From 6e121bf2d80b5219af7a7c7b6055b370aa43c36c Mon Sep 17 00:00:00 2001
From: Colin Okay
Date: Thu, 24 Mar 2022 16:38:57 -0500
Subject: [bugfix] Admins can change passwords without knowing current password

---
 src/main.lisp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/main.lisp b/src/main.lisp
index 2db13a4..abf5405 100644
--- a/src/main.lisp
+++ b/src/main.lisp
@@ -665,8 +665,9 @@ is an API Access token.
 (unless (or (eq who (api-contributor token))
 (adminp (api-contributor token)))
 (http-err 403 "Cannot change that password."))
- (unless (is-current-password-p who current)
- (http-err 400 "The old password is incorrect."))
+ (unless (or (adminp (api-contributor token))
+ (is-current-password-p who current))
+ (http-err 400 "The old password is incorrect"))
 (unless (equalp value repeated)
 (http-err 400 "The two passwords do not match."))
 (update-password who value)
-- 
cgit v1.2.3
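Review bot: The added `adminp` short-circuit also waives the current-password check when the admin is changing their own password (the `who` equal to `(api-contributor token)` case that the first `unless` already lets through), so possession of an admin API token alone is enough to rotate that admin's own credential and lock the real owner out. Restrict the bypass to other users' accounts: `(unless (or (and (adminp (api-contributor token)) (not (eq who (api-contributor token)))) (is-current-password-p who current))`, and consider binding `(adminp (api-contributor token))` once in a `let` since it is now evaluated in two consecutive checks. The new message `"The old password is incorrect"` drops the trailing period that the removed line and the neighbouring `http-err` messages carry. Nothing in the hunk rejects an empty `value` or invalidates the target user's existing tokens after an admin reset; whether `update-password` does either is not visible here and is worth confirming. The enclosing function starts before this hunk and may continue after `(update-password who value)`.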