Enforce password check on email change

Updated route handler to enforce current password check on all account details.
6 years ago · 1fb249be35
parent eedc6c170d
commit 1fb249be35
1 changed files with 6 additions and 1 deletions
--- a/nyaa/routes.py
+++ b/nyaa/routes.py
@ -403,6 +403,11 @@ def profile():
        new_password = form.new_password.data

        if new_email:
+            # enforce password check on email change too
+            if form.current_password.data != user.password_hash:
+                flask.flash(flask.Markup(
+                    '<strong>Email change failed!</strong> Incorrect password.'), 'danger')
+                return flask.redirect('/profile')
            user.email = form.email.data

        if new_password:
@ -624,4 +629,4 @@ def site_help():
@app.route('/api/upload', methods = ['POST'])
 def api_upload():
    api_response = api_handler.api_upload(flask.request)
-    return api_response
+    return api_response