Add a requirement for the current password to change the user's password or email address

2014-09-03 15:41:25 -04:00 · 2014-09-03 15:41:25 -04:00 · 1e7e012b92
commit 1e7e012b92
parent 6c60e078fc
5 changed files with 55 additions and 8 deletions
--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@ -117,6 +117,10 @@ class User(ApiResource):
      'type': 'object',
      'description': 'Fields which can be updated in a user.',
      'properties': {
+        'current_password': {
+          'type': 'string',
+          'description': 'The user\'s current password',
+        },
        'password': {
          'type': 'string',
          'description': 'The user\'s password',
@ -152,8 +156,22 @@ class User(ApiResource):
    user = get_authenticated_user()
    user_data = request.get_json()

-    try:
+    def verify_current_password(user, user_data):
+      current_password = user_data.get('current_password', '')
+
+      verified = False
+      try:
+        verified = model.verify_user(user.username, current_password)
+      except:
+        pass
+
+      if not verified:
+        raise request_error(message='Current password does not match')      
+
+    try:     
      if 'password' in user_data:
+        verify_current_password(user, user_data)
+
        logger.debug('Changing password for user: %s', user.username)
        log_action('account_change_password', user.username)
        model.change_password(user, user_data['password'])
@ -163,6 +181,8 @@ class User(ApiResource):
        model.change_invoice_email(user, user_data['invoice_email'])

      if 'email' in user_data and user_data['email'] != user.email:
+        verify_current_password(user, user_data)
+
        new_email = user_data['email']
        if model.find_user_by_email(new_email):
          # Email already used.