Change "change password" process to make user retype current password
Is your feature request related to a problem? Please describe.
If a user has a session open, anyone can change their password without typing current password.
Describe the solution you'd like
In the change password request, either have the mandatory field 'current password' to avoid any identify theft
Describe alternatives you've considered
Change password via Mail link ?
Does this issue could impact on users private data?
Yes , if shared computers or opened sessions, their password can be changed.
No funding available
This proposal has been accepted because:
Bug fixed via https://github.com/decidim/decidim/pull/11737
List of Endorsements
Report inappropriate content
Is this content inappropriate?