check password when changing users email

2013-04-14 17:58:16 +02:00 · 2013-04-14 17:58:16 +02:00 · 4dd406055c
parent 5827db0ea3
commit 4dd406055c
1 changed files with 13 additions and 2 deletions
--- a/mod/settings.php
+++ b/mod/settings.php
@ -314,6 +314,8 @@ function settings_post(&$a) {
 			$err = true;
                }

+                //  check if the old password was supplied correctly before 
+                //  changing it to the new value
                $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
                if( $oldpass != $r[0]['password'] ) {
                    notice( t('Wrong password.') . EOL);
@ -401,8 +403,17 @@ function settings_post(&$a) {

 	if($email != $a->user['email']) {
 		$email_changed = true;
-        if(! valid_email($email))
-			$err .= t(' Not valid email.');
+                //  check for the correct password
+                $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
+                $password = hash('whirlpool', $_POST['password']);
+                if ($password != $r[0]['password']) {
+                    $err .= t('Wrong Password') . EOL;
+                    $email = $a->user['email'];
+                }
+                //  check the email is valid
+                if(! valid_email($email))
+                    $err .= t(' Not valid email.');
+                //  ensure new email is not the admin mail
 		if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0)) {
 			$err .= t(' Cannot change to that email.');
 			$email = $a->user['email'];