ist-dresden / composum-nodes

Set of Apache Sling / AEM development tools: JCR browser, user and package management and more
https://www.composum.com/home/nodes.html
MIT License

The change password servlet operation is unsafe #144

Closed enapps-enorman closed 4 years ago

enapps-enorman commented 6 years ago

The change password form doesn't ask for the old password before allowing the user to change it. This means that if you are logged in and I sit down at your computer, I can lock you out of your account and transfer ownership to myself without knowing your password. Or some script injected into the page via some other means could do the same automatically without your knowledge.

Expected: Only the admin user should be allowed to change the password of a user without knowing the old password.
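The two behaviours the report contrasts, side by side in a Sling servlet, as an added illustration that is not Composum's code or the fix in the linked pull request. It assumes a POST handler with hypothetical parameter names `userId`, `newPassword` and `oldPassword`, and relies on the Jackrabbit API's `User.changePassword(String, String)`, which verifies the old password in the repository and throws if it does not match:

```java
package com.example.nodes.security; // hypothetical package, not Composum's

import java.io.IOException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.ServletException;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;

public class ChangePasswordServlet extends SlingAllMethodsServlet {

    // Parameter names are assumptions made for this example.
    private static final String PARAM_USER = "userId";
    private static final String PARAM_NEW = "newPassword";
    private static final String PARAM_OLD = "oldPassword";

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        Session session = request.getResourceResolver().adaptTo(Session.class);
        if (!(session instanceof JackrabbitSession)) {
            response.sendError(500, "repository session is not a JackrabbitSession");
            return;
        }
        try {
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            String targetId = request.getParameter(PARAM_USER);
            String newPassword = request.getParameter(PARAM_NEW);
            String oldPassword = request.getParameter(PARAM_OLD);
            if (targetId == null || newPassword == null || newPassword.isEmpty()) {
                response.sendError(400, "userId and newPassword are required");
                return;
            }
            Authorizable target = userManager.getAuthorizable(targetId);
            if (!(target instanceof User)) {
                response.sendError(404, "no such user");
                return;
            }
            User user = (User) target;

            // UNSAFE, the behaviour the issue describes: the new password is set
            // without proof of the old one, so anyone driving an open session
            // (a person at the keyboard or a script injected into the page) can
            // lock the account holder out. Kept commented out for contrast.
            // user.changePassword(newPassword);

            // SAFE: decide by who the session belongs to.
            Authorizable caller = userManager.getAuthorizable(session.getUserID());
            boolean callerIsAdmin = caller instanceof User && ((User) caller).isAdmin();

            if (callerIsAdmin) {
                // Only the admin user may reset a password without the old one.
                user.changePassword(newPassword);
            } else if (targetId.equals(session.getUserID())) {
                // Self-service: the repository checks oldPassword and throws on mismatch.
                if (oldPassword == null || oldPassword.isEmpty()) {
                    response.sendError(400, "oldPassword is required");
                    return;
                }
                user.changePassword(newPassword, oldPassword);
            } else {
                response.sendError(403, "only admin may change another user's password");
                return;
            }
            session.save();
            response.setStatus(200);
        } catch (RepositoryException e) {
            // A wrong old password surfaces here as a RepositoryException from changePassword.
            response.sendError(403, "password change rejected");
        }
    }
}
```

The point of the check is that the session alone is no longer enough: a non-admin caller must present the current password, which a bystander at an unlocked screen or an injected script does not have. The admin branch keeps the behaviour the report asks for as the expected one. Whether `isAdmin()` is the right notion of "admin" for a given deployment (as opposed to a group membership or a JCR privilege check) is a deployment decision this example does not settle.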

enapps-enorman commented 6 years ago

Please consider the pull request at https://github.com/ist-dresden/composum/pull/145 to resolve the problem.

stoerr commented 4 years ago

This is fixed and has been merged into v1.10.0, so I'm closing this.