password.php - // only make admin enter current password

Hope it's alright to post this here... if not, correct me and I will go somewhere else :-)

This could be called a bug depending on how you want it to work. To me, all users should be required to enter their current password in order to change their password. Just good security, and that is how it is currently working.

However:

// only make the admin user enter current password for changing his own password.
if (!elgg_is_admin_logged_in() || elgg_is_admin_logged_in() && $user->guid == elgg_get_logged_in_user_guid())

implies only the admin is required to enter their current password due to the comment. elgg_is_admin_logged_in() returns false as expected when it is a regular member, so it equates to true on the left side of the OR statement. Thus even regular users are shown the current password field. It returns true on the right for an admin, so again the current password field is shown.

This whole "if statement" should just be removed, and the current password field shown for all users.

As a side note....
I found this because I was looking for a way to either direct the settings page to use HTTPS (if enabled in the admin) or change the action in the form to use HTTPS (if enabled in the admin). Since the data being submitted are the user's credentials, it only makes sense to allow HTTPS if it is enabled in the admin. So if someone can point me in the direction on how to change that, it would be appreciated.
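The three cases the quoted condition distinguishes (regular user, admin on own account, admin on another account), together with the server-side check that the hidden form field must be backed by. This is an added example, not Elgg's code; the two elgg_* function names come from the quoted snippet, while `requires_current_password`, `change_password` and the `password_hash` property on the constructed user object are hypothetical.

```php
<?php
// Added example, not Elgg's code. Models the decision behind:
//   !elgg_is_admin_logged_in() || elgg_is_admin_logged_in() && $user->guid == elgg_get_logged_in_user_guid()
// && binds tighter than ||, so this reads: !admin || (admin && own account).

/**
 * Must the actor supply the account's current password to change it?
 * Everyone changing their own password must; only an admin changing
 * someone else's password is exempt.
 */
function requires_current_password(bool $actor_is_admin, int $actor_guid, int $target_guid): bool
{
    return !$actor_is_admin || $target_guid === $actor_guid;
}

/**
 * Server-side enforcement for the action handler. Whether the form showed
 * the field is irrelevant here: the check is repeated on the submitted data.
 * $target is a constructed stand-in for the user entity (guid + password_hash).
 */
function change_password(bool $actor_is_admin, int $actor_guid, object $target, ?string $current, string $new): bool
{
    if (requires_current_password($actor_is_admin, $actor_guid, $target->guid)) {
        if ($current === null || !password_verify($current, $target->password_hash)) {
            return false; // missing or wrong current password: refuse the change
        }
    }
    $target->password_hash = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

// Constructed sample data: user 42 ("alice") with a known current password.
$alice = (object) ['guid' => 42, 'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)];
$admin_guid = 7;

$cases = [
    'regular user, own account'  => requires_current_password(false, 42, 42),
    'admin, own account'         => requires_current_password(true, $admin_guid, $admin_guid),
    'admin, another user'        => requires_current_password(true, $admin_guid, 42),
];
foreach ($cases as $label => $required) {
    printf("%-28s current password required: %s\n", $label, $required ? 'yes' : 'no');
}

// Regular user submitting a wrong, then the correct, current password.
printf("wrong current password accepted: %s\n",
    change_password(false, 42, $alice, 'not-it', 'new-secret') ? 'yes' : 'no');
printf("correct current password accepted: %s\n",
    change_password(false, 42, $alice, 'old-secret', 'new-secret') ? 'yes' : 'no');
```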

  • The admin is not required to enter the other user's password to change it. Users that want to change their own password are required to enter their current password as a security precaution.

    Please open a ticket at our bug tracker for your side note. I agree that turning on https for login should also turn it on for changing settings.