[sork] passwd-2.2 lock username?

Eric Rostetter eric.rostetter at physics.utexas.edu
Thu Jun 5 09:36:36 PDT 2003


Quoting Iain Pople <iain at webcentre.unimelb.edu.au>:

> The problem with a hidden field is that from a security point of view,
> someone could still try and change the password for a different user.

Yes, but they would need to know the password to that account.  If they
already know the username and password, they can change the account in
any number of ways....

> Would it be possible to include a check that ensures that the username
> they are trying to change matches up with the username they are logged
> in as?

Sure.  Just edit the driver (passwd/lib/Driver/*.php) you use to perform
whatever checks you want.

But it would be easier to change the main program to just use the login
username rather than any form data, then you wouldn't need any checks...

Or, if you are really paranoid, do both (change the main program, and add
checks).

> cheers, Iain.

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
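
The following is an added example, not part of the original message and not code from the passwd module. It sketches the "do both" option from the reply: the target account always comes from the login session, and a username submitted in the form is only compared against it. The function name, the `userid` field name and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decide which account a password-change request applies to.
 * Hypothetical helper, not part of passwd or Horde.
 *
 * $sessionUser is the name established at login (server-side state);
 * $form holds the submitted fields, which the client fully controls.
 */
function resolveTargetUser(?string $sessionUser, array $form): string
{
    if ($sessionUser === null || $sessionUser === '') {
        throw new RuntimeException('no authenticated session');
    }
    if (array_key_exists('userid', $form)) {
        $submitted = $form['userid'];
        // Reject non-string input (e.g. userid[]=x) and any name other
        // than the login. Strict comparison: no case folding or trimming.
        if (!is_string($submitted) || $submitted !== $sessionUser) {
            throw new RuntimeException('form username does not match login');
        }
    }
    // The form value is never returned: the driver only sees the session name.
    return $sessionUser;
}

// Constructed sample requests: [session username, submitted form fields].
$requests = [
    'own account'      => ['alice', ['userid' => 'alice', 'newpassword' => 'x']],
    'field omitted'    => ['alice', ['newpassword' => 'x']],
    'different user'   => ['alice', ['userid' => 'bob', 'newpassword' => 'x']],
    'non-string field' => ['alice', ['userid' => ['bob'], 'newpassword' => 'x']],
    'not logged in'    => [null, ['userid' => 'alice', 'newpassword' => 'x']],
];

foreach ($requests as $label => [$sessionUser, $form]) {
    try {
        $target = resolveTargetUser($sessionUser, $form);
        echo "$label: change password for $target\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Only the first two requests reach the password change; in both, the name handed on is the session's, so a hidden or locked form field no longer carries any authority.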

