Add permission check for admins updating user passwords #3394
For security purposes administrators should not be able to set a user's password. Only the account's owner should be able to directly set their password. Administrators should only have the ability to send a password reset email to the account owner. Otherwise someone working in customer service or another role could take over a user's account in order to make illegal purchases with their stored credit card information.

In order to maintain backwards compatibility, and leave more power in control of the store owner, this will leave the current admin role behavior the same, but anyone creating custom roles will no longer be able to update passwords unless they explicitly add a change password permission.
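
The rule described above, sketched as an added stand-alone Ruby example; it is not code from this pull request or from the project. The `Role` class, the `:update_user` and `:update_password` permission names, and both helper methods are hypothetical.

```ruby
# Added illustration; every name here is hypothetical, not the project's API.
require "set"

PASSWORD_KEYS = %w[password password_confirmation].freeze

# The built-in admin role keeps every ability (backwards compatible);
# a custom role holds only the permissions it was explicitly granted.
class Role
  attr_reader :name

  def initialize(name, permissions = [])
    @name = name
    @permissions = Set.new(permissions.map(&:to_sym))
  end

  def can?(action)
    name == "admin" || @permissions.include?(action.to_sym)
  end
end

# True when the actor owns the account or holds the explicit permission.
def may_set_password?(actor_id:, roles:, target_id:)
  actor_id == target_id || roles.any? { |r| r.can?(:update_password) }
end

# Returns [attributes_to_apply, rejected_keys]. Password fields are stripped
# from the update (string or symbol keys) when the actor may not set them.
def filter_user_update(actor_id:, roles:, target_id:, attrs:)
  attrs = attrs.transform_keys(&:to_s)
  if may_set_password?(actor_id: actor_id, roles: roles, target_id: target_id)
    return [attrs, []]
  end

  rejected = attrs.keys & PASSWORD_KEYS
  [attrs.reject { |key, _| PASSWORD_KEYS.include?(key) }, rejected]
end

# What the actor may do about the target user's password.
def password_action(actor_id:, roles:, target_id:)
  if may_set_password?(actor_id: actor_id, roles: roles, target_id: target_id)
    :set_directly
  elsif roles.any? { |r| r.can?(:update_user) }
    :send_reset_email
  else
    :none
  end
end
```

Logging the rejected keys returned by `filter_user_update` gives an audit trail of attempts to set another user's password without the permission.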