By footpad on
Greetings,
I have just started exploring Drupal and noticed something in the account settings page.
Specifically, I noticed that you do not ask for the current password before letting the user change their current one. Isn't this a minor security weakness, e.g. you could step away from your keyboard for a moment, only to discover that your co-worker has played a prank on you by changing your password.
(OK, OK. It's a contrived example, but I hope you follow the idea.)
Thanks in advance...
-- f
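
The check the post asks about, sketched as an added example (not part of the original post and not Drupal's own code): a password change that succeeds only when the current password is supplied again, so an unattended logged-in session is not enough. The in-memory account record, the function names, and the `ITERATIONS` and `MAX_FAILURES` values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed PBKDF2 work factor for this sketch
MAX_FAILURES = 5       # assumed limit on wrong "current password" entries


class ReauthError(Exception):
    """Raised when the current-password check fails or is locked out."""


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def new_account(password):
    # Hypothetical in-memory account record (constructed for the example).
    salt = os.urandom(16)
    return {"salt": salt, "digest": _derive(password, salt), "failures": 0}


def verify_password(account, password):
    # Constant-time comparison of the derived key against the stored one.
    return hmac.compare_digest(_derive(password, account["salt"]), account["digest"])


def change_password(account, current_password, new_password):
    """Change the password only after re-proving knowledge of the old one.

    A logged-in session is not treated as sufficient: whoever is at the
    keyboard must supply the current password again.
    """
    if account["failures"] >= MAX_FAILURES:
        # Stops the form from becoming an unlimited password-guessing oracle.
        raise ReauthError("too many failed attempts")
    if not verify_password(account, current_password):
        account["failures"] += 1
        raise ReauthError("current password is incorrect")
    salt = os.urandom(16)
    account.update(salt=salt, digest=_derive(new_password, salt), failures=0)
```

The failure counter matters as much as the check itself: without it, the same form lets someone at an unlocked keyboard guess the current password repeatedly.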