lwsgt: fix check against forgot password flow defeating existing pw check

https://github.com/warmcat/libwebsockets/issues/706 This fixes a problem where the check for the existing pw was skipped when a logged-in user is changing his password. It's not good but because the user has to be logged in, it only affected the situation someone changes his password on his logged in session.
2016-12-08 17:36:51 +08:00 · 2016-12-08 17:36:51 +08:00 · 384ee53a36
commit 384ee53a36
parent c01bbb2bbc
1 changed files with 9 additions and 2 deletions
--- a/plugins/generic-sessions/handlers.c
+++ b/plugins/generic-sessions/handlers.c
@ -289,14 +289,19 @@ lwsgs_handler_change_password(struct per_vhost_data__gs *vhd, struct lws *wsi,
 				return 1;

 			/* did a forgot pw ? */
-			if (u.last_forgot_validated > lws_now_secs() - 300)
+			if (u.last_forgot_validated > lws_now_secs() - 300) {
 				n |= LWSGS_AUTH_FORGOT_FLOW;
+				lwsl_debug("within forgot password flow\n");
+			}
 		}
 	}

+	lwsl_debug("auth value %d\n", n);
+
 	/* if he just did forgot pw flow, don't need old pw */
-	if (!(n & (LWSGS_AUTH_FORGOT_FLOW | 1))) {
+	if ((n & (LWSGS_AUTH_FORGOT_FLOW | 1)) != (LWSGS_AUTH_FORGOT_FLOW | 1)) {
 		/* otherwise user:pass must be right */
+		lwsl_debug("checking pw\n");
 		if (lwsgs_check_credentials(vhd,
 			   lws_spa_get_string(pss->spa, FGS_USERNAME),
 			   lws_spa_get_string(pss->spa, FGS_CURPW))) {
@ -304,6 +309,8 @@ lwsgs_handler_change_password(struct per_vhost_data__gs *vhd, struct lws *wsi,
 			return 1;
 		}

+		lwsl_debug("current pw checks out\n");
+
 		strncpy(u.username, lws_spa_get_string(pss->spa, FGS_USERNAME), sizeof(u.username) - 1);
 		u.username[sizeof(u.username) - 1] = '\0';
 	}