[Mahara-contributors] [Bug 1422492] Re: Mahara doesn't ask you for your password before deleting your account or changing your username
** Changed in: mahara Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara: Fix Committed Status in Mahara 18.10 series: Fix Committed Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1422492] Re: Mahara doesn't ask you for your password before deleting your account or changing your username
** Also affects: mahara/18.10 Importance: Undecided Status: New ** Changed in: mahara/18.10 Milestone: None => 18.10.0 ** Changed in: mahara/18.10 Importance: Undecided => Medium ** Changed in: mahara/18.10 Status: New => Fix Committed -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara: Fix Committed Status in Mahara 18.10 series: Fix Committed Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1422492] Re: Mahara doesn't ask you for your password before deleting your account or changing your username
** Changed in: mahara Status: Confirmed => In Progress -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara: In Progress Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1422492] Re: Mahara doesn't ask you for your password before deleting your account or changing your username
Because of the fact a user can SSO in and so they do not have a valid password in Mahara itself we can't force them to re-enter their password to do the following: 1. Changing your username 2. Changing your primary email address (because this can make it impossible to recover your password) 3. Deleting your own account However we now have some more security around 2. Changing your primary email - we now have a check where when a new email address is being added to the account the existing email addresses get sent a 'heads up' message about the new email address. 3. Deleting your own account - we now have the ability to set a site setting where users deleting their accounts go to a pending confirmation queue which admins need to verify As for 1. Changing your username we could send email to user's accounts as a 'heads up' for this as well -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara: Confirmed Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1422492] Re: Mahara doesn't ask you for your password before deleting your account or changing your username
** CVE added: https://cve.mitre.org/cgi- bin/cvename.cgi?name=2017-1000141 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara: Confirmed Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1422492] Re: Mahara doesn't ask you for your password before deleting your account or changing your username
A problem here is if the user logged in via SSO they don't have/know a password in Mahara ** Changed in: mahara Milestone: 17.10.0 => 18.04.0 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara: Confirmed Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1422492] Re: Mahara doesn't ask you for your password before deleting your account or changing your username
** Changed in: mahara Milestone: 17.04.0 => None ** Changed in: mahara Milestone: None => 17.10.0 ** Changed in: mahara Importance: Low => Medium -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara: Confirmed Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1422492] Re: Mahara doesn't ask you for your password before deleting your account or changing your username
** Changed in: mahara Milestone: 16.10.1 => 17.04.0 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara: Confirmed Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1422492] Re: Mahara doesn't ask you for your password before deleting your account or changing your username
** Changed in: mahara Milestone: 16.10.0 => 16.10.1 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara: Confirmed Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1422492] Re: Mahara doesn't ask you for your password before deleting your account or changing your username
** Changed in: mahara Milestone: 16.04.0 => 16.10.0 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara: Confirmed Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1422492] Re: Mahara doesn't ask you for your password before deleting your account or changing your username
** Changed in: mahara Milestone: 15.10.0 => 16.04.0 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara: Confirmed Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1422492] Re: Mahara doesn't ask you for your password before deleting your account or changing your username
Indeed, if we wanted to be more secure, we could consider asking for password, and/or sending out email notifications, when certain user actions take place. I think maybe a good rule of thumb, is any action that can prevent you from being able to log in. So that would be: 1. Changing your password (we already ask for your current password for this) 2. Changing your username 3. Changing your primary email address (because this can make it impossible to recover your password) 4. Deleting your own account ** Changed in: mahara Status: New = Confirmed ** Changed in: mahara Importance: Undecided = Low ** Changed in: mahara Milestone: None = 15.10.0 ** Information type changed from Private Security to Public Security ** Tags added: snack-sized -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1422492 Title: Mahara doesn't ask you for your password before deleting your account or changing your username Status in Mahara ePortfolio: Confirmed Bug description: These, especially the first, seem like dangerous operations. Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1422492/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp