auth_internal.change_password: do not rely on session
This commit is contained in:
parent
d5fd183d18
commit
dc0374df2b
|
@ -75,14 +75,15 @@ class Auth_Internal extends Auth_Base {
|
|||
function change_password($owner_uid, $old_password, $new_password) {
|
||||
$owner_uid = db_escape_string($owner_uid);
|
||||
|
||||
$result = db_query($this->link, "SELECT salt FROM ttrss_users WHERE
|
||||
$result = db_query($this->link, "SELECT salt,login FROM ttrss_users WHERE
|
||||
id = '$owner_uid'");
|
||||
|
||||
$salt = db_fetch_result($result, 0, "salt");
|
||||
$login = db_fetch_result($result, 0, "login");
|
||||
|
||||
if (!$salt) {
|
||||
$old_password_hash1 = encrypt_password($old_password);
|
||||
$old_password_hash2 = encrypt_password($old_password, $_SESSION["name"]);
|
||||
$old_password_hash2 = encrypt_password($old_password, $login);
|
||||
|
||||
$query = "SELECT id FROM ttrss_users WHERE
|
||||
id = '$owner_uid' AND (pwd_hash = '$old_password_hash1' OR
|
||||
|
|
Loading…
Reference in New Issue