This is the one where you have to type your current password before you can create a new password. I need this feature and I am almost done implementing it, there are some edge conditions left to deal with though, like in the user engine, not allowing the admin to change anyones password without confirming the admin password (same reasons if the admin leaves the page logged in). I guess that could be said of a lot of other admin funtions too, but it is a start. If no one else is working on it I'll post a patch when I'm done.
on 2006-03-29 11:48
on 2006-03-29 11:51
Please do work on it - patches are greatly appreciated. - james On 3/29/06, Jim Morris <email@example.com> wrote: > If no one else is working on it I'll post a patch when I'm done. > > -- > Posted via http://www.ruby-forum.com/. > _______________________________________________ > engine-developers mailing list > firstname.lastname@example.org > http://lists.rails-engines.org/listinfo.cgi/engine... > -- * J * ~
on 2006-03-30 02:19
James Adam wrote: > Please do work on it - patches are greatly appreciated. > > - james > > On 3/29/06, Jim Morris <email@example.com> wrote: >> If no one else is working on it I'll post a patch when I'm done. >> >> -- >> Posted via http://www.ruby-forum.com/. >> _______________________________________________ >> engine-developers mailing list >> firstname.lastname@example.org >> http://lists.rails-engines.org/listinfo.cgi/engine... >> > > > -- > * J * > ~ Ok I attached two patches to ticket #70. I have tested it with User Engine, but I cannot run a full regression test as I can't get any of the tests to run and pass (even without any patches!) Basically it adds a password field in the _password.rhtml partial if the request came from a user changing their own password, and adds the logic to the controller to check that the existing password is correct if one existed in the first place. This also works well with userengine, and allows the admin to change another persons password without the need to type in the existing password. I also added some error testing in the controllers which were ignoring return errors. However this opens up another security question as to whether the admin should be prompted for their password before allowing any changes like this. I think it could be made an optional configuration, I'll look into that next.