diff options
author | Lukas Fleischer <lfleischer@archlinux.org> | 2020-01-30 14:00:07 +0100 |
---|---|---|
committer | Lukas Fleischer <lfleischer@archlinux.org> | 2020-01-30 14:05:24 +0100 |
commit | def2787b45275de2b8dfab0ece87f35ea280567b (patch) | |
tree | fd04ae7c32892203e3712245a11225c99a2f9365 /web/lib/acctfuncs.inc.php | |
parent | 8fc8898fef39af20a24c9928464fd8420481d819 (diff) | |
download | aur-def2787b45275de2b8dfab0ece87f35ea280567b.tar.gz aur-def2787b45275de2b8dfab0ece87f35ea280567b.tar.xz |
Require password when changing account information
Since commits daee20c (Require current password when setting a new one,
2020-01-30) and 8fc8898 (Require password when deleting an account,
2020-01-30), changing a password and deleting an account require the
current password. Extend this to all other profile changes.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web/lib/acctfuncs.inc.php')
-rw-r--r-- | web/lib/acctfuncs.inc.php | 19 |
1 files changed, 7 insertions, 12 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index d2144c2a..345d27af 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -96,7 +96,6 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" * @param string $S Whether or not the account is suspended * @param string $E The e-mail address for the user * @param string $H Whether or not the e-mail address should be hidden - * @param string $PO The old password of the user * @param string $P The password for the user * @param string $C The confirmed password for the user * @param string $R The real name of the user @@ -112,13 +111,14 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" * @param string $ON Whether to notify of ownership changes * @param string $UID The user ID of the modified account * @param string $N The username as present in the database + * @param string $passwd The password of the logged in user. * @param string $captcha_salt The salt used for the CAPTCHA. * @param string $captcha The CAPTCHA answer. * * @return array Boolean indicating success and message to be printed */ -function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="",$C="", - $R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$captcha_salt="",$captcha="") { +function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="", + $R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$passwd="",$captcha_salt="",$captcha="") { global $SUPPORTED_LANGS; $error = ''; @@ -133,10 +133,11 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" $dbh = DB::connect(); - if(isset($_COOKIE['AURSID'])) { + if (isset($_COOKIE['AURSID'])) { $uid_session = uid_from_sid($_COOKIE['AURSID']); - } else { - $uid_session = null; + if (!$error && check_passwd($uid_session, $passwd) != 1) { + $error = __("Invalid password."); + } } if (empty($E) || empty($U)) { @@ -162,15 +163,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" if (!$error && $P && !$C) { $error = __("Please confirm your new password."); } - if (!$error && $P && !$PO) { - $error = __("Please enter your old password in order to set a new one."); - } if (!$error && $P && $P != $C) { $error = __("Password fields do not match."); } - if (!$error && $P && check_passwd($uid_session, $PO) != 1) { - $error = __("The old password is invalid."); - } if (!$error && $P != '' && !good_passwd($P)) { $length_min = config_get_int('options', 'passwd_min_len'); $error = __("Your password must be at least %s characters.", |