Moodle tracker: MDL-70177

Require re-authentication when users make changes to sensitive profile information or account settings


    Details

    • Affected Branches:
      MOODLE_311_STABLE

      Description

      Currently we require re-entering the existing password before changing it, but in line with OWASP recommendations, any other sensitive user information updates should also require re-authentication.

      An obvious case where this should be implemented (but isn't currently) is user email address changes. We should investigate whether any other fields are relevant, though I think as a minimum this should be implemented for email address.

      This should also be the case for account deletion requests.
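The pattern the request describes, as an added example that is not Moodle code: a per-session "recent password confirmation" timestamp gates the two sensitive actions named above (email change and account deletion). The freshness window, the `Account`/`session` shapes and the PBKDF2 parameters are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy: a confirmed password stays "fresh" for five minutes.
REAUTH_MAX_AGE = 5 * 60


class ReauthRequired(Exception):
    """Raised when a sensitive change is attempted without a recent password confirmation."""


def _hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    # Illustrative PBKDF2 parameters; a real deployment uses its own hashing policy.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt, self.pw_hash = _hash_password(password)
        self.deleted = False


def reauthenticate(acct: Account, session: dict, password: str, now: float) -> bool:
    """Verify the password and record the confirmation time in this session only."""
    _, candidate = _hash_password(password, acct.salt)
    if hmac.compare_digest(candidate, acct.pw_hash):
        session["password_confirmed_at"] = now
        return True
    return False


def is_recently_authenticated(session: dict, now: float) -> bool:
    confirmed = session.get("password_confirmed_at")
    return confirmed is not None and now - confirmed <= REAUTH_MAX_AGE


def _require_recent_auth(session: dict, now: float) -> None:
    if not is_recently_authenticated(session, now):
        raise ReauthRequired("confirm your password before changing account settings")


def change_email(acct: Account, session: dict, new_email: str, now: float) -> None:
    _require_recent_auth(session, now)  # gate: email change is a sensitive update
    acct.email = new_email


def request_deletion(acct: Account, session: dict, now: float) -> None:
    _require_recent_auth(session, now)  # gate: deletion needs the same confirmation
    acct.deleted = True
```

Because the timestamp lives in the session rather than on the account, a second session (or a hijacked one) cannot reuse a confirmation made elsewhere.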


              People

              Assignee:
              Unassigned
              Reporter:
              Michael Hawkins (michaelh)
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
              Votes:
              0
              Watchers:
              2
