User can reset password without current password

[liamnv]

A clear and concise description of what the bug is.

Expected results

User must provide current password to reset password

Actual results

User can reset password without of current password

Screenshots

If applicable, add screenshots to help explain your problem.

How to reproduce the bug

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Environment

(please complete the following information):

• superset version: superset version
• python version: python --version
• node.js version: node -v

Checklist

Make sure to follow these steps before submitting your issue - thank you!

• I have checked the superset logs for python stacktraces and included it here as text if there are any.
• I have reproduced the issue with at least the latest released version of superset.
• I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

Add any other context about the problem here.

[lamielle]

@liamnv can you provide a few more details on the bug you're reporting here? This could be a serious security issue. I'm relatively new to Superset but I think providing more information per the issue template would help the Superset team triage this bug.

[liamnv]

@lamielle I found this is an issue of Flask App Builder, I'm contributing for its here dpgaspar/Flask-AppBuilder#1553

[mistercrunch]

@dpgaspar ^^^

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.

[rusackas]

This is likely fixed by now, and is pretty out of date if not. If people are still encountering this in current versions (3.x) please open a new Issue or a PR to address the problem.