external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 09:43:03 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Require password when deleting an account

Browse source 
Further reduce the attack surface in case of a stolen session ID.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
This commit is contained in:
Lukas Fleischer 2020-01-30 11:52:32 +01:00
parent 7aa420d24d
commit 8fc8898fef
2 changed files with 22 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

17
web/html/account.php
View file

@ -120,12 +120,21 @@ if (isset($_COOKIE["AURSID"])) {
} elseif ($action == "DeleteAccount") {
/* Details for account being deleted. */
if (can_edit_account($row)) {
$UID = $row['ID'];
$uid_removal = $row['ID'];
$uid_session = uid_from_sid($_COOKIE['AURSID']);
$username = $row['Username'];
if (in_request('confirm') && check_token()) {
user_delete($UID);
header('Location: /');
if (check_passwd($uid_session, $_REQUEST['passwd']) == 1) {
user_delete($uid_removal);
header('Location: /');
} else {
echo "<ul class='errorlist'><li>";
echo __("Invalid password.");
echo "</li></ul>";
include("account_delete.php");
}
} else {
$username = $row['Username'];
include("account_delete.php");
}
} else {