Require password when changing account information

Since commits daee20c (Require current password when setting a new one,
2020-01-30) and 8fc8898 (Require password when deleting an account,
2020-01-30), changing a password and deleting an account require the
current password. Extend this to all other profile changes.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

web/html/account.php

@@ -34,7 +34,6 @@ if ($action == "UpdateAccount") {
 			in_request("S"),
 			in_request("E"),
 			in_request("H"),
-			in_request("PO"),
 			in_request("P"),
 			in_request("C"),
 			in_request("R"),
@@ -49,7 +48,9 @@ if ($action == "UpdateAccount") {
 			in_request("UN"),
 			in_request("ON"),
 			in_request("ID"),
-			$row["Username"]);
+			$row["Username"],
+			in_request("passwd")
+		);
 	}
 }
 

web/html/register.php

@@ -26,7 +26,6 @@ if (in_request("Action") == "NewAccount") {
 		in_request("H"),
 		'',
 		'',
-		'',
 		in_request("R"),
 		in_request("L"),
 		in_request("TZ"),
@@ -40,6 +39,7 @@ if (in_request("Action") == "NewAccount") {
 		in_request("ON"),
 		0,
 		"",
+		'',
 		in_request("captcha_salt"),
 		in_request("captcha"),
 	);
@@ -55,7 +55,6 @@ if (in_request("Action") == "NewAccount") {
 			in_request("H"),
 			'',
 			'',
-			'',
 			in_request("R"),
 			in_request("L"),
 			in_request("TZ"),
@@ -69,6 +68,7 @@ if (in_request("Action") == "NewAccount") {
 			in_request("ON"),
 			0,
 			"",
+			'',
 			in_request("captcha_salt"),
 			in_request("captcha")
 		);

web/lib/acctfuncs.inc.php

@@ -96,7 +96,6 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R=""
  * @param string $S Whether or not the account is suspended
  * @param string $E The e-mail address for the user
  * @param string $H Whether or not the e-mail address should be hidden
- * @param string $PO The old password of the user
  * @param string $P The password for the user
  * @param string $C The confirmed password for the user
  * @param string $R The real name of the user
@@ -112,13 +111,14 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R=""
  * @param string $ON Whether to notify of ownership changes
  * @param string $UID The user ID of the modified account
  * @param string $N The username as present in the database
+ * @param string $passwd The password of the logged in user.
  * @param string $captcha_salt The salt used for the CAPTCHA.
  * @param string $captcha The CAPTCHA answer.
  *
  * @return array Boolean indicating success and message to be printed
  */
-function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="",$C="",
+function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",
-		$R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$captcha_salt="",$captcha="") {
+		$R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$passwd="",$captcha_salt="",$captcha="") {
 	global $SUPPORTED_LANGS;
 
 	$error = '';
@@ -133,10 +133,11 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="
 
 	$dbh = DB::connect();
 
-	if(isset($_COOKIE['AURSID'])) {
+	if (isset($_COOKIE['AURSID'])) {
 		$uid_session = uid_from_sid($_COOKIE['AURSID']);
-	} else {
+		if (!$error && check_passwd($uid_session, $passwd) != 1) {
-		$uid_session = null;
+			$error = __("Invalid password.");
+		}
 	}
 
 	if (empty($E) || empty($U)) {
@@ -162,15 +163,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="
 	if (!$error && $P && !$C) {
 		$error = __("Please confirm your new password.");
 	}
-	if (!$error && $P && !$PO) {
-		$error = __("Please enter your old password in order to set a new one.");
-	}
 	if (!$error && $P && $P != $C) {
 		$error = __("Password fields do not match.");
 	}
-	if (!$error && $P && check_passwd($uid_session, $PO) != 1) {
-		$error = __("The old password is invalid.");
-	}
 	if (!$error && $P != '' && !good_passwd($P)) {
 		$length_min = config_get_int('options', 'passwd_min_len');
 		$error = __("Your password must be at least %s characters.",

web/template/account_edit_form.php

@@ -140,12 +140,7 @@
 
 	<?php if ($A == "UpdateAccount"): ?>
 	<fieldset>
-		<legend><?= __("If you want to change the password, enter your current passport, the new password and confirm the new password by entering it again.") ?></legend>
+		<legend><?= __("If you want to change the password, enter a new password and confirm the new password by entering it again.") ?></legend>
-		<p>
-			<label for="id_passwd_old"><?= __("Your current password") ?>:</label>
-			<input type="password" size="30" name="PO" id="id_passwd_old" value="<?= $PO ?>" />
-		</p>
-
 		<p>
 			<label for="id_passwd1"><?= __("Password") ?>:</label>
 			<input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" />
@@ -182,16 +177,22 @@
 		</p>
 	</fieldset>
 
-	<?php if ($A != "UpdateAccount"): ?>
 	<fieldset>
+	<?php if ($A == "UpdateAccount"): ?>
+		<legend><?= __("To confirm the profile changes, please enter your current password:") ?></legend>
+		<p>
+			<label for="id_passwd_current"><?= __("Your current password") ?>:</label>
+			<input type="password" size="30" name="passwd" id="id_passwd_current" value="" />
+		</p>
+	<?php else: ?>
 		<legend><?= __("To protect the AUR against automated account creation, we kindly ask you to provide the output of the following command:") ?> <code><?= htmlspecialchars($captcha_challenge) ?></code></legend>
 		<p>
 			<label for="id_captcha"><?= __("Answer") ?>:</label>
 			<input type="text" size="30" maxlength="6" name="captcha" id="id_captcha" value="<?= htmlspecialchars($captcha, ENT_QUOTES) ?>" /> (<?= __("required") ?>)
 			<input type="hidden" name="captcha_salt" value="<?= htmlspecialchars($captcha_salt) ?>" />
 		</p>
-	</fieldset>
 	<?php endif; ?>
+	</fieldset>
 
 	<fieldset>
 		<p>