aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorColin Okay <okay@toyful.space>2022-03-24 16:38:57 -0500
committerColin Okay <okay@toyful.space>2022-03-24 16:38:57 -0500
commit6e121bf2d80b5219af7a7c7b6055b370aa43c36c (patch)
tree5235e1310890a09e0f746d4e3559423d1c23cd19 /src
parent1411e0a49f51971acb8f8a9f84d866c3e416e42b (diff)
[bugfix] Admins can change passwords without knowing current password
Diffstat (limited to 'src')
-rw-r--r--src/main.lisp5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/main.lisp b/src/main.lisp
index 2db13a4..abf5405 100644
--- a/src/main.lisp
+++ b/src/main.lisp
@@ -665,8 +665,9 @@ is an API Access token."
(unless (or (eq who (api-contributor token))
(adminp (api-contributor token)))
(http-err 403 "Cannot change that password."))
- (unless (is-current-password-p who current)
- (http-err 400 "The old password is incorrect."))
+ (unless (or (adminp (api-contributor token))
+ (is-current-password-p who current))
+ (http-err 400 "The old password is incorrect"))
(unless (equalp value repeated)
(http-err 400 "The two passwords do not match."))
(update-password who value)