yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1237989] Re: user can update his password without knowing the old password

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1237989@xxxxxxxxxxxxxxxxxx>
Date: Mon, 14 Oct 2013 22:19:06 -0000
Reply-to: Bug 1237989 <1237989@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/50966
Committed: http://github.com/openstack/keystone/commit/3866991918beb818aa26aeab287a247f4732f6e7
Submitter: Jenkins
Branch:    milestone-proposed

commit 3866991918beb818aa26aeab287a247f4732f6e7
Author: Dolph Mathews <dolph.mathews@xxxxxxxxx>
Date:   Thu Oct 10 10:36:00 2013 -0500

    set user_update policy to admin_required
    
    This changes the default policy.json to prevent users from changing
    their own attributes such as password, name, or default_project_id.
    
    Closes-Bug: 1237989
    Change-Id: I7de5fff3d72a76b78113e289c57a9fac2096395f


** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1237989

Title:
  user can update his password without knowing the old password

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  a user logged into horizon can change his password without needing to
  type in the correct old password. It's just required to type in
  anything as the old password.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1237989/+subscriptions