From: lpsolit%gmail.com <>
Date: Sat, 14 Jul 2007 03:50:50 +0000 (+0000)
Subject: Bug 381738: SaveAccount() in userprefs.cgi doesn't check Bugzilla->user->authorizer...
X-Git-Tag: bugzilla-3.0.1~51
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4afb9b1ea8e58f08bbfb1b5da5a016024435e4b3;p=thirdparty%2Fbugzilla.git
Bug 381738: SaveAccount() in userprefs.cgi doesn't check Bugzilla->user->authorizer->can_change_{password|email} - Patch by Tiago R. Mello r/a=LpSolit
---
diff --git a/userprefs.cgi b/userprefs.cgi
index 8f94809cb7..1ad7f906e6 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -82,8 +82,8 @@ sub SaveAccount {
 my $pwd1 = $cgi->param('new_password1');
 my $pwd2 = $cgi->param('new_password2');
- if ($cgi->param('Bugzilla_password') ne "" ||
- $pwd1 ne "" || $pwd2 ne "")
+ if ($user->authorizer->can_change_password
+ && ($cgi->param('Bugzilla_password') ne "" || $pwd1 ne "" || $pwd2 ne ""))
 {
 my ($oldcryptedpwd) = $dbh->selectrow_array(
 q{SELECT cryptpassword FROM profiles WHERE userid = ?},
@@ -115,7 +115,10 @@ sub SaveAccount {
 }
 }
- if(Bugzilla->params->{"allowemailchange"} && $cgi->param('new_login_name')) {
+ if ($user->authorizer->can_change_email
+ && Bugzilla->params->{"allowemailchange"}
+ && $cgi->param('new_login_name'))
+ {
 my $old_login_name = $cgi->param('Bugzilla_login');
 my $new_login_name = trim($cgi->param('new_login_name'));
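Review bot: When `can_change_password` is false, the new condition in the first hunk skips the password block without raising anything, so a request that still carries `Bugzilla_password`, `new_password1` or `new_password2` is dropped silently; the `can_change_email` guard in the second hunk behaves the same way. Enforcing the capability on the server is the right place for it, but a silent skip gives the user no feedback and leaves no trace of a request that tried to change a credential the login method does not permit. At minimum I would state the intent above the condition, e.g. `# Password fields are ignored, not rejected, when the login method cannot change passwords.`; if rejection is preferred, an explicit error branch would make such requests visible. SaveAccount's body starts before and continues after both hunks, so any later handling cannot be seen here.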
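Review bot: The last condition in the second hunk tests `$cgi->param('new_login_name')` for truth before the value goes through `trim()` two lines later, so a value made only of whitespace enters the block and becomes an empty login name. Whether that empty value is rejected further down is not visible, because the block continues past the end of the hunk. Trimming first would make the guard test the value that is actually used: move `my $new_login_name = trim($cgi->param('new_login_name'));` above the `if` and end the condition with `&& $new_login_name)`.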