Need for Current Password

It seems that people with the SuperUser or AdminUsers right have to
enter their current password to change the password of someone else …
this seems very unusual to me?
(same problem with new user creation)

Also, there seems to be a side effect with RT::Authen::ExternalAuth. If
it’s configured with both external and internal users, it is impossible
for an external user with the appropriate right to set a password for an
internal user.

It seems that people with the SuperUser or AdminUsers right have to
enter their current password to change the password of someone else …
this seems very unusual to me?
(same problem with new user creation)

It makes sure someone doesn’t walk up to your PC and do something nasty
when you’re getting coffee. :) Mind you, there are worse things they
could do. It also makes sure you don’t accidentally change someone’s
password when updating their profile.

Also, there seems to be a side effect with RT::Authen::ExternalAuth. If
it’s configured with both external and internal users, it is impossible
for an external user with the appropriate right to set a password for an
internal user.

It’s probably only checking your internal password, which may or may not
be set.

Jeff

It seems that people with the SuperUser or AdminUsers right have to
enter their current password to change the password of someone else …
this seems very unusual to me?
(same problem with new user creation)

This prevents an attacker from (possibly) being able to change another
user’s password using an Admin’s cookie/session. Similarly, for a
normal user, it prevents the user’s password from being changed
without typing their current password.

Also, there seems to be a side effect with RT::Authen::ExternalAuth. If
it’s configured with both external and internal users, it is impossible
for an external user with the appropriate right to set a password for an
internal user.

There is code that certainly tries to handle this, and uses IsPassword
which RT-Authen-ExternalAuth overrides. The original code for this
feature was rototilled specifically to think about external auth
users.

If you can track down more of what is going on, it is probably
something that requires RT-Authen-ExternalAuth patching rather than
core patching.

-kevin

This prevents an attacker from (possibly) being able to change another
user’s password using an Admin’s cookie/session.

so this attacker cannot change the user password, but can do everything
else …

Similarly, for a normal user, it prevents the user’s password from
being changed without typing their current password.

for a “normal user”, why not, it’s a common practice.

Also, there seems to be a side effect with RT::Authen::ExternalAuth. If
it’s configured with both external and internal users, it is impossible
for an external user with the appropriate right to set a password for an
internal user.

There is code that certainly tries to handle this, and uses IsPassword
which RT-Authen-ExternalAuth overrides. The original code for this
feature was rototilled specifically to think about external auth
users.

I saw this :)

If you can track down more of what is going on, it is probably
something that requires RT-Authen-ExternalAuth patching rather than
core patching.

Sure, I will try to track this down next week. Once the problem is
identified I will open a bug in the right bug tracker ;)

If you can track down more of what is going on, it is probably
something that requires RT-Authen-ExternalAuth patching rather than
core patching.

Sure, I will try to track this down next week. Once the problem is
identified I will open a bug in the right bug tracker ;)

RT-Authen-ExternalAuth should be updated to override User::IsPassword
and CurrentUserRequireToSetPassword.

https://rt.cpan.org/Ticket/Display.html?id=58378
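The policy discussed in this thread, as an added Python model that is not RT or RT-Authen-ExternalAuth code: the actor must prove their own current password before changing anyone's password, the core `is_password` check only knows the internal hash (so an external-only admin can never pass it), and an ExternalAuth-style subclass that overrides `is_password` removes that side effect. Class and method names are loose analogues of the RT::User methods named above, and the external directory is a constructed stand-in for a backend such as LDAP.

```python
import hashlib
import hmac
import os


class ExternalDirectory:
    """Constructed stand-in for the external auth backend (plaintext map, demo only)."""
    def __init__(self, creds):
        self._creds = creds

    def check(self, name, password):
        return hmac.compare_digest(self._creds.get(name, "").encode(), password.encode())


class User:
    """Core-style user: password verification only ever consults the internal hash."""
    def __init__(self, name, internal_password=None, external=False):
        self.name, self.external = name, external
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(internal_password) if internal_password else None

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def is_password(self, candidate):
        # An external user typically has no internal password, so this always fails for them.
        if self.pw_hash is None:
            return False
        return hmac.compare_digest(self.pw_hash, self._hash(candidate))


class ExternalAuthUser(User):
    """The override the thread asks for: verify external users against their directory."""
    directory = None  # set by the caller before use

    def is_password(self, candidate):
        if self.external and self.directory is not None:
            return self.directory.check(self.name, candidate)
        return super().is_password(candidate)


def set_password(actor, target, actor_current_password, new_password, has_admin_right):
    """Re-authentication rule: the actor types *their own* current password, whether
    changing their own password or (with the admin right) someone else's. This is what
    blocks a stolen admin session from resetting other users' passwords."""
    if actor is not target and not has_admin_right:
        return (False, "permission denied")
    if not actor.is_password(actor_current_password):
        return (False, "current password incorrect")
    target.salt = os.urandom(16)
    target.pw_hash = target._hash(new_password)
    return (True, "password changed")
```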