This prevents an attacker from (possibly) being able to change another
user’s password using an Admin’s cookie/session.
so this attacker cannot change the user password, but can do everything
Similarly, for a normal user, it prevents the user’s password from
being changed without typing their current password.
for a “normal user”, why not, it’s a common practice.
Also, there seems to be a side effect with RT::Authen::ExternalAuth. If
it’s configured with both external and internal users, it is impossible
for an external user with the appropriate right to set a password for an
There is code that certainly tries to handle this, and uses IsPassword
which RT-Authen-ExternalAuth overrides. The original code for this
feature was rototilled specifically to think about external auth
I saw this
If you can track down more of what is going on, it is probably
something that requires RT-Authen-ExternalAuth patching rather than
Sure, I will try to track this down next week. Once the problem is
identified, I will open a bug in the right bug report