authorLukas Fleischer <lfleischer@archlinux.org>2020-01-30 11:52:32 +0100
committerLukas Fleischer <lfleischer@archlinux.org>2020-01-30 13:25:15 +0100
commit8fc8898fef39af20a24c9928464fd8420481d819 (patch)
tree34cf8f9eeeb9b642e074d2a5b1186ecbf6b8b3a1 /web/template/account_delete.php
parent7aa420d24da7e8c2c214ab421d44b4684d42e73e (diff)
downloadaur-8fc8898fef39af20a24c9928464fd8420481d819.tar.gz
aur-8fc8898fef39af20a24c9928464fd8420481d819.tar.xz
Require password when deleting an account
Further reduce the attack surface in case of a stolen session ID. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web/template/account_delete.php')
-rw-r--r--web/template/account_delete.php11
1 files changed, 9 insertions, 2 deletions
diff --git a/web/template/account_delete.php b/web/template/account_delete.php
index 718b172f..d0c6e74d 100644
--- a/web/template/account_delete.php
+++ b/web/template/account_delete.php
@@ -12,8 +12,15 @@
<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
</fieldset>
<fieldset>
- <p><label class="confirmation"><input type="checkbox" name="confirm" value="1" />
- <?= __("Confirm deletion") ?></label></p>
+ <p>
+ <label for="id_passwd"><?= __("Password") ?>:</label>
+ <input type="password" size="30" name="passwd" id="id_passwd" value="" />
+ </p>
+
+ <p>
+ <label class="confirmation"><input type="checkbox" name="confirm" value="1" />
+ <?= __("Confirm deletion") ?></label>
+ </p>
<p>
<input type="submit" class="button" value="<?= __("Delete") ?>" />