Commit def2787b authored by Lukas Fleischer's avatar Lukas Fleischer
Browse files

Require password when changing account information

Since commits daee20c6 (Require current password when setting a new one,
2020-01-30) and 8fc8898f

 (Require password when deleting an account,
2020-01-30), changing a password and deleting an account require the
current password. Extend this to all other profile changes.

Signed-off-by: Lukas Fleischer's avatarLukas Fleischer <lfleischer@archlinux.org>
parent 8fc8898f
...@@ -34,7 +34,6 @@ if ($action == "UpdateAccount") { ...@@ -34,7 +34,6 @@ if ($action == "UpdateAccount") {
in_request("S"), in_request("S"),
in_request("E"), in_request("E"),
in_request("H"), in_request("H"),
in_request("PO"),
in_request("P"), in_request("P"),
in_request("C"), in_request("C"),
in_request("R"), in_request("R"),
...@@ -49,7 +48,9 @@ if ($action == "UpdateAccount") { ...@@ -49,7 +48,9 @@ if ($action == "UpdateAccount") {
in_request("UN"), in_request("UN"),
in_request("ON"), in_request("ON"),
in_request("ID"), in_request("ID"),
$row["Username"]); $row["Username"],
in_request("passwd")
);
} }
} }
......
...@@ -26,7 +26,6 @@ if (in_request("Action") == "NewAccount") { ...@@ -26,7 +26,6 @@ if (in_request("Action") == "NewAccount") {
in_request("H"), in_request("H"),
'', '',
'', '',
'',
in_request("R"), in_request("R"),
in_request("L"), in_request("L"),
in_request("TZ"), in_request("TZ"),
...@@ -40,6 +39,7 @@ if (in_request("Action") == "NewAccount") { ...@@ -40,6 +39,7 @@ if (in_request("Action") == "NewAccount") {
in_request("ON"), in_request("ON"),
0, 0,
"", "",
'',
in_request("captcha_salt"), in_request("captcha_salt"),
in_request("captcha"), in_request("captcha"),
); );
...@@ -55,7 +55,6 @@ if (in_request("Action") == "NewAccount") { ...@@ -55,7 +55,6 @@ if (in_request("Action") == "NewAccount") {
in_request("H"), in_request("H"),
'', '',
'', '',
'',
in_request("R"), in_request("R"),
in_request("L"), in_request("L"),
in_request("TZ"), in_request("TZ"),
...@@ -69,6 +68,7 @@ if (in_request("Action") == "NewAccount") { ...@@ -69,6 +68,7 @@ if (in_request("Action") == "NewAccount") {
in_request("ON"), in_request("ON"),
0, 0,
"", "",
'',
in_request("captcha_salt"), in_request("captcha_salt"),
in_request("captcha") in_request("captcha")
); );
......
...@@ -96,7 +96,6 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" ...@@ -96,7 +96,6 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R=""
* @param string $S Whether or not the account is suspended * @param string $S Whether or not the account is suspended
* @param string $E The e-mail address for the user * @param string $E The e-mail address for the user
* @param string $H Whether or not the e-mail address should be hidden * @param string $H Whether or not the e-mail address should be hidden
* @param string $PO The old password of the user
* @param string $P The password for the user * @param string $P The password for the user
* @param string $C The confirmed password for the user * @param string $C The confirmed password for the user
* @param string $R The real name of the user * @param string $R The real name of the user
...@@ -112,13 +111,14 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" ...@@ -112,13 +111,14 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R=""
* @param string $ON Whether to notify of ownership changes * @param string $ON Whether to notify of ownership changes
* @param string $UID The user ID of the modified account * @param string $UID The user ID of the modified account
* @param string $N The username as present in the database * @param string $N The username as present in the database
* @param string $passwd The password of the logged in user.
* @param string $captcha_salt The salt used for the CAPTCHA. * @param string $captcha_salt The salt used for the CAPTCHA.
* @param string $captcha The CAPTCHA answer. * @param string $captcha The CAPTCHA answer.
* *
* @return array Boolean indicating success and message to be printed * @return array Boolean indicating success and message to be printed
*/ */
function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="",$C="", function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",
