Bug 339413 - Changing password should require old password
Summary: Changing password should require old password
Status: RESOLVED FIXED
Alias: None
Product: Orion
Classification: ECD
Component: Client
Version: 0.2
Hardware: PC Windows 7
Importance: P3 normal
Target Milestone: 0.2
Assignee: Malgorzata Janczarska CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2011-03-09 14:05 EST by John Arthorne CLA
Modified: 2011-09-01 11:43 EDT
See Also:
Description John Arthorne CLA 2011-03-09 14:05:46 EST
Currently I can change a password without knowing my old password. This is bad because:

- If someone accessed my machine when I'm not looking, they can change my password
- If malicious code somehow gets into our pages it can invoke the service to change passwords without knowing the current one.

However the admin user needs to be able to change passwords without knowing the old one, for the case where the user has forgotten their password. So, I suggest:

The service call to change password accepts both old and new passwords. If the currently authenticated user is the administrator, the old password is not ignored/not required. If the currently authenticated user is not the administrator, we check for a match on the old password before processing the request.
Comment 1 Malgorzata Janczarska CLA 2011-05-06 11:10:40 EDT
done