https://bugzilla.wikimedia.org/show_bug.cgi?id=27060
Summary: Users should be asked for their passwords when setting new email addresses Product: MediaWiki Version: 1.16.1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: Normal Component: User preferences AssignedTo: wikibugs-l@lists.wikimedia.org ReportedBy: liang...@gmail.com CC: agarr...@wikimedia.org I assume our check for old password in Special:Resetpass is for prevent the case that I change someone's password when I'm using his computer and he didn't log out his account. However our allowance for setting a new email address without typing password again makes this check useless. Since I can change/set his email address to mine, and request a new password. In this way I can get his account without knowing his old password. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l