The account settings page allows to change the user's password without entering the old password. This could be used by a malicious person to hijack another's account by changing his/her password, either by direct access to the computer used to access the site (while the user is still logged-in), or after hijacking the session id.

We should probably require the user to enter his/her old password before entering a new one.

Comments

magico’s picture

Version: 4.6.4 » x.y.z
Component: base system » user.module
rvk’s picture

I would like to add that it would be nice if it entering the current password would also be required to change the e-mail address (and perhaps other profile info as well?). Since otherwise a malicious person would still be able to render someones account useless

Wolfflow’s picture

Assigned: Unassigned » Wolfflow

would like to add to User management setting a box wich will automatically give to a TEST-User account made by Administrator few basically default functionality and in the same time lock password changing and email change. This will be usefull for Drupal Testing installation around all Drupal Site registered with Drupal-Server acces verification. Even all Drupal Community will get advantages and spread testing environments all around. Maybe this can also be helpfull for debugging purposes.

Wolfflow’s picture

Version: x.y.z » 5.0
Status: Active » Closed (fixed)

There are know a lot of contributed Modules that can figure out exactly what described above.
some:

  1. Apply for Role
  2. Registration Role
  3. etc ....