add session token check to password change

darcs-hash:20080829014515-84dde-bce51f66ba0b3b4347a55a70b2b266b72c242304.gz
This commit is contained in:
Evan Prodromou 2008-08-28 21:45:15 -04:00
parent cf3902d8ac
commit ff566a149d

View File

@ -30,10 +30,12 @@ class PasswordAction extends SettingsAction {
function show_form($msg=NULL, $success=false) { function show_form($msg=NULL, $success=false) {
$user = common_current_user(); $user = common_current_user();
$this->form_header(_('Change password'), $msg, $success); $this->form_header(_('Change password'), $msg, $success);
$token = common_session_token();
common_element_start('form', array('method' => 'post', common_element_start('form', array('method' => 'post',
'id' => 'password', 'id' => 'password',
'action' => 'action' =>
common_local_url('password'))); common_local_url('password')));
common_hidden('token', $token);
# Users who logged in with OpenID won't have a pwd # Users who logged in with OpenID won't have a pwd
if ($user->password) { if ($user->password) {
common_password('oldpassword', _('Old password')); common_password('oldpassword', _('Old password'));
@ -56,8 +58,11 @@ class PasswordAction extends SettingsAction {
$newpassword = $this->arg('newpassword'); $newpassword = $this->arg('newpassword');
$confirm = $this->arg('confirm'); $confirm = $this->arg('confirm');
$token = $this->arg('token');
if (0 != strcmp($newpassword, $confirm)) {
if (!$token || $token != common_session_token()) {
$this->show_form(_('There was a problem with your session token. Try again, please.'));
} else if (0 != strcmp($newpassword, $confirm)) {
$this->show_form(_('Passwords don\'t match.')); $this->show_form(_('Passwords don\'t match.'));
return; return;
} }