|
|
@ -70,13 +70,19 @@ def patch_change_password( |
|
|
|
request_param="ic-trigger-name=account-recovery-email", |
|
|
|
permission="change_settings", |
|
|
|
) |
|
|
|
@use_kwargs(UserSchema(only=("email_address", "email_address_note")), location="form") |
|
|
|
@use_kwargs( |
|
|
|
UserSchema(only=("email_address", "email_address_note", "password")), |
|
|
|
location="form", |
|
|
|
) |
|
|
|
def patch_change_email_address( |
|
|
|
request: Request, email_address: str, email_address_note: str |
|
|
|
request: Request, email_address: str, email_address_note: str, password: str |
|
|
|
) -> Response: |
|
|
|
"""Change the user's email address (and descriptive note).""" |
|
|
|
user = request.context |
|
|
|
|
|
|
|
if not user.is_correct_password(password): |
|
|
|
raise HTTPUnauthorized(body="Incorrect password") |
|
|
|
|
|
|
|
# If the user already has an email address set, we need to retain the previous hash |
|
|
|
# and description in the log. Otherwise, if an account is compromised and the |
|
|
|
# attacker changes the email address, we'd have no way to support recovery for the |
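Review bot: The new `user.is_correct_password(password)` check at the top of `patch_change_email_address` turns this authenticated endpoint into a password oracle for anyone holding a hijacked session, so it needs the same throttling and failed-attempt logging as a login attempt — nothing in the hunk shows a rate limit on this view, so if one is not applied elsewhere (the decorator stack above `ic-trigger-name=account-recovery-email` starts outside the hunk), add one before merging. The failure is also raised as `HTTPUnauthorized` for a user who is already authenticated; a 403 (or a 400 with the same body) would read more accurately, though matching whatever `patch_change_password` does is reasonable. Since the password field comes from `UserSchema(only=(..., "password"))`, check that any validator on that field (e.g. a minimum length) does not short-circuit a wrong password into a 400 before this check runs and leak a different response for malformed versus wrong passwords. Finally, the docstring should state the new precondition: `"""Change the user's email address (and descriptive note) after re-verifying the user's password."""`. The function body continues past the end of the hunk.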
|
|
|