Bugzilla – Bug 11998
User should not have to re-enter password to change account settings
Last modified: 2009-10-05 16:43:02 UTC
In the current squeezenetwork accounts area, the user is required to enter their current password in order to change any of the settings - name, email, password, country, language, and time zone. The only settings that have any real security implications if they are changed are email address and password (if maliciously changed, these would prevent you from logging in to your account). I would even go so far as to say that even these settings should be changeable without entering in your previous password, as long as we send an email notice of the change to the original email address (that contains whatever information was changed - i.e. new email, new password etc).
I've always hated this... should we target this for the new skin?
Part of the flow for this is shown on "account settings" page in the new wireframes: http://wiki.slimdevices.com/index.php/Mysqueezeboxdotcom. By default, just show a "change password" link. If the user clicks it, the form fields slide down to show fields for "enter current password," "enter new password" and "verify new password." If user clicks submit with blank form fields, ignore these fields. Otherwise, verify old and current password or show appropriate errors...
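The server-side half of the flow described in the comment above, as an added example that is not part of the original bug thread and is not MySqueezebox.com code: blank password fields are ignored, and any non-blank one triggers verification of the current password. The field names, the account dictionary, the PBKDF2 parameters and the choice to reject the whole form on a password error are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example
PROFILE_FIELDS = ("name", "email", "country", "language", "time_zone")


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_account(password: str) -> dict:
    """Build a constructed sample account record (hypothetical schema)."""
    salt = os.urandom(16)
    return {"name": "Example User", "email": "user@example.com",
            "salt": salt, "password_hash": hash_password(password, salt)}


def update_settings(account: dict, form: dict) -> list:
    """Apply a settings form; return a list of error strings (empty on success)."""
    current = form.get("current_password", "")
    new = form.get("new_password", "")
    verify = form.get("verify_new_password", "")
    new_credentials = None

    # Password fields submitted blank are ignored entirely.
    if current or new or verify:
        supplied = hash_password(current, account["salt"])
        # Constant-time comparison of the derived hashes.
        if not hmac.compare_digest(supplied, account["password_hash"]):
            return ["current password is incorrect"]
        if not new:
            return ["new password is empty"]
        if new != verify:
            return ["new passwords do not match"]
        salt = os.urandom(16)  # fresh salt for the new password
        new_credentials = (salt, hash_password(new, salt))

    # Assumption: nothing is saved unless the whole form validated.
    for field in PROFILE_FIELDS:
        if field in form:
            account[field] = form[field]
    if new_credentials:
        account["salt"], account["password_hash"] = new_credentials
    return []
```
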
change 6386 - only require password if user wants to change it
This bug has been fixed in the latest release of MySqueezebox.com (formerly known as SqueezeNetwork)! If you are still experiencing this problem, feel free to reopen the bug with your new comments and we'll have another look.