From 1a87eb40bd6b5c1e5b781e2465ff8d4957cdcf7e Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Wed, 19 Feb 2020 16:55:38 -0500
Subject: [PATCH] Fixes #2841 and maintains login through password change
---
 web/includes/actions/user.php | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/web/includes/actions/user.php b/web/includes/actions/user.php
index bdbafd176..fde1c0d0f 100644
--- a/web/includes/actions/user.php
+++ b/web/includes/actions/user.php
@@ -45,8 +45,16 @@ if ( $action == 'user' ) {
 if ( !empty($_REQUEST['uid']) ) {
 dbQuery('UPDATE Users SET '.implode(', ', $changes).' WHERE Id = ?', array($_REQUEST['uid']));
 # If we are updating the logged in user, then update our session user data.
- if ( $user and ( $dbUser['Username'] == $user['Username'] ) )
- generateAuthHash(ZM_AUTH_HASH_IPS);
+ if ( $user and ( $dbUser['Username'] == $user['Username'] ) ) {
+ # We are the logged in user, need to update the $user object and generate a new auth_hash
+ $sql = 'SELECT * FROM Users WHERE Enabled=1 AND Id=?';
+ $user = dbFetchOne($sql, NULL, array($_REQUEST['uid']));
+
+ # Have to update auth hash in session
+ zm_session_start();
+ generateAuthHash(ZM_AUTH_HASH_IPS, true);
+ session_write_close();
+ }
 } else {
 dbQuery('INSERT INTO Users SET '.implode(', ', $changes));
 }
@@ -61,8 +69,8 @@ if ( $action == 'user' ) {
 $types = array();
 $changes = getFormChanges($dbUser, $_REQUEST['newUser'], $types);
- if (function_exists ('password_hash')) {
- $pass_hash = '"'.password_hash($pass, PASSWORD_BCRYPT).'"';
+ if ( function_exists('password_hash') ) {
+ $pass_hash = '"'.password_hash($_REQUEST['newUser']['Password'], PASSWORD_BCRYPT).'"';
 } else {
 $pass_hash = ' PASSWORD('.dbEscape($_REQUEST['newUser']['Password']).') ';
 ZM\Info ('Cannot use bcrypt as you are using PHP < 5.3');
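Review bot: The result of `dbFetchOne` on the new re-fetch line is assigned straight into `$user` without being checked, so when the SELECT returns no row — it filters on `Enabled=1`, so this happens as soon as the update disables the logged-in user's own account — `$user` becomes empty while `generateAuthHash(ZM_AUTH_HASH_IPS, true)` still runs and the session is kept open. Assign the row to a temporary and act on emptiness, e.g. `$row = dbFetchOne($sql, NULL, array($_REQUEST['uid']));` / `if ( !$row ) { ZM\Warning('Session user '.$_REQUEST['uid'].' is no longer enabled'); }` / `else { $user = $row; }`, and decide explicitly whether a now-disabled user should still receive a fresh hash. The same SELECT / `zm_session_start` / `generateAuthHash` / `session_write_close` sequence is repeated in the `@@ -75,8 +83,15 @@` hunk, so it is worth pulling into one helper so both paths stay in step. `SELECT *` also loads the stored password hash into `$user`; whether `$user` is later serialised into the session is not visible here, but if it is, a narrower column list would keep the hash out of session storage. The enclosing `if ( $action == 'user' )` block starts and ends outside this hunk.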
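Review bot: The bcrypt hash on the new `$pass_hash` line is wrapped in literal double quotes so it can be spliced into the `UPDATE Users SET` string later rather than passed as a bound value; the bcrypt output alphabet cannot break that quoting, but binding it the way the `Id=?` parameter already is would remove hand-built SQL from the password path and is the form a future reader will expect. Where `$pass_hash` is consumed lies outside this hunk, so the exact change to the `$changes` entry cannot be shown here. The untouched `else` branch still passes the cleartext password through MySQL's `PASSWORD()` via `dbEscape`, and its log line names `PHP < 5.3` although `password_hash()` only arrived in PHP 5.5; since the commit already rewrites the `if`, changing the message to `'Cannot use bcrypt as you are using PHP < 5.5'` would be cheap. The enclosing block starts before and continues after this hunk.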
@@ -75,8 +83,15 @@ if ( $action == 'user' ) {
 }
 if ( count($changes) ) {
 dbQuery('UPDATE Users SET '.implode(', ', $changes).' WHERE Id=?', array($uid));
+
+ # We are the logged in user, need to update the $user object and generate a new auth_hash
+ $sql = 'SELECT * FROM Users WHERE Enabled=1 AND Id=?';
+ $user = dbFetchOne($sql, NULL, array($uid));
+
+ zm_session_start();
+ generateAuthHash(ZM_AUTH_HASH_IPS, true);
+ session_write_close();
 $refreshParent = true;
- generateAuthHash(ZM_AUTH_HASH_IPS);
 }
 $view = 'none';
 }
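Review bot: The new comment `# We are the logged in user` is asserted without a visible check that `$uid` is the logged-in user's id; `$uid` is set before this hunk, so if this path can be reached for another user's id the re-fetch would replace the current session's `$user` with that other account — please confirm where `$uid` comes from, or guard the reload the way the first hunk does, e.g. `if ( $user and ( $uid == $user['Id'] ) ) {`. As in the first hunk, the `dbFetchOne` result is not checked for an empty row before `generateAuthHash(ZM_AUTH_HASH_IPS, true)` runs. Regenerating the hash keeps this session alive after the password change, which is the commit's intent, but it is not visible here whether hashes previously issued for the same account are invalidated; if a password change is meant to end other sessions, that needs confirming in `generateAuthHash`. The enclosing block continues outside the hunk.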