Type: Improvement
Resolution: Unresolved
Priority: Minor
Affects Version: 3.11
Affected Branches: MOODLE_311_STABLE
Currently we require re-entering the existing password before changing it, but in line with OWASP recommendations, any other sensitive user information updates should also require re-authentication.
An obvious case where this should be implemented (but isn't currently) is user email address changes. We should investigate whether any other fields are relevant, though I think as a minimum this should be implemented for email address.
This should also be the case for account deletion requests.
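The kind of gate the description asks for, as an added plain-PHP sketch: this is not Moodle code and not the require_recent_login() proposed in MDL-66172, only an illustration of the check. The session key auth_time, the helper names is_recently_authenticated() and apply_profile_update(), the five-minute window and the list of sensitive fields are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Moodle code: a "recent login" gate for sensitive profile updates.
// Hypothetical assumptions: the login handler stores the Unix time of the last
// successful password entry in $session['auth_time'], and the stored password is a
// password_hash() hash. Both names are invented for this illustration.

const RECENT_LOGIN_WINDOW = 5 * 60;                     // seconds an authentication stays "fresh"
const SENSITIVE_FIELDS    = ['email', 'password', 'delete_account'];

function is_recently_authenticated(array $session, int $now, int $window = RECENT_LOGIN_WINDOW): bool
{
    $authTime = $session['auth_time'] ?? null;
    // A missing, non-integer or future timestamp never counts as recent.
    return is_int($authTime) && $authTime <= $now && ($now - $authTime) <= $window;
}

/**
 * Let the request through if the user authenticated recently; otherwise demand the
 * current password, and refresh the timestamp only after it verifies.
 */
function require_recent_login(array &$session, int $now, ?string $suppliedPassword, string $storedHash): void
{
    if (is_recently_authenticated($session, $now)) {
        return;
    }
    if ($suppliedPassword === null || !password_verify($suppliedPassword, $storedHash)) {
        throw new RuntimeException('Re-authentication required for this change');
    }
    $session['auth_time'] = $now;
}

/**
 * Apply $changes to $user. Any change touching a sensitive field is gated by
 * require_recent_login(); harmless fields (e.g. city) are not.
 */
function apply_profile_update(array $user, array $changes, array &$session, int $now, ?string $suppliedPassword): array
{
    if (array_intersect(array_keys($changes), SENSITIVE_FIELDS) !== []) {
        require_recent_login($session, $now, $suppliedPassword, $user['password_hash']);
    }
    foreach ($changes as $field => $value) {
        if ($field === 'password') {
            $user['password_hash'] = password_hash($value, PASSWORD_DEFAULT);
        } elseif ($field === 'delete_account') {
            $user['deleted'] = (bool) $value;
        } else {
            $user[$field] = $value;
        }
    }
    return $user;
}

// Constructed demo data: the session authenticated an hour ago, so it is stale.
$now     = time();
$user    = ['email' => 'alice@example.org', 'city' => 'Perth',
            'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)];
$session = ['auth_time' => $now - 3600];

// 1. Non-sensitive change: no password needed.
$user = apply_profile_update($user, ['city' => 'Hobart'], $session, $now, null);
echo "city -> {$user['city']}\n";

// 2. Email change without the current password: rejected before anything is written.
try {
    apply_profile_update($user, ['email' => 'attacker@example.net'], $session, $now, null);
} catch (RuntimeException $e) {
    echo "email change blocked: {$e->getMessage()}\n";
}

// 3. Same change with the correct password: accepted, and auth_time is refreshed.
$user = apply_profile_update($user, ['email' => 'alice@example.net'], $session, $now, 'correct horse');
echo "email -> {$user['email']}\n";

// 4. An account deletion request a minute later rides on the refreshed timestamp.
$user = apply_profile_update($user, ['delete_account' => true], $session, $now + 60, null);
echo 'deleted: ' . var_export($user['deleted'], true) . "\n";
```

Two points the sketch relies on: auth_time must only ever be set by an actual password (or equivalent) check, so a session restored from a "remember me" cookie must not refresh it, or the gate is bypassed by anyone holding that cookie; and the rejection in step 2 happens before any field is written, so a failed re-authentication cannot leave a half-applied update.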
Has to be finished together with: MDL-66172 Add require_recent_login() for higher security pages (Development in progress)