Because of the fact a user can SSO in and so they do not have a valid
password in Mahara itself we can't force them to re-enter their password
to do the following:

1. Changing your username
2. Changing your primary email address (because this can make it impossible to 
recover your password)
3. Deleting your own account

However we now have some more security around

2. Changing your primary email - we now have a check where when a new email 
address is being added to the account the existing email addresses get sent a 
'heads up' message about the new email address.
3. Deleting your own account - we now have the ability to set a site setting 
where users deleting their accounts go to a pending confirmation queue which 
admins need to verify

As for

1. Changing your username

we could send email to user's accounts as a 'heads up' for this as well

You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or forum before editing or unsubscribing it!

  Mahara doesn't ask you for your password before deleting your account
  or changing your username

Status in Mahara:

Bug description:
  These, especially the first, seem like dangerous operations.

  Expected behavior is that Mahara would prompt for my current password
  to prevent someone deleting my user account if I left my account
  logged in.

To manage notifications about this bug go to:

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to