fix: if editing password is disabled in ACP, prevent direct access via route/socket (related: #7576)

6 years ago · e114b16d7a
parent cf5aeace6b
commit e114b16d7a
2 changed files with 13 additions and 6 deletions
--- a/src/controllers/accounts/edit.js
+++ b/src/controllers/accounts/edit.js
@ -98,8 +98,8 @@ function renderRoute(name, req, res, next) {
 				return next();
 			}

-			if ((name === 'username' && userData['username:disableEdit']) || (name === 'email' && userData['email:disableEdit'])) {
-				return next();
+			if (meta.config[name + ':disableEdit'] && !userData.isAdmin) {
+				return helpers.notAllowed(req, res);
 			}

 			if (name === 'password') {
--- a/src/user/profile.js
+++ b/src/user/profile.js
@ -319,11 +319,18 @@ module.exports = function (User) {
 				User.isPasswordValid(data.newPassword, next);
 			},
 			function (next) {
-				if (parseInt(uid, 10) !== parseInt(data.uid, 10)) {
-					User.isAdministrator(uid, next);
-				} else {
-					User.isPasswordCorrect(uid, data.currentPassword, data.ip, next);
+				User.isAdministrator(uid, next);
+			},
+			function (isAdmin, next) {
+				if (meta.config['password:disableEdit'] && !isAdmin) {
+					return next(new Error('[[error:no-privileges]]'));
 				}
+
+				if (isAdmin && parseInt(uid, 10) !== parseInt(data.uid, 10)) {
+					return next(null, true);
+				}
+
+				User.isPasswordCorrect(uid, data.currentPassword, data.ip, next);
 			},
 			function (isAdminOrPasswordMatch, next) {
 				if (!isAdminOrPasswordMatch) {