diff --git a/backend/core/core.js b/backend/core/core.js
index 504d53e..4f3dfa2 100644
--- a/backend/core/core.js
+++ b/backend/core/core.js
@@ -103,7 +103,7 @@ async function getUser({ user_id, username, include_password = false }) {
 async function editUser({ requester_id, user_id, user_content }) {
 const valid_settings = ['display_name', 'password', 'role']; // Valid settings that can be changed
- let user = await getUser({ user_id: user_id });
+ let user = await getUser({ user_id: user_id, include_password: true });
 if (!user.success) return _r(false, "User not found");
 user = user.data;
@@ -113,6 +113,11 @@ async function editUser({ requester_id, user_id, user_content }) {
 if (!valid_settings.includes(setting_name)) return _r(false, "Invalid setting.");
 if (setting_name == 'password'){
+ // Check if current password value is correct
+ const password_match = await bcrypt.compare(user_content.original_password, user.password);
+ if (!password_match) return _r(false, "Incorrect password")
+
+ // If successful, compute new password hash
 user_content.value = await bcrypt.hash(user_content.value, 10);
 }
diff --git a/frontend/views/themes/default/js/editAuthor.js b/frontend/views/themes/default/js/editAuthor.js
index 343ad78..f80fec8 100644
--- a/frontend/views/themes/default/js/editAuthor.js
+++ b/frontend/views/themes/default/js/editAuthor.js
@@ -8,7 +8,7 @@ async function changeValue(setting_name, element) {
 // TODO: On failure, notify the user
 if (response.body.success) {
- alert("Successfully changed password");
+ alert("Successfully changed setting.");
 }
 }
 const change_password_dialog = qs("#change-password-dialog");
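Review bot: With `include_password: true`, `user.password` is populated for every editUser call, including display_name and role edits that never need the hash, and editUser's body continues past this hunk so it is not visible whether `user` is later returned, logged or merged into a response. Consider fetching the hash only inside the `setting_name == 'password'` branch, or dropping it right after the comparison, `delete user.password;`, so a later response or log line cannot expose it. The same loaded hash is what the second core.js hunk compares against.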
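Review bot: `bcrypt.compare(user_content.original_password, user.password)` runs without checking that `original_password` was supplied at all; when a client omits it, the common bcrypt implementations reject with an arguments error rather than resolving to false, so the request fails with an unhandled rejection instead of the intended `Incorrect password` result. Add a guard before the compare, `if (typeof user_content.original_password !== 'string') return _r(false, "Incorrect password");`, and end the new `return _r(false, "Incorrect password")` with a semicolon to match the surrounding lines. Whether requester_id is compared against user_id is decided outside this hunk (lines 110–112 are not shown); note the change also means any privileged requester editing another user's password must now know that user's current password, which may or may not be intended for role-based edits. editUser's body continues past this hunk.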
@@ -29,9 +29,19 @@ function changePasswordInputUpdate() {
 return (status.innerHTML = " ");
 }
-function sendPasswordUpdate() {
+async function sendPasswordUpdate() {
 const new_password_1 = qs("#cp-new-1");
- // Check fields match
- // Send post update
- changeValue("password", new_password_1);
+ const original_password_value = qs("#cp-current").value
+
+ const form = {
+ setting_name: "password",
+ value: new_password_1.value,
+ original_password: original_password_value,
+ id: window.location.href.split("/")[4],
+ };
+ const response = await request(`/api/web/user`, "PATCH", form);
+
+ if (response.body.success) {
+ alert("Successfully changed password");
+ }
 }
\ No newline at end of file
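Review bot: `sendPasswordUpdate` only reacts to `response.body.success`; the backend now answers with an `Incorrect password` failure when the current password is wrong, and this function drops that outcome silently, leaving the dialog open with no feedback — the `// TODO: On failure, notify the user` in changeValue applies here as well. Add an else branch such as `} else { alert("Password change failed."); }`, surfacing whatever message field `_r()` puts in the body if the project exposes one. The removed `// Check fields match` step has no replacement: nothing compares `#cp-new-1` against a confirmation field before the request is sent, unless changePasswordInputUpdate (which starts outside this hunk) already blocks submission on a mismatch — worth confirming. Minor: `qs("#cp-current").value` is missing its semicolon, and `window.location.href.split("/")[4]` is brittle, breaking as soon as the route gains or loses a segment; reading the user id from the page rather than a fixed URL position would be more robust.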