Integrate with Password Change module

+1

I've attached password change screenshots from a couple popular services. They all implement this behavior.

subscribe

+1 and increasing the priority since this may be considered as security problem.

Any reasons why this has not been considered for the final 1.0 release?

This is implemented by the Password change confirm module (a back port of D7 functionality).

The module you have mentioned does not support the "Password change tab" sub module of this module. And it does NOT require the current password to change it, it just asks for the new password twice instead of once.

Password Policy is a backend module used to enforce password restrictions and manage forced expirations. There is nothing inherently UI-driven about this module.

Are you suggesting that we re-implement the functionality of the Password change confirm module inside Password Policy. It seems to me that this should be a patch to _that_ module to support an additional form ID. Modifying this module to add that field would be a substantially new feature (essentially absorbing this other module) or create a specific dependency on that module. Either way it doesn't seem like a reasonable fit.

I'd be glad to discuss this more, but I don't see this fitting in. You say Password Policy is "all about security", but that's an overgeneralized explanation and makes it sound like Password Policy should fill all security requirements around passwords. That's simply not the case.

I'm sorry, it totally skipped my mind that the normal password box requires the current password (I'm too accustomed to being an admin user). You're right.

Should be easy to patch - care to give it a shot?

Patch #12 works for non-admin users. However, admins (users having the permission "administer users") will NOT have to give their current password.

IMO, every user should have this requirement - regardless of her permissions. When you are logged in as admin, leave your computer while still being logged in, someone else could change the admin's password without knowing the current one. No good security.

After looking at the Password Change module, there are other edge cases that we would have to deal with here as well. By the time we implement all of those, this module would fully contain Password Change. Instead I've added direct integration between the 2 modules.

Please, can you make the Integrate with the Password change confirm module a separate issue? I cannot use that module due to that critical bug: #1215314: New users being asked to confirm password.

So it would still be useful to have the current password required by this (password_policy_password_tab) module, like the patch above, but not depending on permissions. You could check if the password_change module is enabled and only require the current password if it isn't enabled.

The major difference is my patch does not take into account one-time login links. This is a decent amount of code already provided by Password Change. It appears the patch to fix the Password Change Confirm module would be more trivial than making this module do the other checks provided by that module.

If we can fix their critical bug, can we leave this as an integration rather than duplication?

Agreed :-) Just tested your latest patch (#14), together with the "Password change confirm" module 6.x-1.1 and it works fine!

Just one minor issue after applying the patch (compare both attached screenshots): the word "account" now appears above the first new password field of the Password tab.

Sorry about that, lazy programming.

Thanks, #18 works perfectly for me!

What about the one failed test by the bot?

#18: password_policy-password_change_integration-491158-18.patch queued for re-testing.

It was a poorly written test. I've updated the tests so that they pass.

Fixed and committed.

http://drupalcode.org/project/password_policy.git/commit/74991de

Great, thanks!