Remove password and password_confirmation from whitelisted params in ProfilesController to prevent password from being changed without previous password being provided

author: Tiago Botelho <tiagonbotelho@hotmail.com> 2018-05-04 19:24:55 +0200
committer: Tiago Botelho <tiagonbotelho@hotmail.com> 2018-05-07 10:29:00 +0200
commit: 8417f74f23a75020a14f39d939c4dd1cc5419d07 (patch)
tree: 8cbda28b16372ae6baa145078110fbcca3a2238c /changelogs
parent: 7603beffc916d06039cac63b223d8e6234b5d666 (diff)
download: gitlab-ce-8417f74f23a75020a14f39d939c4dd1cc5419d07.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-users-can-update-their-password-without-entering-current-password.yml b/changelogs/unreleased/security-users-can-update-their-password-without-entering-current-password.yml
new file mode 100644
index 00000000000..824fbd41ab8
--- /dev/null
+++ b/changelogs/unreleased/security-users-can-update-their-password-without-entering-current-password.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent user passwords from being changed without providing the previous password
+merge_request:
+author:
+type: security
author	Tiago Botelho <tiagonbotelho@hotmail.com>	2018-05-04 19:24:55 +0200
committer	Tiago Botelho <tiagonbotelho@hotmail.com>	2018-05-07 10:29:00 +0200
commit	8417f74f23a75020a14f39d939c4dd1cc5419d07 (patch)
tree	8cbda28b16372ae6baa145078110fbcca3a2238c /changelogs
parent	7603beffc916d06039cac63b223d8e6234b5d666 (diff)
download	gitlab-ce-8417f74f23a75020a14f39d939c4dd1cc5419d07.tar.gz