
user: Fix admin change password on arbitrary users.

commit ac74f619a9ac4a90c704aec44078c0705beb354f 1 parent 2d94c4d
@sjuxax authored
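--- a/raggregate/templates/base/user_info.mak
+++ b/raggregate/templates/base/user_info.mak
@@ -21,7 +21,7 @@
 <br />
 <div id="change_pass_form">
 <b>Change Password for ${u.display_name()}</b>
- <form action="${request.route_url('login', _query=[('act', 'update_pw')])}" method="POST">
+ <form action="${request.route_url('login', _query=[('act', 'update_pw'), ('user_id', u.id)])}" method="POST">
 <ul class="form-list">
 <li>
 <label class="form-label" for="old-password">Old Password</label>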
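Review bot: The target account id now travels in the form's action URL as a query parameter while the credentials go in the POST body, so the id ends up in access logs and Referer headers and is handled differently from every other field of the same request. Provided the view reads `prm` from POST parameters as well (not visible here), a hidden field inside the form, `<input type="hidden" name="user_id" value="${u.id}" />`, keeps it with the rest of the submission. Because the server side of this commit lets an admin set any user's password without knowing the old one, confirm that this form carries a CSRF token; none is visible in the lines shown, and the form continues past the end of the hunk.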
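--- a/raggregate/views/user.py
+++ b/raggregate/views/user.py
@@ -101,8 +101,16 @@ def login(request):
 if p['new_password'] != p['new_password_confirm']:
 s['message'] = 'New password doesn\'t match confirmation, please try again.'
 else:
- u = users.get_user_by_id(s['users.id'])
- if u.verify_pw(p['old_password']):
+ u = None
+
+ if s['logged_in_admin']:
+ if 'user_id' in prm:
+ u = users.get_user_by_id(prm['user_id'])
+
+ if u == None:
+ u = users.get_user_by_id(s['users.id'])
+
+ if u.verify_pw(p['old_password']) or s['logged_in_admin']:
 u.password = u.hash_pw(p['new_password'])
 dbsession.add(u)
 s['message'] = 'Password updated.'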
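Review bot: When `prm['user_id']` names no existing user, the `if u == None:` fallback (whose presence suggests `users.get_user_by_id` can return None) silently retargets the request at the admin's own session account `s['users.id']`, and because the old-password check is skipped for admins, the admin's password is replaced with the value intended for someone else. The admin branch should fail closed on an unknown target rather than fall back to the session user, and the lookup for the session user should stay guarded by `verify_pw` as before; `u == None` should also be `u is None`. Since an admin can now change another account's password without its old one, consider logging the admin id and the target `u.id` at the update site so the action leaves an audit trail. `prm` is bound, and `login` begins and ends, outside this hunk.
```python
else:
    u = None
    if s['logged_in_admin'] and 'user_id' in prm:
        u = users.get_user_by_id(prm['user_id'])
        if u is None:
            # fail closed: an unknown target must never fall back to the admin's own account
            s['message'] = 'No such user.'
    else:
        u = users.get_user_by_id(s['users.id'])

    if u is not None and (u.verify_pw(p['old_password']) or s['logged_in_admin']):
        # … unchanged: hash_pw, dbsession.add, 'Password updated.' …
```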