From 4dd406055c0f6ff86e96d0a38cee3032057f4d85 Mon Sep 17 00:00:00 2001 From: Tobias Diekershoff Date: Sun, 14 Apr 2013 17:58:16 +0200 Subject: [PATCH] check password when changing users email --- mod/settings.php | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/mod/settings.php b/mod/settings.php index 56526b7e7..3d3688e29 100644 --- a/mod/settings.php +++ b/mod/settings.php @@ -314,6 +314,8 @@ function settings_post(&$a) { $err = true; } + // check if the old password was supplied correctly before + // changing it to the new value $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user())); if( $oldpass != $r[0]['password'] ) { notice( t('Wrong password.') . EOL); @@ -401,8 +403,17 @@ function settings_post(&$a) { if($email != $a->user['email']) { $email_changed = true; - if(! valid_email($email)) - $err .= t(' Not valid email.'); + // check for the correct password + $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user())); + $password = hash('whirlpool', $_POST['password']); + if ($password != $r[0]['password']) { + $err .= t('Wrong Password') . EOL; + $email = $a->user['email']; + } + // check the email is valid + if(! valid_email($email)) + $err .= t(' Not valid email.'); + // ensure new email is not the admin mail if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0)) { $err .= t(' Cannot change to that email.'); $email = $a->user['email'];