From 08789f365c3c495b805aef082f20e1a99cf9eca5 Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Sat, 14 Jul 2007 03:48:28 +0000 Subject: Bug 381738: SaveAccount() in userprefs.cgi doesn't check Bugzilla->user->authorizer->can_change_{password|email} - Patch by Tiago R. Mello r/a=LpSolit --- userprefs.cgi | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/userprefs.cgi b/userprefs.cgi index 8f94809cb..1ad7f906e 100755 --- a/userprefs.cgi +++ b/userprefs.cgi @@ -82,8 +82,8 @@ sub SaveAccount { my $pwd1 = $cgi->param('new_password1'); my $pwd2 = $cgi->param('new_password2'); - if ($cgi->param('Bugzilla_password') ne "" || - $pwd1 ne "" || $pwd2 ne "") + if ($user->authorizer->can_change_password + && ($cgi->param('Bugzilla_password') ne "" || $pwd1 ne "" || $pwd2 ne "")) { my ($oldcryptedpwd) = $dbh->selectrow_array( q{SELECT cryptpassword FROM profiles WHERE userid = ?}, @@ -115,7 +115,10 @@ sub SaveAccount { } } - if(Bugzilla->params->{"allowemailchange"} && $cgi->param('new_login_name')) { + if ($user->authorizer->can_change_email + && Bugzilla->params->{"allowemailchange"} + && $cgi->param('new_login_name')) + { my $old_login_name = $cgi->param('Bugzilla_login'); my $new_login_name = trim($cgi->param('new_login_name')); -- cgit v1.2.3-24-g4f1b