[trendoman]

I searched and this appears to be an untouch issue.

2017-09-01-010736.png (32.18 KiB) Viewed 1264 times

This html form is being converted to CouchCMS, so it comes to do the 'old password' check.
Should I employ some php to do it? Like following form auth.php

Code: Select all

$check = $this->hasher->CheckPassword( $pwd, $user->password );

Or maybe it's best to completely ditch the old password field? I feel like it's okay to confirm that logged in user is indeed the one who wishes to establish a new password.

[KK]

There is nothing natively available in Couch at the moment that would do this check.
However, as you mentioned, it should be fairly straightforward for you to code a new 'filter' for it (don't forget to share it )

As for whether or not you should have this check, that is entirely the client's call.
I suppose they are trying to cover the case where the legitimate user walks away from her desktop while being logged-in and someone walking by changes the password in the mean while. Certainly not impossible but not sure about how probable.

[trendoman]

Thanks, I figured this out with the help of some old sample by @tim.