Commit 8fc8898f authored by Lukas Fleischer's avatar Lukas Fleischer
Browse files

Require password when deleting an account



Further reduce the attack surface in case of a stolen session ID.
Signed-off-by: Lukas Fleischer's avatarLukas Fleischer <lfleischer@archlinux.org>
parent 7aa420d2
......@@ -120,12 +120,21 @@ if (isset($_COOKIE["AURSID"])) {
} elseif ($action == "DeleteAccount") {
/* Details for account being deleted. */
if (can_edit_account($row)) {
$UID = $row['ID'];
$uid_removal = $row['ID'];
$uid_session = uid_from_sid($_COOKIE['AURSID']);
$username = $row['Username'];
if (in_request('confirm') && check_token()) {
user_delete($UID);
header('Location: /');
if (check_passwd($uid_session, $_REQUEST['passwd']) == 1) {
user_delete($uid_removal);
header('Location: /');
} else {
echo "<ul class='errorlist'><li>";
echo __("Invalid password.");
echo "</li></ul>";
include("account_delete.php");
}
} else {
$username = $row['Username'];
include("account_delete.php");
}
} else {
......
......@@ -12,8 +12,15 @@
<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
</fieldset>
<fieldset>
<p><label class="confirmation"><input type="checkbox" name="confirm" value="1" />
<?= __("Confirm deletion") ?></label></p>
<p>
<label for="id_passwd"><?= __("Password") ?>:</label>
<input type="password" size="30" name="passwd" id="id_passwd" value="" />
</p>
<p>
<label class="confirmation"><input type="checkbox" name="confirm" value="1" />
<?= __("Confirm deletion") ?></label>
</p>
<p>
<input type="submit" class="button" value="<?= __("Delete") ?>" />
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment