From 1fb249be351147a50ebc151371a42070f580dac6 Mon Sep 17 00:00:00 2001
From: UnKnoWn
Date: Wed, 17 May 2017 05:10:25 +0800
Subject: [PATCH] Enforce password check on email change

Updated route handler to enforce current password check on all account details.
---
 nyaa/routes.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nyaa/routes.py b/nyaa/routes.py
index dbf8123..30b3135 100644
--- a/nyaa/routes.py
+++ b/nyaa/routes.py
@@ -403,6 +403,11 @@ def profile():
 new_password = form.new_password.data
 if new_email:
+ # enforce password check on email change too
+ if form.current_password.data != user.password_hash:
+ flask.flash(flask.Markup(
+ 'Email change failed! Incorrect password.'), 'danger')
+ return flask.redirect('/profile')
 user.email = form.email.data
 if new_password:
@@ -624,4 +629,4 @@ def site_help():
 @app.route('/api/upload', methods = ['POST'])
 def api_upload():
 api_response = api_handler.api_upload(flask.request)
- return api_response
\ No newline at end of file
+ return api_response
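Review bot: The added check `form.current_password.data != user.password_hash` in the `if new_email:` branch is only correct if `user.password_hash` is an object whose comparison operators verify a plaintext candidate against the stored hash, and that type is not visible in this hunk. If it is a plain string column, the branch would reject every correct password and treat the stored hash value itself as the credential, so a leaked hash alone would be enough to change the account e-mail. Either call the model's explicit verification routine here, or state the reliance in the comment, e.g. `# password_hash compares by hash verification, not string equality`. The commit message says the check now covers all account details, but `profile()` starts and continues outside the hunk, so the guard on the `if new_password:` branch cannot be confirmed from here.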