[geeklog-cvs] geeklog: A remote service user now bypasses current password che...
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Wed Feb 1 10:47:05 EST 2012
changeset 8486:bdff7ced627a
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/bdff7ced627a
user: Tom <websitemaster at cogeco.net>
date: Wed Feb 01 10:45:33 2012 -0500
description:
A remote service user now bypasses current password check when account is deleted. (bug #0001417)
diffstat:
public_html/usersettings.php | 21 ++++++++++++---------
1 files changed, 12 insertions(+), 9 deletions(-)
diffs (32 lines):
diff -r b765e5090111 -r bdff7ced627a public_html/usersettings.php
--- a/public_html/usersettings.php Tue Jan 31 14:47:10 2012 -0500
+++ b/public_html/usersettings.php Wed Feb 01 10:45:33 2012 -0500
@@ -312,16 +312,19 @@
return COM_refresh ($_CONF['site_url'] . '/index.php');
}
- // to change the password, email address, or cookie timeout,
- // we need the user's current password
- $current_password = DB_getItem($_TABLES['users'], 'passwd',
- "uid = {$_USER['uid']}");
- if (empty($_POST['old_passwd']) ||
- (SEC_encryptPassword($_POST['old_passwd']) != $current_password)) {
- return COM_refresh($_CONF['site_url']
- . '/usersettings.php?msg=84');
+ // Do not check current password for remote users. At some point we should reauthenticate with the service when deleting the account
+ if ($_USER['remoteservice'] == '') {
+ // to change the password, email address, or cookie timeout,
+ // we need the user's current password
+ $current_password = DB_getItem($_TABLES['users'], 'passwd',
+ "uid = {$_USER['uid']}");
+ if (empty($_POST['old_passwd']) ||
+ (SEC_encryptPassword($_POST['old_passwd']) != $current_password)) {
+ return COM_refresh($_CONF['site_url']
+ . '/usersettings.php?msg=84');
+ }
}
-
+
$reqid = substr (md5 (uniqid (rand (), 1)), 1, 16);
DB_change ($_TABLES['users'], 'pwrequestid', "$reqid",
'uid', $_USER['uid']);
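Review bot: With the new `if ($_USER['remoteservice'] == '')` guard, a remote-service account reaches the `pwrequestid` generation below with no re-authentication of any kind, so a logged-in session alone is enough to start the account-deletion flow. Until re-authentication with the service exists, this branch should require some other proof of intent, such as a per-session anti-CSRF token check, unless one is already done earlier in the function (it starts and ends outside this hunk, so that cannot be confirmed here). For these users the request id becomes the only secret in the flow, and `md5(uniqid(rand(), 1))` is derived from the clock and a non-cryptographic PRNG, so it would be worth drawing it from a CSPRNG instead. The added comment should also become an actionable marker, e.g. `// TODO: remote users skip the password check; re-authenticate with the remote service before allowing account deletion`.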