authorLukas Fleischer <lfleischer@archlinux.org>2020-01-30 12:39:52 +0100
committerLukas Fleischer <lfleischer@archlinux.org>2020-01-30 13:25:15 +0100
commit7aa420d24da7e8c2c214ab421d44b4684d42e73e (patch)
tree823e389e881d53883e125dda4f9fe2e111d16e1d /web/lib/acctfuncs.inc.php
parentf090896fa1e9570715cfcdec7b23ecf95d25e936 (diff)
downloadaur-7aa420d24da7e8c2c214ab421d44b4684d42e73e.tar.gz
aur-7aa420d24da7e8c2c214ab421d44b4684d42e73e.tar.xz
Verify current password against logged in user
When changing the password of an account, instead of asking for the old password of the account, ask for the password of the currently logged in user. This allows privileged users to edit other accounts without knowing their passwords. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web/lib/acctfuncs.inc.php')
-rw-r--r--web/lib/acctfuncs.inc.php9
1 files changed, 4 insertions, 5 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 601d4ce0..d2144c2a 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -134,10 +134,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="
$dbh = DB::connect();
if(isset($_COOKIE['AURSID'])) {
- $editor_user = uid_from_sid($_COOKIE['AURSID']);
- }
- else {
- $editor_user = null;
+ $uid_session = uid_from_sid($_COOKIE['AURSID']);
+ } else {
+ $uid_session = null;
}
if (empty($E) || empty($U)) {
@@ -169,7 +168,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="
if (!$error && $P && $P != $C) {
$error = __("Password fields do not match.");
}
- if (!$error && $P && check_passwd($UID, $PO) != 1) {
+ if (!$error && $P && check_passwd($uid_session, $PO) != 1) {
$error = __("The old password is invalid.");
}
if (!$error && $P != '' && !good_passwd($P)) {
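Review bot: The message on the line after the changed check still reads `The old password is invalid.`, but the value compared is now the logged-in user's own password rather than the account's old one, so a privileged user editing someone else's account is told the wrong password is wrong; `$error = __("The current password of your account is invalid.");` or similar wording would match the new check, and the form's field label should follow. Separately, `$uid_session` is set to null when no AURSID cookie is present (earlier hunk), and whether `check_passwd(null, $PO)` can ever return 1 is not visible here — confirm it fails closed so the password-change path cannot skip re-authentication when there is no session. The loose `!= 1` comparison predates this commit and is not changed here. process_account_form's body continues outside the hunk.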