When changing password or email address, require to type old password #2932
If you leave Piwik open and logged in, anyone with access to the computer could change the email address or the password. Changing the email address would then allow the password to be "reset".
Therefore, as an extra security measure, we should require the old password in order to change the password or the email address.
When changing other settings, entering the password wouldn't be necessary.
Also, and this is important:
otherwise an attacker could easily write an XSS that calls the API to change the password and bypass the "Enter your password" protection.
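The rule described in this issue, as an added illustrative example (not Piwik's own code): the re-authentication check lives in one shared service layer, so the browser form and the API both go through it and a script calling the API cannot skip it. Only the sensitive fields (email, password) require the current password; other settings do not. The class and parameter names (`AccountService`, `currentPassword`, `passwordConfirmation`) are assumptions for this example, and the users, passwords and handlers are constructed inline.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Fields whose change requires the current password; everything else is a plain preference.
SENSITIVE_FIELDS = frozenset({"email", "password"})
PBKDF2_ITERATIONS = 100_000


class ReauthenticationRequired(Exception):
    """A sensitive field is being changed but no current password was supplied."""


class InvalidCurrentPassword(Exception):
    """A current password was supplied but does not match the stored hash."""


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class User:
    def __init__(self, login: str, email: str, password: str) -> None:
        self.login = login
        self.email = email
        self.preferences: Dict[str, str] = {}
        self.salt, self.password_hash = hash_password(password)

    def verify_password(self, candidate: str) -> bool:
        _, digest = hash_password(candidate, self.salt)
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(digest, self.password_hash)


class AccountService:
    """The single place where account settings change; every entry point calls it."""

    def __init__(self, users: Dict[str, User]) -> None:
        self.users = users

    def update_settings(self, login: str, changes: Dict[str, str],
                        current_password: Optional[str] = None) -> User:
        user = self.users[login]
        # Re-authentication is enforced here, not in the UI, so the API path is covered too.
        if SENSITIVE_FIELDS & changes.keys():
            if current_password is None:
                raise ReauthenticationRequired("email/password change needs the current password")
            if not user.verify_password(current_password):
                raise InvalidCurrentPassword("current password does not match")
        for field, value in changes.items():
            if field == "password":
                user.salt, user.password_hash = hash_password(value)
            elif field == "email":
                user.email = value
            else:
                user.preferences[field] = value
        return user


def _handle(service: AccountService, login: str, changes: Dict[str, str],
            current_password: Optional[str]) -> Tuple[int, str]:
    """Translate service outcomes into HTTP-style (status, message) responses."""
    try:
        service.update_settings(login, changes, current_password)
    except ReauthenticationRequired:
        return 403, "current password required"
    except InvalidCurrentPassword:
        return 401, "current password incorrect"
    return 200, "ok"


def form_handler(service: AccountService, session_login: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Browser settings form; 'currentPassword' is the hypothetical confirmation field."""
    changes = {k: v for k, v in form.items() if k != "currentPassword"}
    return _handle(service, session_login, changes, form.get("currentPassword"))


def api_handler(service: AccountService, token_login: str, params: Dict[str, str]) -> Tuple[int, str]:
    """API endpoint reached with the user's session or token; same check, same service."""
    changes = {k: v for k, v in params.items() if k != "passwordConfirmation"}
    return _handle(service, token_login, changes, params.get("passwordConfirmation"))


if __name__ == "__main__":
    users = {"alice": User("alice", "alice@example.com", "correct horse battery")}  # constructed
    svc = AccountService(users)
    print(form_handler(svc, "alice", {"language": "de"}))                       # (200, 'ok')
    print(api_handler(svc, "alice", {"email": "other@example.com"}))           # (403, ...)
    print(form_handler(svc, "alice", {"password": "new pass",
                                      "currentPassword": "correct horse battery"}))  # (200, 'ok')
```

The design point is that the check is a property of the service, not of the form: an API call made with the victim's cookies or token gets the same 403 as the form would, which is exactly what the issue asks for.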