Problem
Spin-off from #2405943: User entity validation misses form validation logic:
When you edit your user account, you have to provide the existing password when you want to change the password or e-mail. This security feature is currently bypassed by REST user updates: you can change the password or e-mail without providing the existing password.
The current validation logic lives in user_validate_current_pass().
Given that this has security implications as soon as REST is enabled for user account updates, I think this is critical.
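As an added illustration (not Drupal's own code and not a patch for this issue), the check below models what the form currently enforces, but at the entity level, so it applies the same way whether the update arrives from the account form or from a REST request. The Account class, the validateProtectedFieldChange() function, the field names in the update array and the sample data are assumptions made for this example.

```php
<?php
// Added example, not Drupal core code. It models the "current password is
// required to change e-mail or password" rule as a check on the stored account
// plus the submitted update, independent of which entry point submitted it.
// Account, validateProtectedFieldChange() and the sample data are assumptions.

final class Account {
    public function __construct(
        public string $mail,
        public string $passHash,
    ) {}
}

/**
 * Validates an update to an existing account.
 *
 * @param Account $original  The account as currently stored.
 * @param array   $update    Submitted fields: optional 'mail', 'pass' (new
 *                           plaintext password) and 'existing_pass'.
 *
 * @return string[] Violation messages; empty when the update is acceptable.
 */
function validateProtectedFieldChange(Account $original, array $update): array {
    $mailChanged = isset($update['mail']) && $update['mail'] !== $original->mail;
    $passChanged = isset($update['pass']) && $update['pass'] !== '';

    // Updates that leave both protected fields alone need no current password.
    if (!$mailChanged && !$passChanged) {
        return [];
    }

    $existing = $update['existing_pass'] ?? '';
    // The rule fires regardless of entry point: a REST payload that omits
    // existing_pass is rejected exactly like a form submission that omits it.
    if ($existing === '' || !password_verify($existing, $original->passHash)) {
        return ['Your current password is missing or incorrect; it is required to change the Email or Password.'];
    }
    return [];
}

// Constructed sample account with a known password.
$original = new Account('alice@example.com', password_hash('old-secret', PASSWORD_DEFAULT));

// REST-style update changing the e-mail without the current password: rejected.
$missing = validateProtectedFieldChange($original, ['mail' => 'changed@example.com']);
// The same change with the correct current password: accepted.
$verified = validateProtectedFieldChange($original, [
    'mail' => 'changed@example.com',
    'existing_pass' => 'old-secret',
]);
// A password change with a wrong current password: rejected.
$wrong = validateProtectedFieldChange($original, [
    'pass' => 'new-secret',
    'existing_pass' => 'not-the-password',
]);
// An update that touches neither protected field: accepted without a password.
$unrelated = validateProtectedFieldChange($original, ['timezone' => 'UTC']);

var_dump(count($missing) === 1, $verified === [], count($wrong) === 1, $unrelated === []);
```

The point of the example is where the check lives: attached to the account entity rather than to the form, the same rule covers every path that can modify the protected fields, which is the gap the REST updates expose.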
Proposed resolution
-
Remaining tasks
Find solution.