From b622136fd78ade6ff063a2cc00c85c1a8f1496c1 Mon Sep 17 00:00:00 2001
From: David Anderson <davea@ssl.berkeley.edu>
Date: Tue, 23 Dec 2014 10:47:18 -0800
Subject: [PATCH] web: clean up "change password" pages

For some reason these pages had their own login logic.
Remove this; you must be logged in first.
---
 html/user/edit_passwd_action.php | 36 +++++++++-----------------------
 html/user/edit_passwd_form.php   | 27 +++---------------------
 2 files changed, 13 insertions(+), 50 deletions(-)

diff --git a/html/user/edit_passwd_action.php b/html/user/edit_passwd_action.php
index 79a24a411e..f6ad3fa176 100644
--- a/html/user/edit_passwd_action.php
+++ b/html/user/edit_passwd_action.php
@@ -1,7 +1,7 @@
 <?php
 // This file is part of BOINC.
 // http://boinc.berkeley.edu
-// Copyright (C) 2008 University of California
+// Copyright (C) 2014 University of California
 //
 // BOINC is free software; you can redistribute it and/or modify it
 // under the terms of the GNU Lesser General Public License
@@ -22,10 +22,9 @@ require_once("../inc/user.inc");
 
 check_get_args(array());
 
-$auth = post_str("auth", true);
+$user = get_logged_in_user();
 $email_addr = strtolower(post_str("email_addr", true));
 
-$old_passwd = post_str("old_passwd", true);
 $passwd = post_str("passwd");
 $passwd2 = post_str("passwd2");
 
@@ -41,33 +40,18 @@ if (!is_ascii($passwd)) {
     error_page(tra("Passwords may only include ASCII characters."));
 }
 
-if (strlen($passwd)<$min_passwd_length) {
+if (strlen($passwd) < $min_passwd_length) {
     error_page(tra("New password is too short: minimum password length is %1 characters.", $min_passwd_length));
 }
-if ($auth) {
-    $user = BoincUser::lookup_auth($auth);
-    if (!$user) {
-        error_page(tra("Invalid account key"));
-    }
-} else {
-    $user = BoincUser::lookup_email_addr($email_addr);
-    if (!$user) {
-        error_page(tra("No account with that email address was found"));
-    }
-    $passwd_hash = md5($old_passwd.$email_addr);
-    if ($user->passwd_hash != $passwd_hash) {
-        error_page(tra("Invalid password"));
-    }
+
+$passwd_hash = md5($passwd.$user->email_addr);
+$result = $user->update("passwd_hash='$passwd_hash'");
+if (!$result) {
+    error_page(tra("We can't update your password due to a database problem. Please try again later."));
 }
 
 page_head(tra("Change password"));
-$passwd_hash = md5($passwd.$user->email_addr);
-$result = $user->update("passwd_hash='$passwd_hash'");
-if ($result) {
-    echo tra("Your password has been changed.");
-} else {
-    echo tra("We can't update your password due to a database problem. Please try again later.");
-}
-
+echo tra("Your password has been changed.");
 page_tail();
+
 ?>
diff --git a/html/user/edit_passwd_form.php b/html/user/edit_passwd_form.php
index 60f576114a..795b356582 100644
--- a/html/user/edit_passwd_form.php
+++ b/html/user/edit_passwd_form.php
@@ -1,7 +1,7 @@
 <?php
 // This file is part of BOINC.
 // http://boinc.berkeley.edu
-// Copyright (C) 2008 University of California
+// Copyright (C) 2014 University of California
 //
 // BOINC is free software; you can redistribute it and/or modify it
 // under the terms of the GNU Lesser General Public License
@@ -20,7 +20,7 @@ require_once("../inc/util.inc");
 
 check_get_args(array());
 
-$user = get_logged_in_user(false);
+$user = get_logged_in_user();
 
 page_head(tra("Change password"));
 
@@ -28,28 +28,7 @@ echo "
     <form method=post action=".secure_url_base()."edit_passwd_action.php>
 ";
 
-
-if ($user) {
-    echo "
-        <input type=hidden name=auth value=$user->authenticator>
-    ";
-    start_table();
-} else {
-    start_table();
-    row1(tra("You can identify yourself using either").
-        "<ul>".
-        "<li>".tra("your email address and old password").
-        "<li>".tra("your account key").
-        "</ul>"
-    );
-    row2(tra("Email address"), "<input name=email_addr size=40>");
-    row2(tra("Current password"), "<input type=password name=old_passwd size=40>");
-    row2(
-        tra("<b>OR</b>: Account key").
-        "<br><font size=-2><a href=get_passwd.php>".tra("Get account key by email")."</a>",
-        "<input name=auth size=40>"
-    );
-}
+start_table();
 row2(tra("New password"), "<input type=password name=passwd size=40>");
 row2(tra("New password, again"), "<input type=password name=passwd2 size=40>");
 row2("", "<input class=\"btn btn-default\" type=submit value='".tra("Change password")."'>");