Browse Source

Require password when modifying account recovery

merge-requests/151/head
kencx 1 year ago
committed by Deimos
parent
commit
d0d6b6d3dc
  1. 5
      tildes/tildes/templates/settings_account_recovery.jinja2
  2. 10
      tildes/tildes/views/api/web/user.py

5
tildes/tildes/templates/settings_account_recovery.jinja2

@ -56,6 +56,11 @@
<input class="form-input" id="email_address_note" name="email_address_note" placeholder="Description" maxlength="{{ note_max_length }}">
</div>
<div class="form-group">
<label class="form-label col-4" for="password">Password</label>
<input class="form-input" id="password" name="password" type="password" placeholder="Password">
</div>
<div class="form-buttons">
<button class="btn btn-primary" type="submit">Save email address</button>
</div>

10
tildes/tildes/views/api/web/user.py

@ -70,13 +70,19 @@ def patch_change_password(
request_param="ic-trigger-name=account-recovery-email",
permission="change_settings",
)
@use_kwargs(UserSchema(only=("email_address", "email_address_note")), location="form")
@use_kwargs(
UserSchema(only=("email_address", "email_address_note", "password")),
location="form",
)
def patch_change_email_address(
request: Request, email_address: str, email_address_note: str
request: Request, email_address: str, email_address_note: str, password: str
) -> Response:
"""Change the user's email address (and descriptive note)."""
user = request.context
if not user.is_correct_password(password):
raise HTTPUnauthorized(body="Incorrect password")
# If the user already has an email address set, we need to retain the previous hash
# and description in the log. Otherwise, if an account is compromised and the
# attacker changes the email address, we'd have no way to support recovery for the

Loading…
Cancel
Save