fuel / auth

Fuel PHP Framework - Fuel v1.x Authentication package
http://fuelphp.com/docs/packages/auth/intro.html

Why Auth::update_user needs the "oldpassword" field? #108

Closed webjoaoneto closed 9 years ago

webjoaoneto commented 9 years ago

So, I have this doubt, because the official documentation says that for security reasons the measure needs to be taken.

but if I just do this in the code:

```php
$new_password = Auth::reset_password( $user->username );
\Auth::update_user( array(
    'old_password'         => $new_password, //security, why?
    'password'             => Input::post( 'password' ),
    'lostpassword_hash'    => null,
    'lostpassword_created' => null
), $user->username );
```

All works.

Weird, but maybe I ever understand. Thanks =)

kenjis commented 9 years ago

Your code is disabling Fuel's security measure. oldpassword is for reducing user damage in your site.

Generally speaking, if you don't know why it is needed for security, you should not disable the functionality.

WanWizard commented 9 years ago

It is for exactly the same reason as why lots of sites ask you for your password if you want to make changes, even though you are logged in. You want to be absolutely sure it is the user that makes the changes, not someone else that got access to a logged-in application...

webjoaoneto commented 9 years ago

Ok, but what user has access to the source code of the project? Requiring an oldpassword on the Auth model is totally irrelevant from a security point of view; after the "user" can change the source code of the project, I think it will not be what will prevent you from changing a password. That is why I did it myself above.

Even I had to open this issue for not understanding how this was done. For example, on my system the Administrator can access their clients and change their passwords (and any other info) via backend. But the framework for security reasons does not want me to do it, apparently.

WanWizard commented 9 years ago

You lost me.

A person that has access to the code, and has access to a running application, is not a user. That is a developer, an administrator, or a hacker. And all three have direct access to the database too, so what is your point?

The update_user() function was made to allow an END-USER to update information about her/himself through some sort of profile page in your application. And to prevent other people from doing that (for example because the END-USER went into a meeting and forgot to log off, or because the application was built with a remember-me cookie and the END-USER's laptop was stolen) the END-USER is prompted for her/his own password, to ensure it is the user's own profile.

If your question is "how can I implement a password change for an existing user", you should ask so. And you would have gotten an answer. For example by referring to this forum post of 2011: http://fuelphp.com/forums/discussion/5758

There is no reason for a developer to want to write code to change a password. It is not your password, it is the END-USER's password, so only the END-USER can change it, either through a form in which also the current password is given (which is what update_user is for), or through a password recovery mechanism (which is documented, including an example).
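The two legitimate paths WanWizard describes (a profile form that re-verifies the current password, and a separate recovery mechanism for a user who does not know it), as an added example that is not part of this issue thread or of the fuel/auth package. The ProfileService class, its in-memory user table and the helper names are hypothetical stand-ins for Fuel's update_user() and reset_password(); the recovery path here uses a single-use token delivered out of band instead of Fuel's generated password, and the sample user is constructed.

```php
<?php
// Added example, not code from fuel/auth. A stand-in for update_user():
// a password only changes through the profile form (current password
// re-verified) or through the recovery flow (single-use token). Nothing
// here is a Fuel API; names are hypothetical.

final class ProfileService
{
    /** constructed in-memory user table: username => ['hash' => ..., 'reset_token' => ...] */
    private $users = [];

    public function addUser(string $username, string $password): void
    {
        $this->users[$username] = [
            'hash'        => password_hash($password, PASSWORD_DEFAULT),
            'reset_token' => null,
        ];
    }

    /**
     * Profile update as an END-USER does it from a logged-in session.
     * Any request carrying a new 'password' must also carry the current one
     * in 'old_password', and it must verify against the stored hash. That is
     * what stops someone who merely holds a live session (unattended browser,
     * stolen remember-me cookie) from locking the real owner out.
     */
    public function updateUser(array $values, string $username): bool
    {
        if (!isset($this->users[$username])) {
            throw new InvalidArgumentException("unknown user: $username");
        }
        if (array_key_exists('password', $values)) {
            if (empty($values['old_password'])) {
                throw new RuntimeException('password change requires old_password');
            }
            if (!password_verify($values['old_password'], $this->users[$username]['hash'])) {
                throw new RuntimeException('old_password does not match');
            }
            $this->users[$username]['hash'] = password_hash($values['password'], PASSWORD_DEFAULT);
        }
        return true;
    }

    /**
     * Recovery flow for a user who does NOT know the current password: issue a
     * random single-use token to be delivered out of band (e.g. an e-mail link).
     * Only a hash of the token is stored, so a database read does not leak it.
     */
    public function issueResetToken(string $username): string
    {
        $token = bin2hex(random_bytes(32));
        $this->users[$username]['reset_token'] = hash('sha256', $token);
        return $token;
    }

    /** Complete recovery: the token proves ownership in place of old_password. */
    public function resetPasswordWithToken(string $username, string $token, string $newPassword): bool
    {
        $stored = $this->users[$username]['reset_token'] ?? null;
        if ($stored === null || !hash_equals($stored, hash('sha256', $token))) {
            return false;
        }
        $this->users[$username]['reset_token'] = null; // single use
        $this->users[$username]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        return true;
    }

    public function checkPassword(string $username, string $password): bool
    {
        return password_verify($password, $this->users[$username]['hash']);
    }
}

// Usage with a constructed user.
$svc = new ProfileService();
$svc->addUser('alice', 'correct horse');

// 1. Profile form: the owner supplies the current password.
$svc->updateUser(['old_password' => 'correct horse', 'password' => 'new pass 1'], 'alice');
echo 'owner change applied: ', var_export($svc->checkPassword('alice', 'new pass 1'), true), "\n";

// 2. Live session without the current password: the change is refused.
try {
    $svc->updateUser(['old_password' => 'wrong guess', 'password' => 'other'], 'alice');
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}

// 3. Recovery: the out-of-band token stands in for old_password, once.
$token = $svc->issueResetToken('alice');
echo 'recovery with token: ', var_export($svc->resetPasswordWithToken('alice', $token, 'recovered'), true), "\n";
echo 'token reused: ', var_export($svc->resetPasswordWithToken('alice', $token, 'replayed'), true), "\n";
```

The reset-then-update sequence in the original post works only because the caller feeds the freshly generated password straight back in as old_password, which turns the check into a no-op; in this stand-in that shortcut has no equivalent, since the recovery path never reveals a password and the profile path always verifies the one the user actually knows.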