Because of the fact a user can SSO in and so they do not have a valid password in Mahara itself we can't force them to re-enter their password to do the following:
1. Changing your username 2. Changing your primary email address (because this can make it impossible to recover your password) 3. Deleting your own account However we now have some more security around 2. Changing your primary email - we now have a check where when a new email address is being added to the account the existing email addresses get sent a 'heads up' message about the new email address. 3. Deleting your own account - we now have the ability to set a site setting where users deleting their accounts go to a pending confirmation queue which admins need to verify As for 1. Changing your username we could send email to user's accounts as a 'heads up' for this as well -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara: Confirmed Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
