Password change does not ask for current password #1193

Open
opened 2026-02-05 00:13:06 +03:00 by OVERLORD · 2 comments
Originally created by @swierckx on GitHub (May 22, 2019).

Describe the bug
When a user changes his/her password the application does not request the current password to validate the user. It is a security best practice to re-validate the authentication when performing sensitive operations such as a password change.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Go to your profile
  2. Enter the same, new password twice
  3. Save
  4. The current password is not requested

Expected behavior
Add a text box to enter the current password for all sensitive actions.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): v0.26.1
  • PHP Version: 7.2
  • Hosting Method (Nginx/Apache/Docker): Apache
OVERLORD added the 🛠️ Enhancement🔒 Security labels 2026-02-05 00:13:06 +03:00
@ssddanbrown commented on GitHub (May 22, 2019):

Thanks for the suggestion @swierckx, that's a good idea. Will have to support the case of an admin-style user changing the password on behalf of another user. I'd imagine the admin would confirm their own password, but need to take care with the UX to ensure it's not confusing in regards to what password is being requested.

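The re-authentication control the report asks for, and the admin-on-behalf-of case the maintainer raises, as an added illustration that is not BookStack's code: the actor (self-service user or admin) must confirm their own current password before the target's password is replaced. The in-memory `User` store and PBKDF2 hashing are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class User:
    """Constructed user record (assumption: not BookStack's real model)."""
    name: str
    is_admin: bool = False
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; a real app uses its framework's hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(user: User, password: str) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def set_password(user: User, new_password: str) -> None:
    user.salt = os.urandom(16)
    user.pw_hash = hash_password(new_password, user.salt)


def change_password_unverified(target: User, new_password: str, confirm: str) -> bool:
    """Behaviour described in the report: only checks that the two new-password boxes match."""
    if new_password != confirm:
        return False
    set_password(target, new_password)
    return True


def change_password_reauth(actor: User, target: User, current_password: str,
                           new_password: str, confirm: str) -> bool:
    """Hardened: the acting user re-authenticates with *their own* current password.
    Self-service: actor is target. Admin changing another user's password: the admin
    confirms the admin's password, as the maintainer proposes above."""
    if actor is not target and not actor.is_admin:
        return False  # only admins may change someone else's password
    if not verify_password(actor, current_password):
        return False  # wrong current password: reject, target stays unchanged
    if new_password != confirm:
        return False
    set_password(target, new_password)
    return True
```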
@Cave-Johnson commented on GitHub (Jan 23, 2020):

Perhaps the best method would be to confirm the admin's password before access is granted to the settings area entirely, and then only show the new password and confirm password boxes for the admin user.

For a standard user, have a box above the new password and confirm password boxes asking for the user's current password.

It would also be really neat to have BookStack generate a random password as a suggestion.

Reference: starred/BookStack#1193