If you are using SSL on your site (which you should), then the <input type="password"> is sufficient, as the payload is encrypted in-transit.
UNSOLVED Disallow editing password, email, ...
The admin interface already allows you to "disable username changes". Is there an existing way to disable changes for user passwords, email addresses or other user fields (e.g. fullname) as well? This would be incredibly useful with custom authentication plugins.
I would never block a user from changing their password or email. These are things that, if the user ends up having them hijacked, they will want to be able to change easily on all sites they visit. Plus, there is a better chance you will get their most up-to-date email and most secure passwords on your website. It keeps them and you safe as well as in contact. I can't think of a single reason you'd lock those.
- 5 min way: just remove them from template
- +15 min way: also return 403 for edit routes (
In both cases you edit source files.
I just described one of the possible options for how you can solve your problem.
@HolyPhoenix We're using our own Identity Management database that already allows changing user passwords or emails. That's why it can be counterproductive enabling users to change their forum password or email. Other administrators using OAuth or similar SSO utilities would agree.
@Nicolas Thanks for your solution. I hoped for a more update-safe way like an override function, but it appears there is none, yet. I'll try designing my own theme.
I tried implementing the functionality in nodeBB and persona the same way it is implemented for username:disableEdit. Apparently that doesn't work. The "Disable username changes" switch in the Admin panel doesn't do anything. Maybe this functionality is not feature complete, yet? @julian
@baris possibly a regression?