Because of the fact that a user can SSO in, and so they do not have a valid password in Mahara itself, we can't force them to re-enter their password to do the following:
1. Changing your username
2. Changing your primary email address (because this can make it impossible to recover your password)
3. Deleting your own account
However, we now have some more security around:
2. Changing your primary email - we now have a check where, when a new email address is being added to the account, the existing email addresses get sent a 'heads up' message about the new email address.
3. Deleting your own account - we now have the ability to set a site setting where users deleting their accounts go to a pending confirmation queue which admins need to verify.
As for
1. Changing your username
we could send email to user's accounts as a 'heads up' for this as well.