From patchwork Thu Jan 30 13:05:07 2020 X-Patchwork-Submitter: Lukas Fleischer X-Patchwork-Id: 1478
From: Lukas Fleischer To: aur-dev@archlinux.org Subject: [PATCH] Require password when changing account information Date: Thu, 30 Jan 2020 14:05:07 +0100 Message-Id: <20200130130507.32002-1-lfleischer@archlinux.org> X-Mailer: git-send-email 2.25.0 MIME-Version: 1.0 X-BeenThere: aur-dev@archlinux.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Arch User Repository \(AUR\) Development" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: aur-dev-bounces@archlinux.org Sender: "aur-dev" Since commits daee20c (Require current password when setting a new one, 2020-01-30) and 8fc8898 (Require password when deleting an account, 2020-01-30), changing a password and deleting an account require the current password. Extend this to all other profile changes. Signed-off-by: Lukas Fleischer --- web/html/account.php | 5 +++-- web/html/register.php | 4 ++-- web/lib/acctfuncs.inc.php | 19 +++++++------------ web/template/account_edit_form.php | 17 +++++++++-------- 4 files changed, 21 insertions(+), 24 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index 03af8d4..ff9aba5 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -34,7 +34,6 @@ if ($action == "UpdateAccount") { in_request("S"), in_request("E"), in_request("H"), - in_request("PO"), in_request("P"), in_request("C"), in_request("R"), @@ -49,7 +48,9 @@ if ($action == "UpdateAccount") { in_request("UN"), in_request("ON"), in_request("ID"), - $row["Username"]); + $row["Username"], + in_request("passwd") + ); } } diff --git a/web/html/register.php b/web/html/register.php index 8174e34..610befc 100644 --- a/web/html/register.php +++ b/web/html/register.php @@ -26,7 +26,6 @@ if (in_request("Action") == "NewAccount") { in_request("H"), '', '', - '', in_request("R"), in_request("L"), in_request("TZ"), @@ -40,6 +39,7 @@ if (in_request("Action") == "NewAccount") { in_request("ON"), 0, "", + '', in_request("captcha_salt"), in_request("captcha"), ); 
@@ -55,7 +55,6 @@ if (in_request("Action") == "NewAccount") { in_request("H"), '', '', - '', in_request("R"), in_request("L"), in_request("TZ"), @@ -69,6 +68,7 @@ if (in_request("Action") == "NewAccount") { in_request("ON"), 0, "", + '', in_request("captcha_salt"), in_request("captcha") ); diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index d2144c2..345d27a 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -96,7 +96,6 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" * @param string $S Whether or not the account is suspended * @param string $E The e-mail address for the user * @param string $H Whether or not the e-mail address should be hidden - * @param string $PO The old password of the user * @param string $P The password for the user * @param string $C The confirmed password for the user * @param string $R The real name of the user @@ -112,13 +111,14 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" * @param string $ON Whether to notify of ownership changes * @param string $UID The user ID of the modified account * @param string $N The username as present in the database + * @param string $passwd The password of the logged in user. * @param string $captcha_salt The salt used for the CAPTCHA. * @param string $captcha The CAPTCHA answer. * * @return array Boolean indicating success and message to be printed */ -function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="",$C="", - $R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$captcha_salt="",$captcha="") { +function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="", + $R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$passwd="",$captcha_salt="",$captcha="") { global $SUPPORTED_LANGS; $error = ''; 
@@ -133,10 +133,11 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" $dbh = DB::connect(); - if(isset($_COOKIE['AURSID'])) { + if (isset($_COOKIE['AURSID'])) { $uid_session = uid_from_sid($_COOKIE['AURSID']); - } else { - $uid_session = null; + if (!$error && check_passwd($uid_session, $passwd) != 1) { + $error = __("Invalid password."); + } } if (empty($E) || empty($U)) { @@ -162,15 +163,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" if (!$error && $P && !$C) { $error = __("Please confirm your new password."); } - if (!$error && $P && !$PO) { - $error = __("Please enter your old password in order to set a new one."); - } if (!$error && $P && $P != $C) { $error = __("Password fields do not match."); } - if (!$error && $P && check_passwd($uid_session, $PO) != 1) { - $error = __("The old password is invalid."); - } if (!$error && $P != '' && !good_passwd($P)) { $length_min = config_get_int('options', 'passwd_min_len'); $error = __("Your password must be at least %s characters.", diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 7bd233a..09d65c0 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -140,12 +140,7 @@
- -

- - -

- +

@@ -182,16 +177,22 @@

-
+ + +

+ + +

+

()

-
+
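Review bot: In the web/html/account.php hunk at @@ -49, the new argument `in_request("passwd")` is the only form field read under a full-word name; every other field in this call uses the single-letter convention ("P", "C", "PO" before this patch). Either keep the convention or add a short comment at the call site explaining that `passwd` is the submitter's own password rather than the account being edited, since for a Trusted User editing someone else's profile the two differ.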
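Review bot: In both web/html/register.php hunks (@@ -40 and @@ -69) the new-account path now passes `''` for `$passwd`, while the check added in acctfuncs.inc.php runs whenever an AURSID cookie is present, without looking at `$TYPE`. A logged-in user who submits the registration form will therefore be rejected with "Invalid password." instead of whatever message the new-account path intends. Gate the check on the form type (`$TYPE`) or skip it when `$passwd` is the empty string passed here. The two call sites also carry identical 26-argument lists that this patch edits twice in the same way; factoring them into one helper would have halved this change.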
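Review bot: In the web/lib/acctfuncs.inc.php hunk at @@ -112, the new doc line `* @param string $passwd The password of the logged in user.` should say "logged-in user" and should state that the value is required for every submission made with a session, including edits of another account by a privileged user; as written a reader may assume it is only needed when changing one's own password. The trailing period also differs from the surrounding `@param` lines, which have none.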
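Review bot: In the web/lib/acctfuncs.inc.php hunk at @@ -133, dropping the `} else { $uid_session = null; }` branch leaves `$uid_session` unset when no AURSID cookie is present; the old code initialised it for a reason, so if it is referenced further down the function (for example to compare the session user with `$UID`), that path now reads an undefined variable. Initialise `$uid_session = null;` before the `if`, or keep the `else` branch. Separately, running `check_passwd()` before the cheap `empty($E) || empty($U)` checks means a password hash comparison is performed on every submission, even ones that are rejected for missing fields a few lines later; moving the check after those validations is cheaper and keeps the error ordering consistent with the rest of the function.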
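Review bot: In the web/lib/acctfuncs.inc.php hunk at @@ -162, removing the `if (!$error && $P && !$PO)` block also removes the only message that distinguished a blank password field from a wrong one; with this patch an empty `passwd` field falls through to `check_passwd()` and the user sees "Invalid password." for what is really a missing input. Keep an explicit `if (!$error && !$passwd)` check with a "Please enter your password" style message ahead of the hash comparison, which also avoids calling `check_passwd()` with an empty string.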