Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: improper targetUid check during password change

Browse Source
This commit is contained in:
Julian Lam
2020-08-12 13:23:58 -04:00
parent 28970b030d
commit c2477d9d5f
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/user/profile.js
View File

@@ -280,13 +280,18 @@ module.exports = function (User) {
} }
let isAdminOrPasswordMatch = false; let isAdminOrPasswordMatch = false;
const isSelf = parseInt(uid, 10) === parseInt(data.uid, 10); const isSelf = parseInt(uid, 10) === parseInt(data.uid, 10);
if (!isAdmin && !isSelf) {
throw new Error('[[user:change_password_error_privileges]]');
}
if ( if (
(isAdmin && !isSelf) || // Admins ok (isAdmin && !isSelf) || // Admins ok
(!hasPassword && isSelf) // Initial password set ok (!hasPassword && isSelf) // Initial password set ok
) { ) {
isAdminOrPasswordMatch = true; isAdminOrPasswordMatch = true;
} else { } else {
isAdminOrPasswordMatch = await User.isPasswordCorrect(uid, data.currentPassword, data.ip); isAdminOrPasswordMatch = await User.isPasswordCorrect(data.uid, data.currentPassword, data.ip);
} }
if (!isAdminOrPasswordMatch) { if (!isAdminOrPasswordMatch) {