Moodle / MDL-70177

Require re-authentication when users make changes to sensitive profile information or account settings


    • MOODLE_311_STABLE

      Currently we require re-entering of the existing password before changing it, but in line with OWASP recommendations, any other sensitive user information updates should also require re-authentication.

      An obvious case where this should be implemented (but isn't currently) is user email address changes.  We should investigate whether any other fields are relevant, though I think as a minimum this should be implemented for email address.

      This should also be the case for account deletion requests.

            Unassigned Unassigned
            michaelh Michael Hawkins