Users can change the passwords of other users

[simondate]

It seems that when you create additional accounts on the latest version of the Authoring Tool they get shown the email address, first name and last name of another account. They can also change the password of this user!

Steps to Reproduce

1. Admin account creates a new account
2. Log into the new account
3. Click on logged in as: [new account] to change the password
4. The user is shown the details of another admin account.
5. Change the password of the other admin account
6. The admin account cannot log in with their own password, but they can use this new password

Versions

• Authoring Tool Version: 0.10.4
• Framework Version: 5.7.1

[deltanetdan]

I can reproduce this issue. Reversing this PR seems to fix the problem.

[moloko]

nice find @simondate

[moloko]

Looks like it gives you the account details of whoever created the account. Currently having lots of fun changing @guywillis password to random things ;-)

EDIT: I don't think it actually changes that person's password. or your own. no idea what it is doing but is definitely quite broken!