From 953c20c3846e8ffd70392f12560cf39537c795b9 Mon Sep 17 00:00:00 2001
From: brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Date: Sun, 21 Nov 2010 21:24:57 +0000
Subject: Refs #2669: Merged password change fixes in 7404 to trunk.

git-svn-id: http://code.elgg.org/elgg/trunk@7405 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 actions/user/password.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'actions')

diff --git a/actions/user/password.php b/actions/user/password.php
index ceb9d4585..32b27bf74 100644
--- a/actions/user/password.php
+++ b/actions/user/password.php
@@ -8,6 +8,7 @@
 
 gatekeeper();
 
+$current_password = get_input('current_password');
 $password = get_input('password');
 $password2 = get_input('password2');
 $user_id = get_input('guid');
@@ -19,6 +20,19 @@ if (!$user_id) {
 }
 
 if (($user) && ($password != "")) {
+	// let admin user change anyone's password without knowing it except his own.
+	if (!isadminloggedin() || isadminloggedin() && $user->guid == get_loggedin_userid()) {
+		$credentials = array(
+			'username' => $user->username,
+			'password' => $current_password
+		);
+
+		if (!pam_auth_userpass($credentials)) {
+			register_error(elgg_echo('user:password:fail:incorrect_current_password'));
+			forward(REFERER);
+		}
+	}
+
 	if (strlen($password) >= 4) {
 		if ($password == $password2) {
 			$user->salt = generate_random_cleartext_password(); // Reset the salt
-- 
cgit v1.2.3