[openstreetmap/openstreetmap-website] Require current password before accepting a new password (#2144)

mmd notifications at github.com
Sat Feb 16 16:44:22 UTC 2019


Some sites ask a user to go through a "forget password" first in case they previously signed up using a third party auth provider and lack a dedicated password for the site.

That forget password function would then send an email to the user, asking them to set a new password. All other changes in the settings dialog should always ask for that current password, irrespective of the login method in use (third party social or password). The good thing is that we already have a forget password function, and it would probably solve a lot of hassle with any kind of third party providers - the logon mechanism simply becomes irrelevant when it comes to changing your settings.

Example from coverity.com:

![password_forget](https://user-images.githubusercontent.com/5842757/52902456-3f56d980-3211-11e9-8e57-95d1b8072ea3.png)

Re changing the password: I wonder if it would make sense to de-authenticate all OAuth clients as well, as they would otherwise still have access in the user's name. Maybe some kind of recommendation text to manually remove OAuth clients would be a good first step, though.



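A sketch of the flow proposed in the comment above, as an added example that is not part of the original comment and is not openstreetmap-website code. The `Account` class and its method names are hypothetical, and clearing the OAuth tokens on every password change is an assumption taken from the comment's suggestion.

```ruby
require "openssl"
require "securerandom"

# Hypothetical in-memory account; names are illustrative, not the project's models.
class Account
  attr_reader :email, :oauth_tokens

  # password: nil models a sign-up through a third-party auth provider.
  def initialize(email, password: nil)
    @email = email
    @oauth_tokens = [] # constructed sample data: clients the user has authorized
    set_password(password) if password
  end

  # Every settings change asks for the current password, whatever the login method.
  def update_settings(current_password, email: nil, new_password: nil)
    return :reset_required unless @digest # no site password yet: use "forgot password"
    return :wrong_password unless secure_eq?(kdf(current_password.to_s), @digest)
    @email = email if email
    set_password(new_password) if new_password
    :ok
  end

  # "Forgot password": the token would be e-mailed to the user (not done here).
  def request_password_reset
    @reset_token = SecureRandom.urlsafe_base64(32)
  end

  def reset_password(token, new_password)
    return :invalid_token unless @reset_token && secure_eq?(token.to_s, @reset_token)
    @reset_token = nil # single use
    set_password(new_password)
    :ok
  end

  private

  def set_password(password)
    @salt = SecureRandom.random_bytes(16)
    @digest = kdf(password)
    @oauth_tokens.clear # assumption: a password change de-authenticates all OAuth clients
  end

  def kdf(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, @salt, 100_000, 32, OpenSSL::Digest.new("SHA256"))
  end

  # Comparison whose running time does not depend on where the inputs differ.
  def secure_eq?(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end
```

An account created without a password gets `:reset_required` from `update_settings` until it has completed the reset flow, which is the point at which the login method stops mattering.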