fix: #8515, fix login redirect on subfolder

install/package.json

@@ -2,7 +2,7 @@
     "name": "nodebb",
     "license": "GPL-3.0",
     "description": "NodeBB Forum",
-    "version": "1.14.2-beta.1",
+    "version": "1.14.3",
     "homepage": "http://www.nodebb.org",
     "repository": {
         "type": "git",
@@ -89,7 +89,7 @@
         "nodebb-plugin-soundpack-default": "1.0.0",
         "nodebb-plugin-spam-be-gone": "0.7.2",
         "nodebb-rewards-essentials": "0.1.3",
-        "nodebb-theme-lavender": "5.0.11",
+        "nodebb-theme-lavender": "5.1.0",
         "nodebb-theme-persona": "10.1.65",
         "nodebb-theme-slick": "1.2.29",
         "nodebb-theme-vanilla": "11.1.33",

src/controllers/authentication.js

@@ -264,7 +264,9 @@ function continueLogin(req, res, next) {
 			await authenticationController.doLogin(req, userData.uid);
 			var destination;
 			if (req.session.returnTo) {
-				destination = req.session.returnTo;
+				destination = req.session.returnTo.startsWith('http') ?
+					req.session.returnTo :
+					nconf.get('relative_path') + req.session.returnTo;
 				delete req.session.returnTo;
 			} else {
 				destination = nconf.get('relative_path') + '/';

src/user/profile.js

@@ -280,13 +280,18 @@ module.exports = function (User) {
 		}
 		let isAdminOrPasswordMatch = false;
 		const isSelf = parseInt(uid, 10) === parseInt(data.uid, 10);
+
+		if (!isAdmin && !isSelf) {
+			throw new Error('[[user:change_password_error_privileges]]');
+		}
+
 		if (
 			(isAdmin && !isSelf) || // Admins ok
 			(!hasPassword && isSelf)	// Initial password set ok
 		) {
 			isAdminOrPasswordMatch = true;
 		} else {
-			isAdminOrPasswordMatch = await User.isPasswordCorrect(uid, data.currentPassword, data.ip);
+			isAdminOrPasswordMatch = await User.isPasswordCorrect(data.uid, data.currentPassword, data.ip);
 		}
 
 		if (!isAdminOrPasswordMatch) {

test/user.js

@@ -816,6 +816,42 @@ describe('User', function () {
 			});
 		});
 
+		it('should not let user change another user\'s password', async function () {
+			const regularUserUid = await User.create({ username: 'regularuserpwdchange', password: 'regularuser1234' });
+			const uid = await User.create({ username: 'changeadminpwd1', password: '123456' });
+			let err;
+			try {
+				await socketUser.changePassword({ uid: uid }, { uid: regularUserUid, newPassword: '654321', currentPassword: '123456' });
+			} catch (_err) {
+				err = _err;
+			}
+			assert.equal(err.message, '[[user:change_password_error_privileges]]');
+		});
+
+		it('should not let user change admin\'s password', async function () {
+			const adminUid = await User.create({ username: 'adminpwdchange', password: 'admin1234' });
+			await groups.join('administrators', adminUid);
+			const uid = await User.create({ username: 'changeadminpwd2', password: '123456' });
+
+			let err;
+			try {
+				await socketUser.changePassword({ uid: uid }, { uid: adminUid, newPassword: '654321', currentPassword: '123456' });
+			} catch (_err) {
+				err = _err;
+			}
+			assert.equal(err.message, '[[user:change_password_error_privileges]]');
+		});
+
+		it('should let admin change another users password', async function () {
+			const adminUid = await User.create({ username: 'adminpwdchange2', password: 'admin1234' });
+			await groups.join('administrators', adminUid);
+			const uid = await User.create({ username: 'forgotmypassword', password: '123456' });
+
+			await socketUser.changePassword({ uid: adminUid }, { uid: uid, newPassword: '654321' });
+			const correct = await User.isPasswordCorrect(uid, '654321', '127.0.0.1');
+			assert(correct);
+		});
+
 		it('should change username', function (done) {
 			socketUser.changeUsernameEmail({ uid: uid }, { uid: uid, username: 'updatedAgain', password: '123456' }, function (err) {
 				assert.ifError(err);