diff options
| author | Lukas Fleischer <lfleischer@archlinux.org> | 2020-01-30 12:39:52 +0100 |
|---|---|---|
| committer | Lukas Fleischer <lfleischer@archlinux.org> | 2020-01-30 13:25:15 +0100 |
| commit | 7aa420d24da7e8c2c214ab421d44b4684d42e73e (patch) | |
| tree | 823e389e881d53883e125dda4f9fe2e111d16e1d /web/lib | |
| parent | f090896fa1e9570715cfcdec7b23ecf95d25e936 (diff) | |
| download | aur-7aa420d24da7e8c2c214ab421d44b4684d42e73e.tar.gz aur-7aa420d24da7e8c2c214ab421d44b4684d42e73e.tar.xz | |
Verify current password against logged in user
When changing the password of an account, instead of asking for the old
password of the account, ask for the password of the currently logged in
user. This allows privileged users to edit other accounts without
knowing their passwords.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web/lib')
| -rw-r--r-- | web/lib/acctfuncs.inc.php | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 601d4ce0..d2144c2a 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -134,10 +134,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" $dbh = DB::connect(); if(isset($_COOKIE['AURSID'])) { - $editor_user = uid_from_sid($_COOKIE['AURSID']); - } - else { - $editor_user = null; + $uid_session = uid_from_sid($_COOKIE['AURSID']); + } else { + $uid_session = null; } if (empty($E) || empty($U)) { @@ -169,7 +168,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" if (!$error && $P && $P != $C) { $error = __("Password fields do not match."); } - if (!$error && $P && check_passwd($UID, $PO) != 1) { + if (!$error && $P && check_passwd($uid_session, $PO) != 1) { $error = __("The old password is invalid."); } if (!$error && $P != '' && !good_passwd($P)) { |