Describe the bug
When a user changes his/her password the application does not request the current password to validate the user. It is a security best practice to re-validate the authentication when performing sensitive operations such as a password change.
Steps To Reproduce
Steps to reproduce the behavior:
1. Go to your profile
2. Enter the same, new password twice
3. Save
4. The current password is not requested
Expected behavior
Add a text box to enter the current password for all sensitive actions.
Your Configuration (please complete the following information):
Exact BookStack Version (Found in settings): v0.26.1
PHP Version: 7.2
Hosting Method (Nginx/Apache/Docker): Apache
Thanks for the suggestion @swierckx, that's a good idea. Will have to support the case of an admin-style user changing the password on behalf of another user. I'd imagine the admin would confirm their own password, but need to take care with the UX to ensure it's not confusing in regards to what password is being requested.
Perhaps the best method would be to confirm the admin's password before access is granted to the settings area entirely, and then only show the new password and confirm password boxes for the admin user.
For a standard user, have a box above the new password and confirm password boxes asking for the user's current password.
It would also be really neat to have BookStack generate a random password as a suggestion.
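The following is an added illustration of the two flows discussed in this thread (a user re-entering their own current password, and an admin confirming the admin's own password when resetting someone else's). It is example code written for this page, not BookStack's own implementation: the `User` class, `changePassword()`, `suggestPassword()` and `PasswordChangeError` are hypothetical names; only `password_hash()`, `password_verify()` and `random_bytes()` are real PHP built-ins.

```php
<?php
declare(strict_types=1);

// Added example, not BookStack code. Hypothetical User model and a
// changePassword() routine that re-authenticates the actor before changing
// the target's password, as proposed in the thread above.

final class User
{
    public int $id;
    public string $passwordHash;
    public bool $isAdmin;

    public function __construct(int $id, string $passwordHash, bool $isAdmin = false)
    {
        $this->id = $id;
        $this->passwordHash = $passwordHash;
        $this->isAdmin = $isAdmin;
    }
}

final class PasswordChangeError extends RuntimeException {}

/**
 * Re-authenticate the actor, then return the new hash to store for $target.
 * $confirmPassword is always the ACTOR's current password: the user's own when
 * changing their own password, the admin's own when resetting another account.
 */
function changePassword(User $actor, User $target, string $confirmPassword,
                        string $newPassword, string $newPasswordAgain): string
{
    // Authorisation first: only the account owner or an admin may change this password.
    if ($actor->id !== $target->id && !$actor->isAdmin) {
        throw new PasswordChangeError('Not permitted to change this password.');
    }

    // Re-authentication: this is the check the bug report says is missing.
    // password_verify() handles the salted hash and compares in constant time.
    if (!password_verify($confirmPassword, $actor->passwordHash)) {
        throw new PasswordChangeError('Current password is incorrect.');
    }

    // Only after the actor is re-authenticated do we look at the new password.
    if ($newPassword !== $newPasswordAgain) {
        throw new PasswordChangeError('New passwords do not match.');
    }
    if (strlen($newPassword) < 8) {
        throw new PasswordChangeError('New password must be at least 8 characters.');
    }

    return password_hash($newPassword, PASSWORD_DEFAULT);
}

/** Random password suggestion, as proposed in the thread: hex of CSPRNG bytes. */
function suggestPassword(int $bytes = 12): string
{
    return bin2hex(random_bytes($bytes));
}

// --- Constructed demo data: hashes are generated at runtime, no real accounts. ---
$alice = new User(1, password_hash('alice-old-secret', PASSWORD_DEFAULT));
$admin = new User(2, password_hash('admin-own-secret', PASSWORD_DEFAULT), true);
$bob   = new User(3, password_hash('bob-secret-value', PASSWORD_DEFAULT));

// 1. Self-service change: Alice must present her current password.
$hash = changePassword($alice, $alice, 'alice-old-secret', 'alice-new-secret', 'alice-new-secret');
var_dump(password_verify('alice-new-secret', $hash));

// 2. Admin resets Alice's password, confirming the admin's own password, not Alice's.
$suggested = suggestPassword();
$hash = changePassword($admin, $alice, 'admin-own-secret', $suggested, $suggested);
var_dump(password_verify($suggested, $hash));

// 3. Wrong current password: rejected before the new password is even validated.
try {
    changePassword($alice, $alice, 'not-her-password', 'whatever-new-pw', 'whatever-new-pw');
} catch (PasswordChangeError $e) {
    echo $e->getMessage(), PHP_EOL;
}

// 4. A non-admin cannot change another user's password, even with a valid own password.
try {
    changePassword($bob, $alice, 'bob-secret-value', 'whatever-new-pw', 'whatever-new-pw');
} catch (PasswordChangeError $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The two points that matter are the ordering and the identity of the confirmed password: the actor's current password is verified before any new-password rule runs, so a wrong confirmation never reveals anything about password policy, and an admin is always asked for their own password rather than the target user's, which is what keeps the confirmation box unambiguous in the UX concern raised above.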