author | Colin Okay <okay@toyful.space> | 2022-03-24 16:38:57 -0500 |
committer | Colin Okay <okay@toyful.space> | 2022-03-24 16:38:57 -0500 |
commit | 6e121bf2d80b5219af7a7c7b6055b370aa43c36c (patch) | |
tree | 5235e1310890a09e0f746d4e3559423d1c23cd19 | |
parent | 1411e0a49f51971acb8f8a9f84d866c3e416e42b (diff) |
[bugfix] Admins can change passwords without knowing current password
-rw-r--r-- | src/main.lisp | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/main.lisp b/src/main.lisp
index 2db13a4..abf5405 100644
--- a/src/main.lisp
+++ b/src/main.lisp
@@ -665,8 +665,9 @@ is an API Access token."
 (unless (or (eq who (api-contributor token))
 (adminp (api-contributor token)))
 (http-err 403 "Cannot change that password."))
- (unless (is-current-password-p who current)
- (http-err 400 "The old password is incorrect."))
+ (unless (or (adminp (api-contributor token))
+ (is-current-password-p who current))
+ (http-err 400 "The old password is incorrect"))
 (unless (equalp value repeated)
 (http-err 400 "The two passwords do not match."))
 (update-password who value) |
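Review bot: The added `(or (adminp (api-contributor token)) (is-current-password-p who current))` also waives the current-password check when an admin changes their own password, because nothing restricts the bypass to the case where `who` differs from `(api-contributor token)`; with that, possession of an admin's API token alone is enough to rotate that admin's password and lock out its owner. Limiting the bypass to admin-acting-on-another-user keeps the second factor for self-changes: `(unless (or (and (adminp (api-contributor token)) (not (eq who (api-contributor token)))) (is-current-password-p who current)) (http-err 400 "The old password is incorrect."))`. Since `(adminp (api-contributor token))` is now evaluated twice in this function, binding it once with `let` above the first `unless` would also make the two checks easier to read together. The new 400 message drops the trailing period that the neighbouring `"The two passwords do not match."` keeps, so one of the two should be made consistent. The enclosing function starts before this hunk, so any additional audit logging of admin-initiated resets would belong outside the visible lines and is not assessed here.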