diff --git a/mo/web/acct.py b/mo/web/acct.py
index a90723018688e1c4e0b4aa3e198997534b970646..b15a62bef94a30c4d43358b40b68a4a5d4f95003 100644
--- a/mo/web/acct.py
+++ b/mo/web/acct.py
@@ -23,6 +23,7 @@ import mo.rights
 import mo.tokens
 import mo.users
 import mo.util
+from mo.util import assert_not_none
 from mo.web import app, NeedLoginError
 import mo.web.fields as mo_fields
@@ -183,8 +184,11 @@ def user_settings_personal():
 if not form.submit.data:
 form.email.data = user.email
- if form.validate_on_submit():
- ok = True
+ def process_submit() -> bool:
+ if not mo.users.check_password(user, assert_not_none(form.current_passwd.data)):
+ flash('Nesouhlasí aktuální heslo.', 'danger')
+ return False
+
 if form.new_passwd.data:
 app.logger.info(f'Settings: Změněno heslo uživatele #{user.user_id}')
 mo.users.set_password(user, form.new_passwd.data)
@@ -195,10 +199,12 @@ def user_settings_personal():
 )
 sess.commit()
 flash('Heslo změněno.', 'success')
+
 if form.email.data != user.email:
- if mo.users.user_by_email(form.email.data) is not None:
+ if mo.users.user_by_email(assert_not_none(form.email.data)) is not None:
+ # Tady prosakuje informace o existenci účtu, ale tu prozrazuje i login.
 flash('Tuto e-mailovou adresu už používá jiný uživatel.', 'danger')
- ok = False
+ return False
 else:
 rr = mo.users.new_reg_request(db.RegReqType.change_email, request.remote_addr)
 if rr:
@@ -212,9 +218,11 @@ def user_settings_personal():
 else:
 app.logger.info('Settings: Rate limit')
 flash('Příliš mnoho požadavků na změny e-mailu. Počkejte prosím chvíli a zkuste to znovu.', 'danger')
- ok = False
- if ok:
- return redirect(url_for('user_settings'))
+ return False
+ return True
+
+ if form.validate_on_submit() and process_submit():
+ return redirect(url_for('user_settings'))
 return render_template('settings_change.html', form=form)
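Review bot: The new current-password gate at the top of process_submit() only flashes on a mismatch and returns False; unlike the rate-limit branch in the last hunk, nothing is logged, so repeated wrong-password submissions on this form (for example from a stolen session) leave no trace in the Settings: log lines. Add `app.logger.info(f'Settings: Failed current-password check for user #{user.user_id}')` before that `return False` so the event is visible next to the other Settings: entries. Separately, `assert_not_none(form.current_passwd.data)` turns an empty field into an exception rather than a validation message; that is fine only if current_passwd carries a required-input validator in the form class, which is outside this hunk, otherwise test `form.current_passwd.data` and flash instead. Note also that the password change is committed and flashed before the e-mail branch can return False, so a rejected e-mail change still leaves the new password in effect (pre-existing ordering that the rewrite keeps). user_settings_personal() begins before this hunk.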