[wp-trac] [WordPress Trac] #20140: Ask old password to change user password
WordPress Trac
noreply at wordpress.org
Thu Aug 15 22:47:29 UTC 2013
#20140: Ask old password to change user password
-------------------------------------------------+-------------------------
 Reporter:  nprasath002                          |      Owner:  tman4506
     Type:  feature request                      |     Status:  accepted
 Priority:  normal                               |  Milestone:  Awaiting Review
Component:  Security                             |    Version:
 Severity:  normal                               | Resolution:
 Keywords:  has-patch dev-feedback needs-refresh |
-------------------------------------------------+-------------------------
Changes (by iandunn):
* cc: ian.dunn@… (added)
* keywords: has-patch dev-feedback => has-patch dev-feedback needs-refresh
Comment:
+1

This was initially rejected in #4444, but I still think it's a good idea.
Most authentication systems employ this feature. Otherwise, an attacker
could just walk up to a laptop while the owner isn't looking and change
the password. It's easy to implement and doesn't place an unreasonable
burden on the user.

One of the reasons it was rejected was that "Someone with such access
could install a backdoor, create a new user, or do any number of other
things to engineer future access", but that assumes the current user is an
Admin. They could be an Editor or other role.

Looks like the patch needs to be refreshed (and generated from / instead
of /wp-admin).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20140#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software