From 7aa420d24da7e8c2c214ab421d44b4684d42e73e Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Thu, 30 Jan 2020 12:39:52 +0100 Subject: Verify current password against logged in user When changing the password of an account, instead of asking for the old password of the account, ask for the password of the currently logged in user. This allows privileged users to edit other accounts without knowing their passwords. Signed-off-by: Lukas Fleischer --- web/lib/acctfuncs.inc.php | 9 ++++----- web/template/account_edit_form.php | 4 ++-- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 601d4ce0..d2144c2a 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -134,10 +134,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" $dbh = DB::connect(); if(isset($_COOKIE['AURSID'])) { - $editor_user = uid_from_sid($_COOKIE['AURSID']); - } - else { - $editor_user = null; + $uid_session = uid_from_sid($_COOKIE['AURSID']); + } else { + $uid_session = null; } if (empty($E) || empty($U)) { @@ -169,7 +168,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" if (!$error && $P && $P != $C) { $error = __("Password fields do not match."); } - if (!$error && $P && check_passwd($UID, $PO) != 1) { + if (!$error && $P && check_passwd($uid_session, $PO) != 1) { $error = __("The old password is invalid."); } if (!$error && $P != '' && !good_passwd($P)) { diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 25e91853..7bd233a8 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -140,9 +140,9 @@
- +

- +

-- cgit v1.2.3-24-g4f1b