Check for 'currentPassword' param in addition to 'password'

Resolves #4169
craftcms · Apr 23, 2019 · b8b087f · b8b087f
1 parent 2fb1067
commit b8b087f
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 11 deletions.
diff --git a/CHANGELOG-v3.md b/CHANGELOG-v3.md
@@ -8,6 +8,7 @@
 ### Changed
 - Craft now correctly typecasts all core boolean and integer values saved to the project config. ([#3695](https://github.com/craftcms/cms/issues/3695))
 - Craft now saves new entry versions every time an entry is saved, unless it’s being propagated or resaved.
+- `users/save-user` and `users/start-elevated-session` requests now check for a `currentPassword` body param in addition to `password`, when looking for the user’s current password. ([#4169](https://github.com/craftcms/cms/issues/4169))
 - `craft\services\Path::getStoragePath()` now has a `$create` argument.
 - Updated Twig to ~2.8.1.
 

diff --git a/src/controllers/UsersController.php b/src/controllers/UsersController.php
@@ -246,7 +246,8 @@ public function actionGetElevatedSessionTimeout(): Response
      */
     public function actionStartElevatedSession()
     {
-        $password = Craft::$app->getRequest()->getBodyParam('password');
+        $request = Craft::$app->getRequest();
+        $password = $request->getBodyParam('currentPassword') ?? $request->getBodyParam('password');
 
         try {
             $success = Craft::$app->getUser()->startElevatedSession($password);
@@ -1758,14 +1759,14 @@ private function _verifyExistingPassword(): bool
             return false;
         }
 
-        $currentHashedPassword = $currentUser->password;
-
-        try {
-            $currentPassword = Craft::$app->getRequest()->getRequiredParam('password');
-        } catch (BadRequestHttpException $e) {
+        $request = Craft::$app->getRequest();
+        $currentPassword = $request->getParam('currentPassword') ?? $request->getParam('password');
+        if ($currentPassword === null) {
             return false;
         }
 
+        $currentHashedPassword = $currentUser->password;
+
         try {
             return Craft::$app->getSecurity()->validatePassword($currentPassword, $currentHashedPassword);
         } catch (InvalidArgumentException $e) {

diff --git a/src/web/assets/cp/dist/js/Craft.js b/src/web/assets/cp/dist/js/Craft.js
@@ -1,4 +1,4 @@
-/*!   - 2019-03-29 */
+/*!   - 2019-04-23 */
 (function($){
 
 /** global: Craft */
@@ -13515,7 +13515,7 @@ Craft.ElevatedSessionManager = Garnish.Base.extend(
             this.clearLoginError();
 
             var data = {
-                password: this.$passwordInput.val()
+                currentPassword: this.$passwordInput.val()
             };
 
             Craft.postActionRequest('users/start-elevated-session', data, $.proxy(function(response, textStatus) {

diff --git a/src/web/assets/cp/dist/js/Craft.min.js b/src/web/assets/cp/dist/js/Craft.min.js
diff --git a/src/web/assets/cp/dist/js/Craft.min.js.map b/src/web/assets/cp/dist/js/Craft.min.js.map
diff --git a/src/web/assets/cp/src/js/ElevatedSessionManager.js b/src/web/assets/cp/src/js/ElevatedSessionManager.js
@@ -111,7 +111,7 @@ Craft.ElevatedSessionManager = Garnish.Base.extend(
             this.clearLoginError();
 
             var data = {
-                password: this.$passwordInput.val()
+                currentPassword: this.$passwordInput.val()
             };
 
             Craft.postActionRequest('users/start-elevated-session', data, $.proxy(function(response, textStatus) {