From 4b3ee0bfd13c1940f4eac7c2e4fb237fda37a9a1 Mon Sep 17 00:00:00 2001
From: Nico Hoffmann
Date: Tue, 4 Feb 2025 19:03:18 +0100
Subject: [PATCH] Always check current password of current user
---
 config/areas/users/dialogs.php | 51 +++++++++++++---------------------
 i18n/translations/en.json | 2 +-
 2 files changed, 21 insertions(+), 32 deletions(-)
diff --git a/config/areas/users/dialogs.php b/config/areas/users/dialogs.php
index c873299aaf..20466564bc 100644
--- a/config/areas/users/dialogs.php
+++ b/config/areas/users/dialogs.php
@@ -181,29 +181,22 @@
 'user.changePassword' => [
 'pattern' => 'users/(:any)/changePassword',
 'load' => function (string $id) {
- $user = Find::user($id);
- $fields = [
- 'password' => Field::password([
- 'label' => I18n::translate('user.changePassword.new'),
- ]),
- 'passwordConfirmation' => Field::password([
- 'label' => I18n::translate('user.changePassword.new.confirm'),
- ])
- ];
-
- if ($user->is($user->kirby()->user()) === true) {
- $fields = [
- 'currentPassword' => Field::password([
- 'label' => I18n::translate('user.changePassword.current'),
- ]),
- ...$fields
- ];
- }
+ Find::user($id);
 return [
 'component' => 'k-form-dialog',
 'props' => [
- 'fields' => $fields,
+ 'fields' => [
+ 'currentPassword' => Field::password([
+ 'label' => I18n::translate('user.changePassword.current'),
+ ]),
+ 'password' => Field::password([
+ 'label' => I18n::translate('user.changePassword.new'),
+ ]),
+ 'passwordConfirmation' => Field::password([
+ 'label' => I18n::translate('user.changePassword.new.confirm'),
+ ])
+ ],
 'submitButton' => I18n::translate('change'),
 ]
 ];
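Review bot: The bare `Find::user($id);` in the `load` closure discards its return value, which reads like a leftover from the removed `$user` assignment rather than a deliberate existence check; a one-line comment would make the intent explicit, e.g. `// throws if the user does not exist; the object itself is not needed since every target now gets the same dialog`. The removed conditional was the only thing that varied the field set, so the inline `fields` array is the right shape, and the `currentPassword` label now refers to the acting user rather than the target, which matches the new submit-side check. The `'user.changePassword'` route definition begins before this hunk.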
@@ -213,23 +206,19 @@
 $request = $kirby->request();
 $user = Find::user($id);
+ $currentPassword = $request->get('currentPassword');
 $password = $request->get('password');
 $passwordConfirmation = $request->get('passwordConfirmation');
- // validate the current password,
- // if current user is changing their own password
- if ($user->is($kirby->user()) === true) {
- $currentPassword = $request->get('currentPassword');
-
+ // validate the current password of the acting user
+ try {
+ $kirby->user()->validatePassword($currentPassword);
+ } catch (Exception) {
 // catching and re-throwing exception to avoid automatic
 // sign-out of current user from the Panel
- try {
- $user->validatePassword($currentPassword);
- } catch (Exception) {
- throw new InvalidArgumentException([
- 'key' => 'user.password.wrong'
- ]);
- }
+ throw new InvalidArgumentException([
+ 'key' => 'user.password.wrong'
+ ]);
 }
 // validate the new password
diff --git a/i18n/translations/en.json b/i18n/translations/en.json
index e776287f7a..32638387e3 100644
--- a/i18n/translations/en.json
+++ b/i18n/translations/en.json
@@ -714,7 +714,7 @@
 "user.changeLanguage": "Change language",
 "user.changeName": "Rename this user",
 "user.changePassword": "Change password",
- "user.changePassword.current": "Current password",
+ "user.changePassword.current": "Your current password",
 "user.changePassword.new": "New password",
 "user.changePassword.new.confirm": "Confirm the new password…",
 "user.changeRole": "Change role",
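Review bot: `$kirby->user()->validatePassword($currentPassword)` dereferences the acting user without a null guard; if this route can ever run without an authenticated user, the call on null raises an `Error`, which `catch (Exception)` does not catch, so the rethrow-as-`InvalidArgumentException` protection would not apply — either document that the Panel's auth guard guarantees a user here, or make it explicit with `$actingUser = $kirby->user() ?? throw new InvalidArgumentException(['key' => 'user.password.wrong']);` and call `validatePassword` on that. The catch also maps every failure, including an absent or empty `currentPassword` field, to `user.password.wrong`; that is a sensible non-leaking default but deserves a line saying so. The new comment could state why the check now applies regardless of target, e.g. `// always require the acting user's own password, also when changing another user's password, so an unattended or hijacked Panel session cannot take over accounts`. The submit closure starts and ends outside this hunk, and `$user` is presumably still used by the new-password validation that follows.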