From 08789f365c3c495b805aef082f20e1a99cf9eca5 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Sat, 14 Jul 2007 03:48:28 +0000
Subject: Bug 381738: SaveAccount() in userprefs.cgi doesn't check
 Bugzilla->user->authorizer->can_change_{password|email} - Patch by Tiago R.
 Mello <timello@gmail.com> r/a=LpSolit

---
 userprefs.cgi | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'userprefs.cgi')

diff --git a/userprefs.cgi b/userprefs.cgi
index 8f94809cb..1ad7f906e 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -82,8 +82,8 @@ sub SaveAccount {
     my $pwd1 = $cgi->param('new_password1');
     my $pwd2 = $cgi->param('new_password2');
 
-    if ($cgi->param('Bugzilla_password') ne "" || 
-        $pwd1 ne "" || $pwd2 ne "") 
+    if ($user->authorizer->can_change_password
+        && ($cgi->param('Bugzilla_password') ne "" || $pwd1 ne "" || $pwd2 ne ""))
     {
         my ($oldcryptedpwd) = $dbh->selectrow_array(
                         q{SELECT cryptpassword FROM profiles WHERE userid = ?},
@@ -115,7 +115,10 @@ sub SaveAccount {
         }
     }
 
-    if(Bugzilla->params->{"allowemailchange"} && $cgi->param('new_login_name')) {
+    if ($user->authorizer->can_change_email
+        && Bugzilla->params->{"allowemailchange"}
+        && $cgi->param('new_login_name'))
+    {
         my $old_login_name = $cgi->param('Bugzilla_login');
         my $new_login_name = trim($cgi->param('new_login_name'));
 
-- 
cgit v1.2.3-24-g4f1b