user: Fix admin change password on arbitrary users.

sjuxax · Jan 25, 2013 · ac74f61 · ac74f61
1 parent 2d94c4d
commit ac74f61
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/raggregate/templates/base/user_info.mak b/raggregate/templates/base/user_info.mak
@@ -21,7 +21,7 @@
     <br />
     <div id="change_pass_form">
         <b>Change Password for ${u.display_name()}</b>
-        <form action="${request.route_url('login', _query=[('act', 'update_pw')])}" method="POST">
+        <form action="${request.route_url('login', _query=[('act', 'update_pw'), ('user_id', u.id)])}" method="POST">
             <ul class="form-list">
                 <li>
                     <label class="form-label" for="old-password">Old Password</label>

diff --git a/raggregate/views/user.py b/raggregate/views/user.py
@@ -101,8 +101,16 @@ def login(request):
                 if p['new_password'] != p['new_password_confirm']:
                     s['message'] = 'New password doesn\'t match confirmation, please try again.'
                 else:
-                    u = users.get_user_by_id(s['users.id'])
-                    if u.verify_pw(p['old_password']):
+                    u = None
+
+                    if s['logged_in_admin']:
+                        if 'user_id' in prm:
+                            u = users.get_user_by_id(prm['user_id'])
+
+                    if u == None:
+                        u = users.get_user_by_id(s['users.id'])
+
+                    if u.verify_pw(p['old_password']) or s['logged_in_admin']:
                         u.password = u.hash_pw(p['new_password'])
                         dbsession.add(u)
                         s['message'] = 'Password updated.'