$R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$captcha_salt="",$captcha="") { $R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$passwd="",$captcha_salt="",$captcha="") {
global $SUPPORTED_LANGS; global $SUPPORTED_LANGS;
$error = ''; $error = '';
...@@ -133,10 +133,11 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" ...@@ -133,10 +133,11 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="
$dbh = DB::connect(); $dbh = DB::connect();
if(isset($_COOKIE['AURSID'])) { if (isset($_COOKIE['AURSID'])) {
$uid_session = uid_from_sid($_COOKIE['AURSID']); $uid_session = uid_from_sid($_COOKIE['AURSID']);
} else { if (!$error && check_passwd($uid_session, $passwd) != 1) {
$uid_session = null; $error = __("Invalid password.");
}
} }
if (empty($E) || empty($U)) { if (empty($E) || empty($U)) {
...@@ -162,15 +163,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" ...@@ -162,15 +163,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="
if (!$error && $P && !$C) { if (!$error && $P && !$C) {
$error = __("Please confirm your new password."); $error = __("Please confirm your new password.");
} }
if (!$error && $P && !$PO) {
$error = __("Please enter your old password in order to set a new one.");
}
if (!$error && $P && $P != $C) { if (!$error && $P && $P != $C) {
$error = __("Password fields do not match."); $error = __("Password fields do not match.");
} }
if (!$error && $P && check_passwd($uid_session, $PO) != 1) {
$error = __("The old password is invalid.");
}
if (!$error && $P != '' && !good_passwd($P)) { if (!$error && $P != '' && !good_passwd($P)) {
$length_min = config_get_int('options', 'passwd_min_len'); $length_min = config_get_int('options', 'passwd_min_len');
$error = __("Your password must be at least %s characters.", $error = __("Your password must be at least %s characters.",
......
...@@ -140,12 +140,7 @@ ...@@ -140,12 +140,7 @@
<?php if ($A == "UpdateAccount"): ?> <?php if ($A == "UpdateAccount"): ?>
<fieldset> <fieldset>
<legend><?= __("If you want to change the password, enter your current passport, the new password and confirm the new password by entering it again.") ?></legend> <legend><?= __("If you want to change the password, enter a new password and confirm the new password by entering it again.") ?></legend>
<p>
<label for="id_passwd_old"><?= __("Your current password") ?>:</label>
<input type="password" size="30" name="PO" id="id_passwd_old" value="<?= $PO ?>" />
</p>
<p> <p>
<label for="id_passwd1"><?= __("Password") ?>:</label> <label for="id_passwd1"><?= __("Password") ?>:</label>
<input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" /> <input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" />
...@@ -182,16 +177,22 @@ ...@@ -182,16 +177,22 @@
</p> </p>
</fieldset> </fieldset>
<?php if ($A != "UpdateAccount"): ?>
<fieldset> <fieldset>
<?php if ($A == "UpdateAccount"): ?>
<legend><?= __("To confirm the profile changes, please enter your current password:") ?></legend>
<p>
<label for="id_passwd_current"><?= __("Your current password") ?>:</label>
<input type="password" size="30" name="passwd" id="id_passwd_current" value="" />
</p>
<?php else: ?>
<legend><?= __("To protect the AUR against automated account creation, we kindly ask you to provide the output of the following command:") ?> <code><?= htmlspecialchars($captcha_challenge) ?></code></legend> <legend><?= __("To protect the AUR against automated account creation, we kindly ask you to provide the output of the following command:") ?> <code><?= htmlspecialchars($captcha_challenge) ?></code></legend>
<p> <p>
<label for="id_captcha"><?= __("Answer") ?>:</label> <label for="id_captcha"><?= __("Answer") ?>:</label>
<input type="text" size="30" maxlength="6" name="captcha" id="id_captcha" value="<?= htmlspecialchars($captcha, ENT_QUOTES) ?>" /> (<?= __("required") ?>) <input type="text" size="30" maxlength="6" name="captcha" id="id_captcha" value="<?= htmlspecialchars($captcha, ENT_QUOTES) ?>" /> (<?= __("required") ?>)
<input type="hidden" name="captcha_salt" value="<?= htmlspecialchars($captcha_salt) ?>" /> <input type="hidden" name="captcha_salt" value="<?= htmlspecialchars($captcha_salt) ?>" />
</p> </p>
</fieldset>
<?php endif; ?> <?php endif; ?>
</fieldset>
<fieldset> <fieldset>
<p> <p>
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment