I was working as a web developer on this site, and I came across this piece of code:
class userCP extends Controller {
    function index() {
        // load the auth and info-cache libraries through the framework loader
        $this->load->library("auth");
        $this->load->library("infocache");
        // ....snip....
    }
    // .......snip......
    function changePassword() {
        // id of the currently logged-in user, taken from the auth library
        $user_id = $this->auth->u_id;
        // runs the same routine as 'Forgot Password' for that id (emails a reset link)
        $this->auth->forgot($user_id);
        $this->load->view('notify', 'Please check your email for instructions on how to change your password');
    }
    // .......snip......
}
What it actually does is allow the user to change their password. While other applications just ask you for your old password and then the new password, this web app used the same code as for the 'Forgot Password' option, i.e. it sends you an email with a link that resets your password so that you can change it.
When I asked my supervisor about this, he said, "The previous developer said that this step requires the user to validate his email account, which is a good security measure", and I was totally like... wtf??
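For comparison, here is the conventional flow the post contrasts with, written as an added example: a change-password handler that requires proof of the current password before rotating it. This is not code from the post or from the site it describes; it is framework-agnostic PHP 7.4+, and the in-memory user store, the sample user, the session identifiers and the 12-character minimum are all assumptions made for the example.

```php
<?php
// Added example, not code from the post or the site it describes.
// Framework-agnostic PHP 7.4+. The in-memory store, the constructed sample
// user and the session list are assumptions for demonstration only.

final class PasswordChanger
{
    /** @var array<int, array{hash: string, sessions: string[]}> constructed store */
    private array $users;

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    /**
     * Change a password the conventional way: the caller must prove it knows
     * the CURRENT password, so holding a valid session on its own (hijacked
     * cookie, unattended browser) is not enough to take over the account.
     * Returns true on success, false on any failed check.
     */
    public function change(int $userId, string $currentPassword, string $newPassword, string $currentSessionId): bool
    {
        if (!isset($this->users[$userId])) {
            return false;
        }
        $user = &$this->users[$userId];

        // 1. Verify the current password against the stored hash.
        //    password_verify() is the check the post's changePassword() never does.
        if (!password_verify($currentPassword, $user['hash'])) {
            return false;
        }

        // 2. Minimal policy on the new password, and refuse re-using the old one.
        if (strlen($newPassword) < 12 || password_verify($newPassword, $user['hash'])) {
            return false;
        }

        // 3. Store a fresh hash; PASSWORD_DEFAULT lets PHP upgrade the algorithm later.
        $user['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);

        // 4. Drop every other session for this account, so a stolen session
        //    cookie stops working as soon as the legitimate user rotates the password.
        $user['sessions'] = array_values(array_filter(
            $user['sessions'],
            fn (string $sid) => $sid === $currentSessionId
        ));

        return true;
    }

    /** Sessions still valid for a user (used by the demo below). */
    public function sessionsFor(int $userId): array
    {
        return $this->users[$userId]['sessions'] ?? [];
    }
}

// --- Demo with a constructed user: id 42, three live sessions ---
$store = new PasswordChanger([
    42 => [
        'hash'     => password_hash('correct horse battery', PASSWORD_DEFAULT),
        'sessions' => ['sess-A', 'sess-B', 'sess-C'],
    ],
]);

// Attempt with the wrong current password: refused, nothing changes.
$denied = $store->change(42, 'not the password', 'brand-new-passphrase', 'sess-A');
// Attempt with the right current password from session A: accepted, B and C are dropped.
$granted = $store->change(42, 'correct horse battery', 'brand-new-passphrase', 'sess-A');

var_dump($denied, $granted, $store->sessionsFor(42));
```

The difference to the post's changePassword() is step 1: there, calling forgot() means a request from any valid session triggers a reset link to the address on file, and the application never learns whether the person at the keyboard actually knows the password. The reset-link flow is the right tool for a user who has lost the password; for a user who still has it, asking for it is the check that proves control of the account.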