From 4afb9b1ea8e58f08bbfb1b5da5a016024435e4b3 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Sat, 14 Jul 2007 03:50:50 +0000
Subject: [PATCH] Bug 381738: SaveAccount() in userprefs.cgi doesn't check
 Bugzilla->user->authorizer->can_change_{password|email} - Patch by Tiago R.
 Mello <timello@gmail.com> r/a=LpSolit

---
 userprefs.cgi | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/userprefs.cgi b/userprefs.cgi
index 8f94809cb7..1ad7f906e6 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -82,8 +82,8 @@ sub SaveAccount {
     my $pwd1 = $cgi->param('new_password1');
     my $pwd2 = $cgi->param('new_password2');
 
-    if ($cgi->param('Bugzilla_password') ne "" || 
-        $pwd1 ne "" || $pwd2 ne "") 
+    if ($user->authorizer->can_change_password
+        && ($cgi->param('Bugzilla_password') ne "" || $pwd1 ne "" || $pwd2 ne ""))
     {
         my ($oldcryptedpwd) = $dbh->selectrow_array(
                         q{SELECT cryptpassword FROM profiles WHERE userid = ?},
@@ -115,7 +115,10 @@ sub SaveAccount {
         }
     }
 
-    if(Bugzilla->params->{"allowemailchange"} && $cgi->param('new_login_name')) {
+    if ($user->authorizer->can_change_email
+        && Bugzilla->params->{"allowemailchange"}
+        && $cgi->param('new_login_name'))
+    {
         my $old_login_name = $cgi->param('Bugzilla_login');
         my $new_login_name = trim($cgi->param('new_login_name'));
 
-- 
2.47.2