Password can be changed with only cookie authentication
Bug #829836 reported by William Grant
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Fix Released | High | Tom Wardill |
Bug Description
SSO permits me to change my password without asking for the old one. This is pretty universally regarded as seriously bad practice.
Related branches
lp:~twom/canonical-identity-provider/confirm-password-before-changing
- Daniel Manrique (community): Approve
- Maximiliano Bertacchini: Approve
Diff: 338 lines (+98/-8), 6 files modified:
- src/identityprovider/forms.py (+18/-2)
- src/identityprovider/tests/sso_server/test_home_page.py (+1/-0)
- src/identityprovider/tests/test_forms.py (+23/-3)
- src/identityprovider/tests/test_views_server.py (+3/-1)
- src/webui/templates/widgets/passwords.html (+15/-0)
- src/webui/tests/test_views_account.py (+38/-2)
lp:~twom/canonical-identity-provider/confirm-password-before-deleting
- Maximiliano Bertacchini: Approve
- Daniel Manrique (community): Approve
Diff: 142 lines (+61/-10), 6 files modified:
- src/identityprovider/forms.py (+14/-1)
- src/identityprovider/static/css/all.css (+1/-1)
- src/identityprovider/static_src/css/ubuntuone.css (+6/-0)
- src/webui/templates/account/delete.html (+9/-1)
- src/webui/tests/test_views_account.py (+23/-1)
- src/webui/views/account.py (+8/-6)
Changed in canonical-identity-provider:
- status: New → Confirmed
- importance: Undecided → High
- visibility: private → public

Changed in canonical-identity-provider:
- assignee: nobody → Tom Wardill (twom)

Changed in canonical-identity-provider:
- status: Confirmed → In Progress

Changed in canonical-identity-provider:
- status: In Progress → Fix Committed

Changed in canonical-identity-provider:
- status: Fix Committed → Fix Released
I agree, best practices dictate that changing your password is something that should reauthenticate you to prevent malicious apps or scripts from silently changing it.
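The re-authentication step the bug asks for, shown as an added example in plain Python that is not code from the canonical-identity-provider branches above: the vulnerable handler trusts the session alone, while the hardened handler verifies the current password (constant-time compare against a salted PBKDF2 hash, a hypothetical storage scheme chosen for the example) before accepting a new one.

```python
import hashlib
import hmac
import os

# Constructed, in-memory stand-in for the SSO user record.  The real project
# stores accounts in Django models; this scheme is an assumption for the demo.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time check of a candidate password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, password):
        self.salt, self.digest = hash_password(password)


def change_password_cookie_only(account, new_password):
    # Vulnerable behaviour from the report: holding a valid session cookie is
    # enough, so a script riding the session can silently rotate the password.
    account.salt, account.digest = hash_password(new_password)
    return {}


def change_password_with_confirmation(account, current_password, new_password):
    # Hardened behaviour: the caller must prove knowledge of the current
    # password before it is replaced.  Returns a form-style errors dict.
    errors = {}
    if not verify_password(current_password, account.salt, account.digest):
        errors["current_password"] = "Current password is incorrect."
    if len(new_password) < 8:
        errors["new_password"] = "New password is too short."
    if errors:
        return errors
    account.salt, account.digest = hash_password(new_password)
    return {}
```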