[geeklog-cvs] geeklog: The user's current password is no longer available in $...

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Sun May 17 04:30:11 EDT 2009


details:   http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/14e4943af5e4
changeset: 7030:14e4943af5e4
user:      Dirk Haun <dirk at haun-online.de>
date:      Sun May 17 10:28:44 2009 +0200
description:
The user's current password is no longer available in $_USER, so changing the password or deleting an account no longer worked (reported by Tom Homer)

diffstat:

2 files changed, 11 insertions(+), 5 deletions(-)
public_html/docs/history     |    4 +++-
public_html/usersettings.php |   12 ++++++++----

diffs (61 lines):

diff -r 99e5a429c202 -r 14e4943af5e4 public_html/docs/history
--- a/public_html/docs/history	Sun May 17 10:05:01 2009 +0200
+++ b/public_html/docs/history	Sun May 17 10:28:44 2009 +0200
@@ -11,7 +11,9 @@
 + Comment moderation and editable comments, by Jared Wenerd
 
 Other changes:
-- Fixed plugin postinstall from the install script
+- Users couldn't change their password or delete their account (reported by
+  Tom Homer) [Dirk]
+- Fixed plugin postinstall from the install script [Dirk]
 - Made COM_createImage recognize https:// URLs (bug #0000881) [Dirk]
 - Fixed notices in the config class (reported by tgc and others) [Dirk]
 - Fixed empty entries in the "Type" dropdown on the Advanced Search page.
diff -r 99e5a429c202 -r 14e4943af5e4 public_html/usersettings.php
--- a/public_html/usersettings.php	Sun May 17 10:05:01 2009 +0200
+++ b/public_html/usersettings.php	Sun May 17 10:28:44 2009 +0200
@@ -265,8 +265,10 @@
 
     // to change the password, email address, or cookie timeout,
     // we need the user's current password
+    $current_password = DB_getItem($_TABLES['users'], 'passwd',
+                                   "uid = {$_USER['uid']}");
     if (empty($_POST['old_passwd']) ||
-            (SEC_encryptPassword($_POST['old_passwd']) != $_USER['passwd'])) {
+            (SEC_encryptPassword($_POST['old_passwd']) != $current_password)) {
          return COM_refresh($_CONF['site_url']
                             . '/usersettings.php?msg=84');
     }
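Review bot: The old-password check on new line 271 compares two digests with loose `!=`, and PHP compares two numeric-looking strings (for example, `0e` followed only by digits) as numbers, so two different digests can be treated as equal. If SEC_encryptPassword returns a hex digest, which is not visible here, a strict comparison avoids this: `(SEC_encryptPassword($_POST['old_passwd']) !== (string) $current_password)`. The same applies to the comparisons on new lines 900, 999 and 1011 in the later hunks. The enclosing function starts and ends outside this hunk.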
@@ -890,10 +892,12 @@
 
     // to change the password, email address, or cookie timeout,
     // we need the user's current password
+    $current_password = DB_getItem($_TABLES['users'], 'passwd',
+                                   "uid = {$_USER['uid']}");
     if (!empty ($A['passwd']) || ($A['email'] != $_USER['email']) ||
             ($A['cooktime'] != $_USER['cookietimeout'])) {
         if (empty($A['old_passwd']) ||
-                (SEC_encryptPassword($A['old_passwd']) != $_USER['passwd'])) {
+                (SEC_encryptPassword($A['old_passwd']) != $current_password)) {
 
             return COM_refresh ($_CONF['site_url']
                                 . '/usersettings.php?msg=83');
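Review bot: The WHERE fragment on new lines 895-896 interpolates `$_USER['uid']` directly into the SQL string. It is presumably an integer set by the session code, but that is not visible here. An explicit cast makes the query independent of that assumption: `"uid = " . (int) $_USER['uid']`. The first hunk builds the same fragment on new lines 268-269.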
@@ -992,7 +996,7 @@
 
         if (!empty($A['passwd'])) {
             if (($A['passwd'] == $A['passwd_conf']) &&
-                    (SEC_encryptPassword($A['old_passwd']) == $_USER['passwd'])) {
+                    (SEC_encryptPassword($A['old_passwd']) == $current_password)) {
                 $passwd = SEC_encryptPassword($A['passwd']);
                 DB_change($_TABLES['users'], 'passwd', "$passwd",
                           "uid", $_USER['uid']);
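Review bot: The comparison on new line 999 depends on `$current_password`, which is assigned about a hundred lines earlier (line 895) and is not shown in this hunk. A short comment such as `// $current_password was read from the users table before the first old-password check` would make that dependency visible. If both hunks are in the same function and `$A` is not modified in between, the guard at lines 897-900 has already returned for a wrong old password whenever `$A['passwd']` is non-empty. In that case this check and the `elseif` on line 1011 look redundant. The function body starts and ends outside the hunk.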
@@ -1004,7 +1008,7 @@
                 setcookie($_CONF['cookie_password'], $passwd, time() + $cooktime,
                           $_CONF['cookie_path'], $_CONF['cookiedomain'],
                           $_CONF['cookiesecure']);
-            } elseif (SEC_encryptPassword($A['old_passwd']) != $_USER['passwd']) {
+            } elseif (SEC_encryptPassword($A['old_passwd']) != $current_password) {
                 return COM_refresh ($_CONF['site_url']
                                     . '/usersettings.php?msg=68');
             } elseif ($A['passwd'] != $A['passwd_conf']) {
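Review bot: The `setcookie` call at the top of this hunk writes `$passwd` into the `$_CONF['cookie_password']` cookie. If that is the value stored in the users table on lines 1000-1002 of the previous hunk (the lines in between are not shown), the browser holds the same string the database uses to authenticate the account. This predates the commit, but it deserves at least a comment such as `// NOTE: this cookie carries the stored password hash; treat it as a credential`. Passing `true` as the seventh `setcookie` argument (httponly) would also help, and longer term a random per-login token could replace the hash. The `if`/`elseif` chain continues outside the hunk.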


