Enforce password check on email change

Updated route handler to enforce current password check on all account details.
2024-12-22 14:40:00 +00:00 · 2017-05-17 05:10:25 +08:00 · 2017-05-17 05:10:25 +08:00 · 1fb249be35
parent eedc6c170d
commit 1fb249be35
1 changed files with 6 additions and 1 deletions
--- a/nyaa/routes.py
+++ b/nyaa/routes.py
@ -403,6 +403,11 @@ def profile():
        new_password = form.new_password.data

        if new_email:
+            # enforce password check on email change too
+            if form.current_password.data != user.password_hash:
+                flask.flash(flask.Markup(
+                    '<strong>Email change failed!</strong> Incorrect password.'), 'danger')
+                return flask.redirect('/profile')
            user.email = form.email.data

        if new_password: