feat: enforce old-password verification on own password change, allow admin override
This commit is contained in:
@@ -149,7 +149,17 @@ namespace Lactose.Controllers {
|
||||
|
||||
if (dto.Email != null) { user.Email = dto.Email; }
|
||||
|
||||
if (dto.Password != null) { user.Password = passwordHasher.HashPassword(user, dto.Password); }
|
||||
if (dto.Password != null) {
|
||||
if (dto.OldPassword != null) {
|
||||
if (passwordHasher.VerifyHashedPassword(user, user.Password, dto.OldPassword) == PasswordVerificationResult.Failed) {
|
||||
return BadRequest("Old password is incorrect");
|
||||
}
|
||||
} else if (authenticatedUser.AccessLevel != EAccessLevel.Admin) {
|
||||
return BadRequest("Old password is required to change your own password");
|
||||
}
|
||||
|
||||
user.Password = passwordHasher.HashPassword(user, dto.Password);
|
||||
}
|
||||
|
||||
if (dto.IsDeleted != null) { user.DeletedAt = dto.IsDeleted.Value ? DateTime.UtcNow : null; }
|
||||
|
||||
|
||||
Reference in New Issue
Block a user