diff --git a/model/UserHandler.php b/model/UserHandler.php
index 3774eac8..4b6852e4 100644
--- a/model/UserHandler.php
+++ b/model/UserHandler.php
@@ -38,10 +38,11 @@ class UserHandler {
 if ($match == true) {
 $active = db_get_boolean(True);
- $result = db_query("SELECT * FROM $table_mailbox WHERE username='$username' AND active='$active'");
- $result = $result['result'];
- if ($new_db_password != $result['password']) { # TODO: comparison might fail because pacrypt() didn't know the salt above (separate pacrypt call?)
- db_log ('CONSOLE', $domain, 'edit_password', "FAILURE: " . $this->username); # TODO: replace hardcoded CONSOLE - class is used by XMLRPC and users/
+ $result = db_query("SELECT password FROM $table_mailbox WHERE username='$username' AND active='$active'");
+ $result = db_assoc($result['result']);
+
+ if (pacrypt($old_password, $result['password']) != $result['password']) {
+ db_log ('CONSOLE', $domain, 'edit_password', "MATCH FAILURE: " . $this->username); # TODO: replace hardcoded CONSOLE - class is used by XMLRPC and users/
 $this->errormsg[] = 'Passwords do not match'; # TODO: make translatable
 return false;
 }
@@ -50,7 +51,7 @@ class UserHandler {
 $set = array( 'password' => $new_db_password );
-
+
 $result = db_update('mailbox', 'username=\''.$username.'\'', $set );
 if ($result != 1) {
diff --git a/users/password.php b/users/password.php
index 7e48c01b..ab144d61 100644
--- a/users/password.php
+++ b/users/password.php
@@ -61,7 +61,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
 if ($error == 0) {
 $uh = new UserHandler($username);
- if($uh->change_pass($fPassword_current, $fPassword)) {
+ if($uh->change_pw($fPassword, $fPassword_current) ) {
 flash_info($PALANG['pPassword_result_success']);
 header("Location: main.php");
 exit(0);
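Review bot: The new check `if (pacrypt($old_password, $result['password']) != $result['password'])` compares password hashes with loose `!=`, and it reads `$result['password']` without first confirming that db_assoc() returned a row, so a missing or inactive mailbox reaches pacrypt() with a null salt instead of being rejected cleanly. Prefer `if (!is_array($result) || !hash_equals($result['password'], pacrypt($old_password, $result['password'])))` so the comparison is strict and constant-time and the no-row case fails explicitly before any hashing. The rewritten query on the same lines still interpolates `$username` and `$active` directly into the SQL string; if `$username` is not escaped before it reaches this method (not visible in the diff), it should pass through whatever escaping the db layer provides. change_pw's body begins and ends outside the hunk.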
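Review bot: The call `$uh->change_pw($fPassword, $fPassword_current)` now passes the new password first and the current one second, the reverse of the old change_pass() call, and since both arguments are plain strings nothing at the call site would reveal a swapped order; change_pw's signature is not part of this diff, so the order is only inferable from the `$old_password`/`$new_db_password` names in the UserHandler hunk. A short comment on the call, `# change_pw(new password, current password) - order matters; the current password is verified against the stored hash`, would document the contract at the place where the mistake would be made, and the stray space before the closing parenthesis can be dropped at the same time. The surrounding `if ($error == 0)` block continues past the end of the hunk.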