nixonwidjaja / pe


Logged in user should not be able to recover account #6

Open nixonwidjaja opened 10 months ago

nixonwidjaja commented 10 months ago

A logged-in user should not be able to access the recover account command, because it does not make sense for someone who is logged in to be able to recover the account. Perhaps the command name could be changed to "change password" instead of "recover account" for logged-in users. Recover account makes sense only for logged-out users. In terms of user workflow, the ability for a logged-in user to access and run the command just doesn't make sense.

soc-pe-bot commented 10 months ago

Team's Response

Thanks for your feedback.

We decided to allow for the usage of recover account as a shortcut to editing the password (when logged-in), relative to calling the update command (which has multiple fields and is more general). Granted, this inclusion does make the workflow slightly weird, but it does not cause any harm to the user data (i.e., showing Customer and Delivery data pre-login which we protected against) nor does it cause any other adverse behavior to the application. Instead, we would argue that it provides greater flexibility for a user to change his/her password.

There is a conscious decision to leave it.

Items for the Tester to Verify

Issue response

Team chose [response.Rejected]

Reason for disagreement: [replace this with your explanation]
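The gating the report asks for, written here as an added illustration rather than code from the project under test: each command declares the session state it is valid in, so "recover account" is refused once a user is logged in and "change password" is refused before login. The `Session`, `Account` and `ACCOUNTS` names and the sample account are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    """Hypothetical session state of the app; not the project's own class."""
    logged_in: bool = False
    user: Optional[str] = None

@dataclass
class Account:
    username: str
    password: str
    recovery_answer: str

# Constructed sample account store for the example.
ACCOUNTS = {"alice": Account("alice", "old-pw", "blue")}

# Which session state each command may run in. This is the gate the issue
# proposes: recovery only when logged out, password change only when logged in.
COMMAND_STATE = {
    "recover account": "logged_out",
    "change password": "logged_in",
}

def allowed(command: str, session: Session) -> bool:
    state = "logged_in" if session.logged_in else "logged_out"
    return COMMAND_STATE.get(command) == state

def run(command: str, session: Session, **args) -> str:
    """Dispatch a command, refusing it when the session state does not fit."""
    if not allowed(command, session):
        where = "logged in" if session.logged_in else "logged out"
        return f"error: '{command}' is not available while {where}"
    if command == "recover account":
        # Logged-out path: prove ownership via the recovery answer first.
        acct = ACCOUNTS.get(args["username"])
        if acct is None or acct.recovery_answer != args["answer"]:
            return "error: recovery check failed"
        acct.password = args["new_password"]
        return "password reset"
    if command == "change password":
        # Logged-in path: re-check the current password before replacing it.
        acct = ACCOUNTS[session.user]
        if acct.password != args["current_password"]:
            return "error: current password incorrect"
        acct.password = args["new_password"]
        return "password changed"
    return f"error: unknown command '{command}'"
```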