
Conversation

@tobiasbu

Closes #15569

Hey, first PR here,

This PR is a possible solution for issue #15569.
Basically, I added a comparison method in the server that checks the current password hash against the new password digest.
In the client, when the user performs a profile update in My Account > Profile, the 'comparison function' is called.

This happens before opening the password confirmation modal window:

  • request to the server if the new password is not the same as the previous one
  • if yes, opens the confirmation window
  • otherwise, throw a toast error

@CLAassistant

CLAassistant commented Oct 25, 2019

CLA assistant check
All committers have signed the CLA.

@ggazzo ggazzo added this to the 2.3.0 milestone Nov 14, 2019
@rodrigok
Member

Hi @tobiasbu thanks for your contribution.

I agree with this new verification step, but it should be the responsibility of the server side only.

Can you move the check here?

@rodrigok rodrigok modified the milestones: 2.3.0, 3.0.0 Dec 22, 2019
@ashwaniYDV
Contributor

ashwaniYDV commented Jan 26, 2020

@rodrigok I think the main problem is to prevent the user from setting the same initial password when an admin requests them to change their password (due to some security reasons). I think this PR does not solve it. It only prevents the user from setting the same previous password while editing their profile, which is not a security threat. A user may set the same password from the profile but has to set a different password if an admin forces them to do so.

@engelgabriel engelgabriel modified the milestones: 3.0.0, 3.1.0 Mar 17, 2020
@engelgabriel engelgabriel modified the milestones: 3.1.0, 3.2.0 Apr 20, 2020
@rodrigok
Member

rodrigok commented May 7, 2020

Closed in favor of #16331

@rodrigok rodrigok closed this May 7, 2020


Development

Successfully merging this pull request may close these issues.

Change password should not accept the current user password.

6 participants