diff options
author | Lukas Fleischer <lfleischer@archlinux.org> | 2020-01-30 12:39:52 +0100 |
---|---|---|
committer | Lukas Fleischer <lfleischer@archlinux.org> | 2020-01-30 13:25:15 +0100 |
commit | 7aa420d24da7e8c2c214ab421d44b4684d42e73e (patch) | |
tree | 823e389e881d53883e125dda4f9fe2e111d16e1d | |
parent | f090896fa1e9570715cfcdec7b23ecf95d25e936 (diff) | |
download | aur-7aa420d24da7e8c2c214ab421d44b4684d42e73e.tar.gz aur-7aa420d24da7e8c2c214ab421d44b4684d42e73e.tar.xz |
Verify current password against logged in user
When changing the password of an account, instead of asking for the old
password of the account, ask for the password of the currently logged in
user. This allows privileged users to edit other accounts without
knowing their passwords.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-rw-r--r-- | web/lib/acctfuncs.inc.php | 9 | ||||
-rw-r--r-- | web/template/account_edit_form.php | 4 |
2 files changed, 6 insertions, 7 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 601d4ce0..d2144c2a 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -134,10 +134,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" $dbh = DB::connect(); if(isset($_COOKIE['AURSID'])) { - $editor_user = uid_from_sid($_COOKIE['AURSID']); - } - else { - $editor_user = null; + $uid_session = uid_from_sid($_COOKIE['AURSID']); + } else { + $uid_session = null; } if (empty($E) || empty($U)) { @@ -169,7 +168,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" if (!$error && $P && $P != $C) { $error = __("Password fields do not match."); } - if (!$error && $P && check_passwd($UID, $PO) != 1) { + if (!$error && $P && check_passwd($uid_session, $PO) != 1) { $error = __("The old password is invalid."); } if (!$error && $P != '' && !good_passwd($P)) { diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 25e91853..7bd233a8 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -140,9 +140,9 @@ <?php if ($A == "UpdateAccount"): ?> <fieldset> - <legend><?= __("If you want to change your password, enter your current passport, your new password and confirm the new password by entering it again.") ?></legend> + <legend><?= __("If you want to change the password, enter your current passport, the new password and confirm the new password by entering it again.") ?></legend> <p> - <label for="id_passwd_old"><?= __("Old password") ?>:</label> + <label for="id_passwd_old"><?= __("Your current password") ?>:</label> <input type="password" size="30" name="PO" id="id_passwd_old" value="<?= $PO ?>" /> </p> |