check password when changing users email
authorTobias Diekershoff <tobias.diekershoff@gmx.net>
Sun, 14 Apr 2013 15:58:16 +0000 (17:58 +0200)
committerTobias Diekershoff <tobias.diekershoff@gmx.net>
Sun, 14 Apr 2013 15:58:16 +0000 (17:58 +0200)
mod/settings.php

index 56526b7e796a751a994205bfe9c0404009d51d22..3d3688e29b4f0f9446a8af75fda8854b0c6c6014 100644 (file)
@@ -314,6 +314,8 @@ function settings_post(&$a) {
                        $err = true;
                 }
 
+                //  check if the old password was supplied correctly before 
+                //  changing it to the new value
                 $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
                 if( $oldpass != $r[0]['password'] ) {
                     notice( t('Wrong password.') . EOL);
@@ -401,8 +403,17 @@ function settings_post(&$a) {
 
        if($email != $a->user['email']) {
                $email_changed = true;
-        if(! valid_email($email))
-                       $err .= t(' Not valid email.');
+                //  check for the correct password
+                $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
+                $password = hash('whirlpool', $_POST['password']);
+                if ($password != $r[0]['password']) {
+                    $err .= t('Wrong Password') . EOL;
+                    $email = $a->user['email'];
+                }
+                //  check the email is valid
+                if(! valid_email($email))
+                    $err .= t(' Not valid email.');
+                //  ensure new email is not the admin mail
                if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0)) {
                        $err .= t(' Cannot change to that email.');
                        $email = $a->user['email'];
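Review bot: The added check `if ($password != $r[0]['password'])` compares the two hash strings with the loose `!=` operator, so PHP compares numeric-looking strings by value rather than byte for byte, and the comparison is not constant-time. A strict, timing-safe form would be `if (!isset($r[0]['password']) || !hash_equals($r[0]['password'], $password)) {` on runtimes that provide `hash_equals()`, or at least `!==` in place of `!=`. The context line `if( $oldpass != $r[0]['password'] )` in the first hunk has the same comparison and would want the same change. `$_POST['password']` is hashed without an `isset()` check, and `$email_changed` stays `true` after the wrong-password branch resets `$email`, so whatever later code keys on that flag should be checked. The body of `settings_post` starts and ends outside this hunk, so that later code is not visible here.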