Prevent admin locking themselves out when resetting own password
Prior to this, when an admin attempted to reset their own password from
manage_user_edit_page.php (with $g_send_reset_password = ON), they were
no longer able to log in because the sent confirmation hash was not valid
anymore since the last_visit timestamp used to generate it is updated by
every successful loading of the page (footer).

This commit prevents such behavior by hiding the "Reset Password" button
for the current user in the manage user page. One's own password should
be changed in account_page.php (My Account).

Fixes #14260
dregad committed Jun 6, 2012
1 parent 1d75494 commit 0777b3b
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion manage_user_edit_page.php
Expand Up @@ -180,7 +180,8 @@

<!-- RESET AND DELETE -->
<?php
$t_reset = helper_call_custom_function( 'auth_can_change_password', array() );
$t_reset = $t_user['id'] != auth_get_current_user_id()
&& helper_call_custom_function( 'auth_can_change_password', array() );
$t_unlock = OFF != config_get( 'max_failed_login_count' ) && $t_user['failed_login_count'] > 0;
$t_delete = !( ( user_is_administrator( $t_user_id ) && ( user_count_level( config_get_global( 'admin_site_threshold' ) ) <= 1 ) ) );
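
Review bot: The new `$t_user['id'] != auth_get_current_user_id()` condition on `$t_reset` only controls whether the button is rendered on this page. This commit changes one file, and nothing in it makes the code that performs the reset refuse the current user's own id, so a stale form or a direct request could still lead to the lockout the commit message describes. I would enforce the same check where the reset is actually carried out and keep this one as the UI hint. Two smaller points on the same line: the `$t_delete` expression just below uses `$t_user_id` while this one uses `$t_user['id']`, so picking one keeps the block consistent, and the loose `!=` relies on PHP type juggling between the two ids, where an explicit integer comparison would be clearer. A short comment above `$t_reset` saying that one's own password is changed in account_page.php would also help the next reader understand why the button is hidden.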
