[PATCH] Require password when changing account information
Since commits daee20c (Require current password when setting a new one, 2020-01-30) and 8fc8898 (Require password when deleting an account, 2020-01-30), changing a password and deleting an account require the current password. Extend this to all other profile changes.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 web/html/account.php | 5 +++--
 web/html/register.php | 4 ++--
 web/lib/acctfuncs.inc.php | 19 +++++++------------
 web/template/account_edit_form.php | 17 +++++++++--------
 4 files changed, 21 insertions(+), 24 deletions(-)
diff --git a/web/html/account.php b/web/html/account.php
index 03af8d4..ff9aba5 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -34,7 +34,6 @@ if ($action == "UpdateAccount") {
 in_request("S"),
 in_request("E"),
 in_request("H"),
- in_request("PO"),
 in_request("P"),
 in_request("C"),
 in_request("R"),
@@ -49,7 +48,9 @@ if ($action == "UpdateAccount") {
 in_request("UN"),
 in_request("ON"),
 in_request("ID"),
- $row["Username"]);
+ $row["Username"],
+ in_request("passwd")
+ );
 }
 }
diff --git a/web/html/register.php b/web/html/register.php
index 8174e34..610befc 100644
--- a/web/html/register.php
+++ b/web/html/register.php
@@ -26,7 +26,6 @@ if (in_request("Action") == "NewAccount") {
 in_request("H"),
 '',
 '',
- '',
 in_request("R"),
 in_request("L"),
 in_request("TZ"),
@@ -40,6 +39,7 @@ if (in_request("Action") == "NewAccount") {
 in_request("ON"),
 0,
 "",
+ '',
 in_request("captcha_salt"),
 in_request("captcha"),
 );
@@ -55,7 +55,6 @@ if (in_request("Action") == "NewAccount") {
 in_request("H"),
 '',
 '',
- '',
 in_request("R"),
 in_request("L"),
 in_request("TZ"),
@@ -69,6 +68,7 @@ if (in_request("Action") == "NewAccount") {
 in_request("ON"),
 0,
 "",
+ '',
 in_request("captcha_salt"),
 in_request("captcha")
 );
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index d2144c2..345d27a 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
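Review bot: The new `in_request("passwd")` argument in the process_account_form() call is bound purely by position — it has to land between `$row["Username"]` (`$N`) and the captcha parameters — and nothing at the call site says so, which makes the next parameter reshuffle easy to get wrong silently (register.php has the same shape and now passes a bare `''` in that slot). A short trailing comment would make the slot self-describing, e.g. `in_request("passwd") // current password of the logged-in user, verified in process_account_form()`. The if/else block that contains this call starts before the hunk.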
@@ -96,7 +96,6 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R=""
 * @param string $S Whether or not the account is suspended
 * @param string $E The e-mail address for the user
 * @param string $H Whether or not the e-mail address should be hidden
- * @param string $PO The old password of the user
 * @param string $P The password for the user
 * @param string $C The confirmed password for the user
 * @param string $R The real name of the user
@@ -112,13 +111,14 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R=""
 * @param string $ON Whether to notify of ownership changes
 * @param string $UID The user ID of the modified account
 * @param string $N The username as present in the database
+ * @param string $passwd The password of the logged in user.
 * @param string $captcha_salt The salt used for the CAPTCHA.
 * @param string $captcha The CAPTCHA answer.
 *
 * @return array Boolean indicating success and message to be printed
 */
-function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="",$C="",
- $R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$captcha_salt="",$captcha="") {
+function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",
+ $R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$passwd="",$captcha_salt="",$captcha="") {
 global $SUPPORTED_LANGS;
 $error = '';
@@ -133,10 +133,11 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="
 $dbh = DB::connect();
- if(isset($_COOKIE['AURSID'])) {
+ if (isset($_COOKIE['AURSID'])) {
 $uid_session = uid_from_sid($_COOKIE['AURSID']);
- } else {
- $uid_session = null;
+ if (!$error && check_passwd($uid_session, $passwd) != 1) {
+ $error = __("Invalid password.");
+ }
 }
 if (empty($E) || empty($U)) {
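Review bot: The added `@param string $passwd` line says whose password this is but not when it is enforced; in the following hunk the check runs whenever an `AURSID` cookie is present and no `$TYPE` guard is visible, so a caller that passes `''` (as register.php now does) fails with "Invalid password." if a session exists. The docblock should state that contract so callers do not discover it at runtime, e.g. `@param string $passwd The current password of the logged-in user; verified whenever a session cookie is present, regardless of $TYPE.` The parameter list it documents is positional with more than twenty slots, so naming the slot's neighbours (`$N` before, `$captcha_salt` after) in the same line would also help.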
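Review bot: `$uid_session` is now assigned only inside the `isset($_COOKIE['AURSID'])` branch; the removed `else { $uid_session = null; }` was what kept it defined, so any later read of `$uid_session` in process_account_form (the rest of the function lies outside this hunk) becomes an undefined-variable notice when no session cookie is sent. Restoring the default before the branch, `$uid_session = null;`, keeps that invariant with one line. When the cookie is stale, uid_from_sid() presumably returns a falsy value that is then handed straight to check_passwd(); treating a missing session uid as a failed check is clearer than relying on check_passwd() to reject it, e.g. `if (!$error && (!$uid_session || check_passwd($uid_session, $passwd) != 1)) {`. The `!= 1` comparison is loose; if check_passwd() returns an int, `!== 1` states the intent.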
@@ -162,15 +163,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="
 if (!$error && $P && !$C) {
 $error = __("Please confirm your new password.");
 }
- if (!$error && $P && !$PO) {
- $error = __("Please enter your old password in order to set a new one.");
- }
 if (!$error && $P && $P != $C) {
 $error = __("Password fields do not match.");
 }
- if (!$error && $P && check_passwd($uid_session, $PO) != 1) {
- $error = __("The old password is invalid.");
- }
 if (!$error && $P != '' && !good_passwd($P)) {
 $length_min = config_get_int('options', 'passwd_min_len');
 $error = __("Your password must be at least %s characters.",
diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php
index 7bd233a..09d65c0 100644
--- a/web/template/account_edit_form.php
+++ b/web/template/account_edit_form.php
@@ -140,12 +140,7 @@
 <?php if ($A == "UpdateAccount"): ?>
 <fieldset>
- <legend><?= __("If you want to change the password, enter your current passport, the new password and confirm the new password by entering it again.") ?></legend>
- <p>
- <label for="id_passwd_old"><?= __("Your current password") ?>:</label>
- <input type="password" size="30" name="PO" id="id_passwd_old" value="<?= $PO ?>" />
- </p>
-
+ <legend><?= __("If you want to change the password, enter a new password and confirm the new password by entering it again.") ?></legend>
 <p>
 <label for="id_passwd1"><?= __("Password") ?>:</label>
 <input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" />
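Review bot: The new-password input kept in this hunk still writes the submitted value back into the attribute unescaped, `value="<?= $P ?>"`, while the captcha field elsewhere in the same template goes through htmlspecialchars(); a password containing `"` breaks the attribute, and on a failed submission the page re-emits the plaintext password into the HTML. The current-password field added in the next hunk uses `value=""`, which is the safer pattern; applying it here, `<input type="password" size="30" name="P" id="id_passwd1" value="" />`, removes both problems (the confirmation field that likely follows, outside this hunk, would get the same treatment). The enclosing form starts and ends outside the hunk.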
@@ -182,16 +177,22 @@
 </p>
 </fieldset>
- <?php if ($A != "UpdateAccount"): ?>
 <fieldset>
+ <?php if ($A == "UpdateAccount"): ?>
+ <legend><?= __("To confirm the profile changes, please enter your current password:") ?></legend>
+ <p>
+ <label for="id_passwd_current"><?= __("Your current password") ?>:</label>
+ <input type="password" size="30" name="passwd" id="id_passwd_current" value="" />
+ </p>
+ <?php else: ?>
 <legend><?= __("To protect the AUR against automated account creation, we kindly ask you to provide the output of the following command:") ?> <code><?= htmlspecialchars($captcha_challenge) ?></code></legend>
 <p>
 <label for="id_captcha"><?= __("Answer") ?>:</label>
 <input type="text" size="30" maxlength="6" name="captcha" id="id_captcha" value="<?= htmlspecialchars($captcha, ENT_QUOTES) ?>" /> (<?= __("required") ?>)
 <input type="hidden" name="captcha_salt" value="<?= htmlspecialchars($captcha_salt) ?>" />
 </p>
- </fieldset>
 <?php endif; ?>
+ </fieldset>
 <fieldset>
 <p>
-- 
2.25.0
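Review bot: The new current-password input carries no `autocomplete` hint, so browsers and password managers cannot tell it apart from the `P`/`C` new-password fields in the fieldset above and may autofill or offer to save the wrong one; `autocomplete="current-password"` on this input (and `new-password` on the other two, outside this hunk) resolves that: `<input type="password" size="30" name="passwd" id="id_passwd_current" value="" autocomplete="current-password" />`. Unlike the captcha answer in the else-branch, the field is not marked as required in the markup even though the server now rejects an empty value with "Invalid password."; reusing the `(<?= __("required") ?>)` marker keeps the two branches consistent. The legend wording "your current password" is accurate for self-edits, but since check_passwd() is called with the session uid, a privileged user editing someone else's account must enter their own password, and the legend could say so.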