[ https://issues.apache.org/jira/browse/JSPWIKI-45?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12546128 ]
Andrew Jaquith commented on JSPWIKI-45:
---------------------------------------
Agreed. This isn't blocking 2.6, though; it is something we should fix in 3.0
for sure.
> Password change process should require old password
> ---------------------------------------------------
>
> Key: JSPWIKI-45
> URL: https://issues.apache.org/jira/browse/JSPWIKI-45
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication&Authorization
> Affects Versions: 2.4.104, 2.5.139-beta, 2.6.0
> Reporter: Janne Jalkanen
> Fix For: 3.0
>
>
> UserProfile.jsp does not require you to type in your old password to change
> the new password. This can be a problem if you inadvertently leave your
> computer open and someone gains access to it.
> I think the old password should probably be required to change the email
> address as well, or else it could be used to restore the backend.
> (From Ounce)
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
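
The check requested in the issue, sketched as an added example (not JSPWiki code and not from the reporter or commenter): a profile save that demands the current password whenever the password or the email address changes, while other fields stay editable without it. `ProfileUpdateGate`, `Account` and `saveProfile` are hypothetical names, and the PBKDF2 parameters are assumptions for the sketch.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Objects;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical stand-in for a profile store; not JSPWiki's own classes.
public class ProfileUpdateGate {
    static final class Account {
        String email;
        String fullName;
        byte[] salt = new byte[16];
        byte[] hash;
    }

    static byte[] derive(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    static void setPassword(Account a, String password) throws Exception {
        new SecureRandom().nextBytes(a.salt);
        a.hash = derive(password, a.salt);
    }

    // Applies the update and returns true, or returns false and changes nothing.
    static boolean saveProfile(Account a, String currentPassword, String newPassword,
                               String newEmail, String newFullName) throws Exception {
        boolean changesPassword = newPassword != null && !newPassword.isEmpty();
        boolean changesEmail = !Objects.equals(a.email, newEmail);
        if (changesPassword || changesEmail) {
            // Sensitive change: an open session alone is not enough, re-authenticate.
            if (currentPassword == null || currentPassword.isEmpty()) return false;
            // Constant-time comparison of the derived hashes.
            if (!MessageDigest.isEqual(derive(currentPassword, a.salt), a.hash)) return false;
        }
        a.fullName = newFullName;
        a.email = newEmail;
        if (changesPassword) setPassword(a, newPassword);
        return true;
    }

    public static void main(String[] args) throws Exception {
        Account a = new Account();
        a.email = "user@example.org";            // constructed sample data
        setPassword(a, "old-secret");
        // Display-name edit only, then password and email changes with and without the old password.
        System.out.println(saveProfile(a, null, null, "user@example.org", "New Name"));
        System.out.println(saveProfile(a, null, "new-secret", "user@example.org", "New Name"));
        System.out.println(saveProfile(a, "wrong", null, "other@example.org", "New Name"));
        System.out.println(saveProfile(a, "old-secret", "new-secret", "other@example.org", "New Name"));
    }
}
```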