Improvements to security flows #3646

Merged: dcramer merged 1 commit into master from security-improvements on Jul 6, 2016

dcramer (Member) commented Jul 5, 2016

  • Move mfa to Security settings under account
  • Require password confirmation on email change
  • Improve managed user flows
  • Remove feature flag for mfa

/cc @getsentry/infrastructure @getsentry/security


dcramer (Member, Author) commented Jul 5, 2016

Mostly a follow-up with more iteration, since just requiring password on password change isn't enough to prevent account hijack.

dcramer force-pushed the security-improvements branch from bf85ee8 to 2f56f5e on July 6, 2016 18:02

Comment thread src/sentry/web/forms/accounts.py Outdated

Contributor

Should this not be outdented?

dcramer force-pushed the security-improvements branch from 2f56f5e to d212000 on July 6, 2016 18:21

Comment thread src/sentry/web/forms/accounts.py Outdated

Contributor

Actually, now that it's outdented, I wonder why needs_password is not true by default.

Member Author

We only need to verify your current email if you can change your password or email address. If the email field is managed, we don't need to verify password.

- Move mfa to Security settings under account
- Require password confirmation on email change
- Improve managed user flows
- Remove feature flag for mfa
- Remove sudo on various account settings

/cc @getsentry/infrastructure @getsentry/security

dcramer force-pushed the security-improvements branch from d212000 to 1cdd20c on July 6, 2016 18:29

dcramer merged commit 5f46f6a into master on Jul 6, 2016

dcramer deleted the security-improvements branch on July 6, 2016 18:53

github-actions (bot) locked and limited conversation to collaborators on Dec 23, 2020