labels: gsoc, p2
>         Attachments: 29419719-81d3d36a-8378-11e7-9ad4-20074c6627cd.png
>
>
> Reported by Nenge1
> Link,
> Mifos dropdown->profile>change password (check the screenshot)
> Allowing the user to enter only a new password increases the vulnerability 
> because the username is visible.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
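The two rules the comment above spells out (verify the current password from the REQUEST on the server, never put a password field in the RESPONSE allowlist) in working form. This is an added example, not Fineract's code or the code of PR #639: the class and field names, the allowlist contents, the in-memory user record and the use of PBKDF2-HMAC-SHA256 for the stored hash are all assumptions made for the illustration, and Fineract's real UsersApiResource.java and RESPONSE_DATA_PARAMETERS are not reproduced.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added illustration, not Fineract code: the change-password REQUEST carries the
 * current password so the server can verify it; the RESPONSE allowlist never
 * names a password field.
 */
public class ChangePasswordExample {

    // Hypothetical in-memory stand-in for the persisted user entity.
    static final class StoredUser {
        final String username;
        byte[] salt;
        byte[] passwordHash;

        StoredUser(String username, byte[] salt, byte[] passwordHash) {
            this.username = username;
            this.salt = salt;
            this.passwordHash = passwordHash;
        }
    }

    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Hypothetical response allowlist playing the role the comment gives to
    // RESPONSE_DATA_PARAMETERS in UsersApiResource.java: no password key is listed.
    static final Set<String> RESPONSE_DATA_PARAMETERS = Set.of("id", "username", "officeId", "email");
    static final Set<String> SECRET_KEYS = Set.of("password", "currentPassword", "newPassword", "passwordHash");

    // Assumed hashing scheme for this example; the page does not show Fineract's own.
    static byte[] hashPassword(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        }
    }

    static StoredUser createUser(String username, String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new StoredUser(username, salt, hashPassword(password.toCharArray(), salt));
    }

    static boolean verifyPassword(StoredUser user, String candidate) {
        byte[] candidateHash = hashPassword(candidate.toCharArray(), user.salt);
        // Constant-time compare: timing must not reveal how much of the hash matched.
        return MessageDigest.isEqual(candidateHash, user.passwordHash);
    }

    /** Refuses the change unless currentPassword verifies; knowing the username alone is not enough. */
    static boolean changePassword(StoredUser user, String currentPassword, String newPassword) {
        if (currentPassword == null || newPassword == null || newPassword.isEmpty()) {
            return false;
        }
        if (!verifyPassword(user, currentPassword)) {
            return false;
        }
        byte[] newSalt = new byte[16];
        RNG.nextBytes(newSalt);
        user.passwordHash = hashPassword(newPassword.toCharArray(), newSalt);
        user.salt = newSalt;
        return true;
    }

    /** Serialises an entity for the API, keeping only allowlisted keys; secrets never reach the client. */
    static Map<String, Object> toResponse(Map<String, Object> entity) {
        Map<String, Object> out = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : entity.entrySet()) {
            if (RESPONSE_DATA_PARAMETERS.contains(e.getKey())) {
                out.put(e.getKey(), e.getValue());
            }
        }
        return out;
    }

    /** The assertion an integration test for such a PR should make: the allowlist names no secret. */
    static boolean responseAllowlistIsClean() {
        for (String key : RESPONSE_DATA_PARAMETERS) {
            if (SECRET_KEYS.contains(key)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        StoredUser alice = createUser("alice", "correct horse");
        // Someone who only knows the username guesses the current password: refused, hash untouched.
        System.out.println("hijack accepted: " + changePassword(alice, "guess", "pwned"));
        // The real user supplies the current password: accepted, hash and salt rotated.
        System.out.println("legit accepted:  " + changePassword(alice, "correct horse", "battery staple"));
        System.out.println("old pw verifies: " + verifyPassword(alice, "correct horse"));
        System.out.println("new pw verifies: " + verifyPassword(alice, "battery staple"));
        // Entity as loaded from persistence; password-bearing keys are dropped before it leaves the API.
        Map<String, Object> entity = new LinkedHashMap<>();
        entity.put("id", 1L);
        entity.put("username", alice.username);
        entity.put("passwordHash", alice.passwordHash);
        entity.put("currentPassword", "battery staple");
        System.out.println("response: " + toResponse(entity));
        System.out.println("allowlist clean: " + responseAllowlistIsClean());
    }
}
```

Compile and run with `javac ChangePasswordExample.java && java ChangePasswordExample` on any JDK 9 or later. The design point is the split of responsibilities: `changePassword` is the only place that ever sees `currentPassword`, and it consumes it solely to compute a hash for a constant-time comparison; `toResponse` works from a fixed allowlist rather than a denylist, so a newly added secret field is excluded by default; and `responseAllowlistIsClean` is the kind of check the integration test the comment asks for would make, so that adding `currentPassword` to the response parameters fails the build rather than shipping.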