Require password when modifying account recovery

11 months ago · d0d6b6d3dc
2 changed files with 13 additions and 2 deletions
--- a/tildes/tildes/templates/settings_account_recovery.jinja2
+++ b/tildes/tildes/templates/settings_account_recovery.jinja2
@ -56,6 +56,11 @@
    <input class="form-input" id="email_address_note" name="email_address_note" placeholder="Description" maxlength="{{ note_max_length }}">
  </div>

+  <div class="form-group">
+    <label class="form-label col-4" for="password">Password</label>
+    <input class="form-input" id="password" name="password" type="password" placeholder="Password">
+  </div>
+
  <div class="form-buttons">
    <button class="btn btn-primary" type="submit">Save email address</button>
  </div>
--- a/tildes/tildes/views/api/web/user.py
+++ b/tildes/tildes/views/api/web/user.py
@ -70,13 +70,19 @@ def patch_change_password(
    request_param="ic-trigger-name=account-recovery-email",
    permission="change_settings",
 )
-@use_kwargs(UserSchema(only=("email_address", "email_address_note")), location="form")
+@use_kwargs(
+    UserSchema(only=("email_address", "email_address_note", "password")),
+    location="form",
+)
 def patch_change_email_address(
-    request: Request, email_address: str, email_address_note: str
+    request: Request, email_address: str, email_address_note: str, password: str
 ) -> Response:
    """Change the user's email address (and descriptive note)."""
    user = request.context

+    if not user.is_correct_password(password):
+        raise HTTPUnauthorized(body="Incorrect password")
+
    # If the user already has an email address set, we need to retain the previous hash
    # and description in the log. Otherwise, if an account is compromised and the
    # attacker changes the email address, we'd have no way to support recovery for the