When changing the password of an account, instead of asking for the old
password of the account, ask for the password of the currently logged in
user. This allows privileged users to change the password of another
account without knowing that account's current password.

Signed-off-by: Lukas Fleischer <lfleisc...@archlinux.org>
---
 web/lib/acctfuncs.inc.php          | 9 ++++-----
 web/template/account_edit_form.php | 4 ++--
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 601d4ce..d2144c2 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -134,10 +134,9 @@ function 
process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="
        $dbh = DB::connect();
 
        if(isset($_COOKIE['AURSID'])) {
-               $editor_user = uid_from_sid($_COOKIE['AURSID']);
-       }
-       else {
-               $editor_user = null;
+               $uid_session = uid_from_sid($_COOKIE['AURSID']);
+       } else {
+               $uid_session = null;
        }
 
        if (empty($E) || empty($U)) {
@@ -169,7 +168,7 @@ function 
process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="
        if (!$error && $P && $P != $C) {
                $error = __("Password fields do not match.");
        }
-       if (!$error && $P && check_passwd($UID, $PO) != 1) {
+       if (!$error && $P && check_passwd($uid_session, $PO) != 1) {
                $error = __("The old password is invalid.");
        }
        if (!$error && $P != '' && !good_passwd($P)) {
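Review bot: The error message on the unchanged line right after the new check still says `The old password is invalid.`, but the check now verifies the logged-in editor's password via `$uid_session`, so a privileged user who mistypes their own password while editing another account is told the target's "old password" is wrong; the template label was renamed to "Your current password", so the message should follow, e.g. `$error = __("Your current password is invalid.");`. The same branch now passes `$uid_session` to `check_passwd()` even when it is null (no AURSID cookie, set in the earlier hunk), so the result depends on how `check_passwd()` treats a null uid, which is not visible here; if this branch is only reachable with a valid session, rejecting explicitly with `if (!$error && $P && ($uid_session === null || check_passwd($uid_session, $PO) != 1))` makes that intent clear, but confirm first that no session-less path (e.g. account creation with `$P` set) reaches it. Proving the editor knows their own password does not by itself authorize `$uid_session` to change `$UID`'s password; that authorization check must live elsewhere in the function or its caller, which this hunk does not show. process_account_form starts before and continues past this hunk.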
diff --git a/web/template/account_edit_form.php 
b/web/template/account_edit_form.php
index 25e9185..7bd233a 100644
--- a/web/template/account_edit_form.php
+++ b/web/template/account_edit_form.php
@@ -140,9 +140,9 @@
 
        <?php if ($A == "UpdateAccount"): ?>
        <fieldset>
-               <legend><?= __("If you want to change your password, enter your 
current passport, your new password and confirm the new password by entering it 
again.") ?></legend>
+               <legend><?= __("If you want to change the password, enter your 
current passport, the new password and confirm the new password by entering it 
again.") ?></legend>
                <p>
-                       <label for="id_passwd_old"><?= __("Old password") 
?>:</label>
+                       <label for="id_passwd_old"><?= __("Your current 
password") ?>:</label>
                        <input type="password" size="30" name="PO" 
id="id_passwd_old" value="<?= $PO ?>" />
                </p>
 
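Review bot: The new legend string on the `+` line carries over the typo `current passport` from the old text, while the relabelled field just below reads `Your current password`; since the legend is a translation key, fixing it in this commit avoids a second round of string churn: `If you want to change the password, enter your current password, the new password and confirm the new password by entering it again.`. Separately, the unchanged input line echoes the submitted value back with `value="<?= $PO ?>"`; if `$PO` is the raw POST value this is an unescaped attribute reflection, and re-populating a password field is rarely desirable anyway, so dropping the `value` attribute (or at minimum wrapping it in `htmlspecialchars()`) would be safer. That line predates this commit, but the hunk already touches the surrounding fieldset and is the natural place to address it.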
-- 
2.25.0
