Mahara doesn't ask you for your password before changing your username
Bug #1422492 reported by Aaron Barnes
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Medium | Unassigned |
18.10 | Fix Released | Medium | Unassigned |
Bug Description
These, especially the first, seem like dangerous operations.
Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in.
Changed in mahara:
milestone: 15.10.0 → 16.04.0
Changed in mahara:
milestone: 16.04.0 → 16.10.0
Changed in mahara:
milestone: 16.10.0 → 16.10.1
Changed in mahara:
milestone: 16.10.1 → 17.04.0
Changed in mahara:
milestone: 17.04.0 → none
milestone: none → 17.10.0
importance: Low → Medium
Changed in mahara:
status: Confirmed → In Progress
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
Indeed, if we wanted to be more secure, we could consider asking for the password, and/or sending out email notifications, when certain user actions take place. I think maybe a good rule of thumb is any action that can prevent you from being able to log in. So that would be:
1. Changing your password (we already ask for your current password for this)
2. Changing your username
3. Changing your primary email address (because this can make it impossible to recover your password)
4. Deleting your own account
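
The rule of thumb in the comment above, sketched as an added example; it is not part of the comment and not Mahara's code. The `Account` class, the `perform` function, the action names, and the in-memory `outbox` are hypothetical, and sending the notification to the address on record before the change is an assumption of this sketch.

```python
import hashlib
import hmac
import os

# The four actions from the list above: each can stop the owner logging in again.
LOCKOUT_ACTIONS = {"change_password", "change_username",
                   "change_primary_email", "delete_account"}

def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    def __init__(self, username, email, password):
        self.username, self.email, self.bio = username, email, ""
        self.salt, self.pw_hash = hash_password(password)
        self.deleted = False
        self.outbox = []  # hypothetical stand-in for a mail queue: (recipient, subject)

def verify_password(account, candidate):
    _, digest = hash_password(candidate, account.salt)
    return hmac.compare_digest(digest, account.pw_hash)  # constant-time comparison

def perform(account, action, current_password=None, **args):
    """Apply an action for an already logged-in session; return True if it was applied."""
    sensitive = action in LOCKOUT_ACTIONS
    # A valid session is not enough: fail closed unless the current password is re-entered.
    if sensitive and not (current_password and verify_password(account, current_password)):
        return False
    notify_to = account.email  # address on record before any change
    if action == "change_username":
        account.username = args["new_username"]
    elif action == "change_primary_email":
        account.email = args["new_email"]
    elif action == "change_password":
        account.salt, account.pw_hash = hash_password(args["new_password"])
    elif action == "delete_account":
        account.deleted = True
    elif action == "update_bio":  # ordinary edit: no re-authentication
        account.bio = args["bio"]
    else:
        raise ValueError(f"unknown action: {action}")
    if sensitive:
        account.outbox.append((notify_to, f"Account change: {action}"))
    return True
```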