Anyone working on ticket #70? adding password confirmation


#1

This is the one where you have to type your current password before you
can create a new password.

I need this feature and I am almost done implementing it, there are some
edge conditions left to deal with though, like in the user engine, not
allowing the admin to change anyones password without confirming the
admin password (same reasons if the admin leaves the page logged in). I
guess that could be said of a lot of other admin funtions too, but it is
a start.

If no one else is working on it I’ll post a patch when I’m done.


#2

Please do work on it - patches are greatly appreciated.

  • james

On 3/29/06, Jim M. removed_email_address@domain.invalid wrote:

If no one else is working on it I’ll post a patch when I’m done.


Posted via http://www.ruby-forum.com/.


engine-developers mailing list
removed_email_address@domain.invalid
http://lists.rails-engines.org/listinfo.cgi/engine-developers-rails-engines.org

  • J *
    ~

#3

James A. wrote:

Please do work on it - patches are greatly appreciated.

  • james

On 3/29/06, Jim M. removed_email_address@domain.invalid wrote:

If no one else is working on it I’ll post a patch when I’m done.


Posted via http://www.ruby-forum.com/.


engine-developers mailing list
removed_email_address@domain.invalid
http://lists.rails-engines.org/listinfo.cgi/engine-developers-rails-engines.org

  • J *
    ~

Ok I attached two patches to ticket #70. I have tested it with User
Engine, but I cannot run a full regression test as I can’t get any of
the tests to run and pass (even without any patches!)

Basically it adds a password field in the _password.rhtml partial if the
request came from a user changing their own password, and adds the logic
to the controller to check that the existing password is correct if one
existed in the first place. This also works well with userengine, and
allows the admin to change another persons password without the need to
type in the existing password. I also added some error testing in the
controllers which were ignoring return errors.

However this opens up another security question as to whether the admin
should be prompted for their password before allowing any changes like
this. I think it could be made an optional configuration, I’ll look into
that next.