From 9c4d16d4fa693af66580b5b3ec3bd7cde933a7c4 Mon Sep 17 00:00:00 2001
From: Martin Mares <mj@ucw.cz>
Date: Sat, 25 Jan 2025 11:35:57 +0100
Subject: [PATCH] =?UTF-8?q?Zm=C4=9Bna=20osobn=C3=ADch=20=C3=BAdaj=C5=AF=20?=
 =?UTF-8?q?zapom=C3=ADnala=20kontrolovat=20aktu=C3=A1ln=C3=AD=20heslo?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

*blush*
---
 mo/web/acct.py | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/mo/web/acct.py b/mo/web/acct.py
index a9072301..b15a62be 100644
--- a/mo/web/acct.py
+++ b/mo/web/acct.py
@@ -23,6 +23,7 @@ import mo.rights
 import mo.tokens
 import mo.users
 import mo.util
+from mo.util import assert_not_none
 from mo.web import app, NeedLoginError
 import mo.web.fields as mo_fields
 
@@ -183,8 +184,11 @@ def user_settings_personal():
     if not form.submit.data:
         form.email.data = user.email
 
-    if form.validate_on_submit():
-        ok = True
+    def process_submit() -> bool:
+        if not mo.users.check_password(user, assert_not_none(form.current_passwd.data)):
+            flash('Nesouhlasí aktuální heslo.', 'danger')
+            return False
+
         if form.new_passwd.data:
             app.logger.info(f'Settings: Změněno heslo uživatele #{user.user_id}')
             mo.users.set_password(user, form.new_passwd.data)
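Review bot: A wrong current password in the new `check_password` guard at the top of `process_submit` is flashed to the user but never logged, while the successful change a few lines below is; repeated guesses through a hijacked or unattended session therefore leave no trace. Add `app.logger.info(f'Settings: Nesouhlasí aktuální heslo uživatele #{user.user_id}')` before the flash, and consider applying the same limiter the e-mail branch gets from `new_reg_request`, since this check currently allows unlimited attempts. `assert_not_none(form.current_passwd.data)` turns an absent field into an assertion failure (a 500) instead of a validation message — presumably `current_passwd` is declared required on the form; confirm that, otherwise test the value explicitly. The enclosing `user_settings_personal` starts before this hunk.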
@@ -195,10 +199,12 @@ def user_settings_personal():
             )
             sess.commit()
             flash('Heslo změněno.', 'success')
+
         if form.email.data != user.email:
-            if mo.users.user_by_email(form.email.data) is not None:
+            if mo.users.user_by_email(assert_not_none(form.email.data)) is not None:
+                # Tady prosakuje informace o existenci účtu, ale tu prozrazuje i login.
                 flash('Tuto e-mailovou adresu už používá jiný uživatel.', 'danger')
-                ok = False
+                return False
             else:
                 rr = mo.users.new_reg_request(db.RegReqType.change_email, request.remote_addr)
                 if rr:
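Review bot: The new `return False` on the duplicate-e-mail branch runs after the password block above it has already called `set_password` and `sess.commit()`, so the form is re-rendered with an error while the password has silently changed, and a resubmit will reject the old password as "current". Either move the `mo.users.user_by_email(...)` collision check ahead of the `if form.new_passwd.data:` block so nothing is committed until the whole submission is known to be valid, or make it explicit in the flash that the password change went through. The added comment about the existence leak is fair; it could also note that this lookup is only reachable after the current-password check, so the oracle is limited to an authenticated user. `user_settings_personal` begins before this hunk.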
@@ -212,9 +218,11 @@ def user_settings_personal():
                 else:
                     app.logger.info('Settings: Rate limit')
                     flash('Příliš mnoho požadavků na změny e-mailu. Počkejte prosím chvíli a zkuste to znovu.', 'danger')
-                    ok = False
-        if ok:
-            return redirect(url_for('user_settings'))
+                    return False
+        return True
+
+    if form.validate_on_submit() and process_submit():
+        return redirect(url_for('user_settings'))
 
     return render_template('settings_change.html', form=form)
 
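Review bot: `process_submit` is a closure rebuilt on every request that reads `user`, `form`, `sess` and `request` from the enclosing scope, which makes its three failure branches hard to exercise in isolation; a private module-level `_apply_personal_settings(user, form) -> bool` with the same body would keep `user_settings_personal` down to the `validate_on_submit() and ...` line and be unit-testable. The rate-limit `return False` in this hunk carries the same partial-commit caveat as the duplicate-e-mail branch: by the time it runs, the password block earlier in the function has already committed. `user_settings_personal` begins before this hunk.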
-- 
GitLab