From 9c4d16d4fa693af66580b5b3ec3bd7cde933a7c4 Mon Sep 17 00:00:00 2001
From: Martin Mares <mj@ucw.cz>
Date: Sat, 25 Jan 2025 11:35:57 +0100
Subject: [PATCH] =?UTF-8?q?Zm=C4=9Bna=20osobn=C3=ADch=20=C3=BAdaj=C5=AF=20?=
 =?UTF-8?q?zapom=C3=ADnala=20kontrolovat=20aktu=C3=A1ln=C3=AD=20heslo?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

*blush*
---
 mo/web/acct.py | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/mo/web/acct.py b/mo/web/acct.py
index a9072301..b15a62be 100644
--- a/mo/web/acct.py
+++ b/mo/web/acct.py
@@ -23,6 +23,7 @@ import mo.rights
 import mo.tokens
 import mo.users
 import mo.util
+from mo.util import assert_not_none
 from mo.web import app, NeedLoginError
 import mo.web.fields as mo_fields
 
@@ -183,8 +184,11 @@ def user_settings_personal():
     if not form.submit.data:
         form.email.data = user.email
 
-    if form.validate_on_submit():
-        ok = True
+    def process_submit() -> bool:
+        if not mo.users.check_password(user, assert_not_none(form.current_passwd.data)):
+            flash('Nesouhlasí aktuální heslo.', 'danger')
+            return False
+
         if form.new_passwd.data:
             app.logger.info(f'Settings: Změněno heslo uživatele #{user.user_id}')
             mo.users.set_password(user, form.new_passwd.data)
@@ -195,10 +199,12 @@ def user_settings_personal():
             )
             sess.commit()
             flash('Heslo změněno.', 'success')
+
         if form.email.data != user.email:
-            if mo.users.user_by_email(form.email.data) is not None:
+            if mo.users.user_by_email(assert_not_none(form.email.data)) is not None:
+                # Tady prosakuje informace o existenci účtu, ale tu prozrazuje i login.
                 flash('Tuto e-mailovou adresu už používá jiný uživatel.', 'danger')
-                ok = False
+                return False
             else:
                 rr = mo.users.new_reg_request(db.RegReqType.change_email, request.remote_addr)
                 if rr:
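Review bot: A wrong current password is flashed but not logged, while the successful password change two lines below is logged with the user id; a failed verification inside an already authenticated session is exactly the signal a defender wants when a stolen session cookie is being used to take over the account, so add `app.logger.info(f'Settings: Chybné aktuální heslo uživatele #{user.user_id}')` before the flash. `assert_not_none(form.current_passwd.data)` turns an empty field into an exception rather than a flashed error, so this path relies on the form declaring current_passwd as required — the form class is outside the hunk and worth confirming. process_submit also deserves a short docstring stating its contract: the current password is verified before any change is made, True means every requested change was applied, False means an error has already been flashed. user_settings_personal itself begins before this hunk.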
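Review bot: The added comment names the account-existence oracle but not what now bounds it; because process_submit returns before this lookup unless check_password succeeded, the oracle is reachable only with a valid session plus the account's current password, and the comment should record that, e.g. `# Tady prosakuje informace o existenci účtu, ale tu prozrazuje i login; navíc je dostupná až po ověření aktuálního hesla.` A second, hedged point: `form.email.data != user.email` is a raw string comparison, so if user_by_email normalises case or whitespace, an address that differs only in letter case would pass the guard, find the user's own account and flash the 'used by another user' error; comparing the lookup result with the current user (`existing is not None and existing is not user`) would avoid that, but whether user_by_email normalises is not visible here.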
@@ -212,9 +218,11 @@ def user_settings_personal():
             else:
                 app.logger.info('Settings: Rate limit')
                 flash('Příliš mnoho požadavků na změny e-mailu. Počkejte prosím chvíli a zkuste to znovu.', 'danger')
-                ok = False
-        if ok:
-            return redirect(url_for('user_settings'))
+                return False
+        return True
+
+    if form.validate_on_submit() and process_submit():
+        return redirect(url_for('user_settings'))
 
     return render_template('settings_change.html', form=form)
 
-- 
GitLab
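Review bot: The new call site `if form.validate_on_submit() and process_submit():` hides that a False result is not a no-op: when a new password was supplied, process_submit has already called set_password and sess.commit() earlier in the function before the e-mail branch can return False, so the re-rendered form arrives after a persisted password change. That behaviour is carried over from the old `ok` flag rather than introduced here, but the composed boolean now reads as all-or-nothing; a one-line comment above the call, such as `# process_submit() hlásí chyby přes flash(); změna hesla je případně už uložena`, keeps the next reader from assuming atomicity. The end of user_settings_personal is visible in this hunk, its start is not.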