682082 - Add password requirement to privileged accounts

Status: RESOLVED FIXED

(addons.mozilla.org Graveyard :: Admin/Editor Tools, defect, P3)

Description

[Wil Clouser [:clouserw]]

Browserid is rockin', but we still want to require privileged users to authenticate to AMO with a password.  If you need UI help, let us know.  Greg recently wrote a lightbox login which will also be affected here.

Privileged users here include:  Admin:*, Editors:*

Comment 1

[David Chan [:dchan]]

Sorry, I haven't been following the latest developments with AMO and browserid. 

How does the use of browserid change the interaction of admins/editors with the privileged sections of AMO? Does logging in with browserid currently allow the same privileges as going through the standard AMO login? 

I'm guessing that since browserid uses different credentials, requiring AMO password is to prevent abuse of a logged in browserid session.

Comment 2

[Wil Clouser [:clouserw]]

browserid is going to be equivalent to our current authentication.

We're adding password auth for privileged accounts as a secondary auth.  This was talked about with mcoates and yboily via email a bit.

Comment 3

[Sid Stamm [:geekboy or :sstamm]]

(In reply to David Chan [:dchan] from comment #1)
> How does the use of browserid change the interaction of admins/editors with
> the privileged sections of AMO? Does logging in with browserid currently
> allow the same privileges as going through the standard AMO login? 

This is just another layer of defense for accounts with lots of privilege since browserid is a baby and still "experimental".

Comment 4

[Allen Short [:ashort]]

https://github.com/jbalogh/zamboni/commit/0eb323be7e927541406d2bfa29129fa628739373