Refs #2669: Merged password change fixes in 7404 to trunk.

git-svn-id: http://code.elgg.org/elgg/trunk@7405 36083f99-b078-4883-b0ff-0f9b5a30f544

3 files changed, 37 insertions, 5 deletions

diff --git a/actions/user/password.php b/actions/user/password.php
index ceb9d4585..32b27bf74 100644
--- a/actions/user/password.php
+++ b/actions/user/password.php
@@ -8,6 +8,7 @@
 
 gatekeeper();
 
+$current_password = get_input('current_password');
 $password = get_input('password');
 $password2 = get_input('password2');
 $user_id = get_input('guid');
@@ -19,6 +20,19 @@ if (!$user_id) {
 }
 
 if (($user) && ($password != "")) {
+	// let admin user change anyone's password without knowing it except his own.
+	if (!isadminloggedin() || isadminloggedin() && $user->guid == get_loggedin_userid()) {
+		$credentials = array(
+			'username' => $user->username,
+			'password' => $current_password
+		);
+
+		if (!pam_auth_userpass($credentials)) {
+			register_error(elgg_echo('user:password:fail:incorrect_current_password'));
+			forward(REFERER);
+		}
+	}
+
 	if (strlen($password) >= 4) {
 		if ($password == $password2) {
 			$user->salt = generate_random_cleartext_password(); // Reset the salt
diff --git a/languages/en.php b/languages/en.php
index 3d166789e..2a4cd7e1f 100644
--- a/languages/en.php
+++ b/languages/en.php
@@ -401,12 +401,14 @@ $english = array(
 	'user:name:fail' => "Could not change your name on the system.  Please make sure your name isn't too long and try again.",
 
 	'user:set:password' => "Account password",
+	'user:current_password:label' => 'Current password',
 	'user:password:label' => "Your new password",
 	'user:password2:label' => "Your new password again",
 	'user:password:success' => "Password changed",
 	'user:password:fail' => "Could not change your password on the system.",
 	'user:password:fail:notsame' => "The two passwords are not the same!",
 	'user:password:fail:tooshort' => "Password is too short!",
+	'user:password:fail:incorrect_current_password' => 'The current password entered is incorrect.',
 	'user:resetpassword:unknown_user' => 'Invalid user.',
 	'user:resetpassword:reset_password_confirm' => 'Resetting your password will email a new password to your registered email address.',
 
diff --git a/views/default/user/settings/password.php b/views/default/user/settings/password.php
index ea7be401d..416e4dcef 100644
--- a/views/default/user/settings/password.php
+++ b/views/default/user/settings/password.php
@@ -12,15 +12,31 @@ if ($user) {
 ?>
 <div class="user_settings password">
 <h3><?php echo elgg_echo('user:set:password'); ?></h3>
-<p>
+
+	<?php
+		// only make the admin user enter current password for changing his own password.
+		if (!isadminloggedin() || isadminloggedin() && $user->guid == get_loggedin_userid()) {
+	?>
+	<p>
+	<?php echo elgg_echo('user:current_password:label'); ?>:
+	<?php
+		echo elgg_view('input/password', array('internalname' => 'current_password'));
+	?>
+	</p>
+	<?php } ?>
+
+	<p>
 	<?php echo elgg_echo('user:password:label'); ?>:
 	<?php
-		echo elgg_view('input/password',array('internalname' => 'password'));
-	?></p><p>
+		echo elgg_view('input/password', array('internalname' => 'password'));
+	?>
+	</p>
+
+	<p>
 	<?php echo elgg_echo('user:password2:label'); ?>: <?php
-		echo elgg_view('input/password',array('internalname' => 'password2'));
+		echo elgg_view('input/password', array('internalname' => 'password2'));
 	?>
-</p>
+	</p>
 </div>
 <?php
 }
\ No newline at end of file