From 5827db0ea327827657620b5b668b0741ca0e77bf Mon Sep 17 00:00:00 2001
From: Tobias Diekershoff
Date: Sun, 14 Apr 2013 17:22:42 +0200
Subject: [PATCH 1/3] check current password before changing the password
---
 mod/settings.php | 13 +++++++++++--
 view/settings.tpl | 2 ++
 view/smarty3/settings.tpl | 2 ++
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/mod/settings.php b/mod/settings.php
index 38bfedbb1..56526b7e7 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -300,7 +300,8 @@ function settings_post(&$a) {
 if((x($_POST,'npassword')) || (x($_POST,'confirm'))) {
 $newpass = $_POST['npassword'];
- $confirm = $_POST['confirm'];
+ $confirm = $_POST['confirm'];
+ $oldpass = hash('whirlpool', $_POST['opassword']);
 $err = false;
 if($newpass != $confirm ) {
@@ -311,7 +312,13 @@ function settings_post(&$a) {
 if((! x($newpass)) || (! x($confirm))) {
 notice( t('Empty passwords are not allowed. Password unchanged.') . EOL);
 $err = true;
- }
+ }
+
+ $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
+ if( $oldpass != $r[0]['password'] ) {
+ notice( t('Wrong password.') . EOL);
+ $err = true;
+ }
 if(! $err) {
 $password = hash('whirlpool',$newpass);
@@ -1045,6 +1052,8 @@ function settings_content(&$a) {
 '$h_pass' => t('Password Settings'),
 '$password1'=> array('npassword', t('New Password:'), '', ''),
 '$password2'=> array('confirm', t('Confirm:'), '', t('Leave password fields blank unless changing')),
+ '$password3'=> array('opassword', t('Current Password:'), '', t('Your current password to confirm the changes')),
+ '$password4'=> array('password', t('Password:'), '', t('Your current password to confirm the changes')),
 '$oid_enable' => (! get_config('system','no_openid')),
 '$openid' => $openid_field,
diff --git a/view/settings.tpl b/view/settings.tpl
index bebd0c12a..569ebcf10 100644
--- a/view/settings.tpl
+++ b/view/settings.tpl
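Review bot: The new current-password check compares the submitted whirlpool digest to the stored one with `!=`, a loose and non-constant-time comparison, and it never verifies that `opassword` was actually posted or that the query returned a row — an absent field becomes `hash('whirlpool', null)`, the digest of the empty string, and an empty `$r` produces an undefined-offset notice instead of a refusal. Fail closed using the project's `x()` helper the hunk already applies to `npassword`: `if((! x($_POST,'opassword')) || (! count($r)) || ($oldpass !== $r[0]['password'])) {`, and switch to `hash_equals()` in place of `!==` once the codebase requires a PHP version that provides it. The unsalted whirlpool storage this compares against predates the commit and is outside its scope. The enclosing `if((x($_POST,'npassword')) ...)` block and settings_post both continue outside the hunk.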
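Review bot: The two added fields carry identical help text, yet `$password4` is labelled only `Password:` and is rendered in the account section far from the password block, so a user editing their email gets no cue that this field gates that change; a generically named `password` input is also the one a browser is most likely to autofill with the saved login password, which would silently satisfy or fail the check. Suggest `'$password4'=> array('password', t('Current Password:'), '', t('Required only when changing your email address')),` and, if the field helper supports it, rendering that input with autocomplete disabled. The `'password'` field name is read back by settings_post, so a rename would have to be made there as well. The array literal in settings_content continues outside the hunk.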
@@ -9,6 +9,7 @@ $nickname_block
 {{inc field_password.tpl with $field=$password1 }}{{endinc}}
 {{inc field_password.tpl with $field=$password2 }}{{endinc}}
+{{inc field_password.tpl with $field=$password3 }}{{endinc}}
 {{ if $oid_enable }}
 {{inc field_input.tpl with $field=$openid }}{{endinc}}
@@ -23,6 +24,7 @@ $nickname_block
 {{inc field_input.tpl with $field=$username }}{{endinc}}
 {{inc field_input.tpl with $field=$email }}{{endinc}}
+{{inc field_password.tpl with $field=$password4 }}{{endinc}}
 {{inc field_custom.tpl with $field=$timezone }}{{endinc}}
 {{inc field_input.tpl with $field=$defloc }}{{endinc}}
 {{inc field_checkbox.tpl with $field=$allowloc }}{{endinc}}
diff --git a/view/smarty3/settings.tpl b/view/smarty3/settings.tpl
index b79b26b79..2ab4bd466 100644
--- a/view/smarty3/settings.tpl
+++ b/view/smarty3/settings.tpl
@@ -14,6 +14,7 @@
 {{include file="field_password.tpl" field=$password1}}
 {{include file="field_password.tpl" field=$password2}}
+{{include file="field_password.tpl" field=$password3}}
 {{if $oid_enable}}
 {{include file="field_input.tpl" field=$openid}}
@@ -28,6 +29,7 @@
 {{include file="field_input.tpl" field=$username}}
 {{include file="field_input.tpl" field=$email}}
+{{include file="field_password.tpl" field=$password4}}
 {{include file="field_custom.tpl" field=$timezone}}
 {{include file="field_input.tpl" field=$defloc}}
 {{include file="field_checkbox.tpl" field=$allowloc}}
From 4dd406055c0f6ff86e96d0a38cee3032057f4d85 Mon Sep 17 00:00:00 2001
From: Tobias Diekershoff
Date: Sun, 14 Apr 2013 17:58:16 +0200
Subject: [PATCH 2/3] check password when changing users email
---
 mod/settings.php | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/mod/settings.php b/mod/settings.php
index 56526b7e7..3d3688e29 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -314,6 +314,8 @@ function settings_post(&$a) {
 $err = true;
 }
+ // check if the old password was supplied correctly before
+ // changing it to the new value
 $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
 if( $oldpass != $r[0]['password'] ) {
 notice( t('Wrong password.') . EOL);
@@ -401,8 +403,17 @@ function settings_post(&$a) {
 if($email != $a->user['email']) {
 $email_changed = true;
- if(! valid_email($email))
- $err .= t(' Not valid email.');
+ // check for the correct password
+ $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
+ $password = hash('whirlpool', $_POST['password']);
+ if ($password != $r[0]['password']) {
+ $err .= t('Wrong Password') . EOL;
+ $email = $a->user['email'];
+ }
+ // check the email is valid
+ if(! valid_email($email))
+ $err .= t(' Not valid email.');
+ // ensure new email is not the admin mail
 if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0)) {
 $err .= t(' Cannot change to that email.');
 $email = $a->user['email'];
From b6d1a1f125e44fe6af1c8eff7635e6d509abe262 Mon Sep 17 00:00:00 2001
From: Tobias Diekershoff
Date: Sun, 14 Apr 2013 18:19:01 +0200
Subject: [PATCH 3/3] tabwidth
---
 mod/settings.php | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/mod/settings.php b/mod/settings.php
index 3d3688e29..ca688d1a9 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -300,8 +300,8 @@ function settings_post(&$a) {
 if((x($_POST,'npassword')) || (x($_POST,'confirm'))) {
 $newpass = $_POST['npassword'];
- $confirm = $_POST['confirm'];
- $oldpass = hash('whirlpool', $_POST['opassword']);
+ $confirm = $_POST['confirm'];
+ $oldpass = hash('whirlpool', $_POST['opassword']);
 $err = false;
 if($newpass != $confirm ) {
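Review bot: In the email hunk `$email_changed = true` is set before the new password check and is never cleared when that check fails, so the wrong-password branch restores `$email` to the stored value but leaves the flag asserting a change — whatever later consumes `$email_changed` (outside the hunk) cannot distinguish the two cases. The check also repeats the loose `!=` digest comparison, reads `$_POST['password']` without confirming it was posted, does not verify `$r` holds a row, and assigns `$password`, the same local the password-change branch earlier in settings_post uses for the new hash, which invites confusion even if nothing downstream reads it. Whether a non-empty `$err` actually blocks the update is not visible here, though the pre-existing `valid_email` error relies on the same pattern. Set the flag only once the password has been verified and compare strictly, as below; the rest of the email block is unchanged.
```php
	if($email != $a->user['email']) {
		// the address only counts as changed once the current password has been verified
		$r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
		if((! x($_POST,'password')) || (! count($r)) || (hash('whirlpool', $_POST['password']) !== $r[0]['password'])) {
			$err .= t('Wrong Password') . EOL;
			$email = $a->user['email'];
		}
		else
			$email_changed = true;
		// … unchanged: valid_email and admin_email checks …
```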
@@ -312,15 +312,15 @@ function settings_post(&$a) {
 if((! x($newpass)) || (! x($confirm))) {
 notice( t('Empty passwords are not allowed. Password unchanged.') . EOL);
 $err = true;
- }
- // check if the old password was supplied correctly before
- // changing it to the new value
- $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
- if( $oldpass != $r[0]['password'] ) {
- notice( t('Wrong password.') . EOL);
- $err = true;
- }
+ }
+ // check if the old password was supplied correctly before
+ // changing it to the new value
+ $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
+ if( $oldpass != $r[0]['password'] ) {
+ notice( t('Wrong password.') . EOL);
+ $err = true;
+ }
 if(! $err) {
 $password = hash('whirlpool',$newpass);
@@ -403,17 +403,17 @@ function settings_post(&$a) {
 if($email != $a->user['email']) {
 $email_changed = true;
- // check for the correct password
- $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
- $password = hash('whirlpool', $_POST['password']);
- if ($password != $r[0]['password']) {
- $err .= t('Wrong Password') . EOL;
- $email = $a->user['email'];
- }
- // check the email is valid
- if(! valid_email($email))
- $err .= t(' Not valid email.');
- // ensure new email is not the admin mail
+ // check for the correct password
+ $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
+ $password = hash('whirlpool', $_POST['password']);
+ if ($password != $r[0]['password']) {
+ $err .= t('Wrong Password') . EOL;
+ $email = $a->user['email'];
+ }
+ // check the email is valid
+ if(! valid_email($email))
+ $err .= t(' Not valid email.');
+ // ensure new email is not the admin mail
 if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0)) {
 $err .= t(' Cannot change to that email.');
 $email = $a->user['email'];