Skip to content

Commit

Permalink
sec(Users) repeat password checks in backend before update
Browse files Browse the repository at this point in the history
  • Loading branch information
joebordes committed Jun 2, 2023
1 parent e767906 commit e3dabd7
Showing 1 changed file with 7 additions and 13 deletions.
20 changes: 7 additions & 13 deletions modules/Vtiger/ExecuteFunctions.php
Original file line number Diff line number Diff line change
Expand Up @@ -621,20 +621,14 @@
Vtiger_Request::validateRequest();
require_once 'modules/Users/Users.php';
require_once 'include/utils/UserInfoUtil.php';
require_once 'include/Webservices/ChangePassword.php';
$userid = vtlib_purify($_REQUEST['record']);
if (is_admin($current_user) || $current_user->id==$userid) {
$focus = new Users();
$focus->mode='edit';
$focus->id = $userid;
$focus->retrieve_entity_info($userid, 'Users');
$ret = $focus->change_password('old_password', vtlib_purify(substr($_REQUEST['new_password'], 0, 1024)));
if ($ret) {
$ret = array('password'=>$ret);
} else {
$ret = array('password'=>false, 'msg' => $focus->error_string);
}
} else {
$ret = array('password'=>false, 'msg' => $focus->error_string);
try {
$npass = vtlib_purify($_REQUEST['new_password']);
vtws_changePassword(vtlib_purify($_REQUEST['record']), 'nocheck_old_password', $npass, $npass, $current_user);
$ret = array('password'=>true);
} catch (\Throwable $th) {
$ret = array('password'=>false, 'msg' => $th->getMessage());
}
break;
case 'ismoduleactive':
Expand Down

0 comments on commit e3dabd7

Please sign in to comment.