You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@fineract.apache.org by "Michael Vorburger (Jira)" <ji...@apache.org> on 2019/12/12 08:12:00 UTC
[jira] [Commented] (FINERACT-516) Add current password field to
prevent unauthorized users from changing password of the current user #2428
[ https://issues.apache.org/jira/browse/FINERACT-516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16994359#comment-16994359 ]
Michael Vorburger commented on FINERACT-516:
--------------------------------------------
From what I understand of https://github.com/openMF/community-app/issues/2428 and from a quick review of the above PR, I think what we would want to do here is to SEND the user's proposed current password in an additional field of the REQUEST to send a user's password, so that the back-end code can double check it? We would however NEVER want to RETURN the user's current password from the back-end to any front-ends in any API RESPONSE, agreed? But the propose PR (#639), from what little I understand, seems to propose to add currentPassword to RESPONSE_DATA_PARAMETERS in UsersApiResource.java - is that right?
It would also be good to have an integration test covering for this in that PR.
> Add current password field to prevent unauthorized users from changing password of the current user #2428
> ---------------------------------------------------------------------------------------------------------
>
> Key: FINERACT-516
> URL: https://issues.apache.org/jira/browse/FINERACT-516
> Project: Apache Fineract
> Issue Type: Improvement
> Components: User Management
> Reporter: Santosh Math
> Assignee: Markus Geiss
> Priority: Major
> Labels: gsoc, p2
> Attachments: 29419719-81d3d36a-8378-11e7-9ad4-20074c6627cd.png
>
>
> Reported by Nenge1
> Link,
> Mifos dropdown->profile>change password (check the screenshot)
> Allowing user to enter only new password increase vulnerability because the username is visible.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)