fix: request a password to change sensitive user data (#5629)

Ariel Leyva
2026-01-03 02:44:03 -05:00
committed by GitHub
parent 943e5340d0
commit b8151a038a
9 changed files with 103 additions and 26 deletions


@@ -69,6 +69,15 @@
v-model="passwordConf"
name="passwordConf"
/>
<input
v-if="isCurrentPasswordRequired"
:class="passwordClass"
type="password"
:placeholder="t('settings.currentPassword')"
v-model="currentPassword"
name="current_password"
autocomplete="current-password"
/>
</div>
<div class="card-action">
@@ -87,7 +96,7 @@
<script setup lang="ts">
import { useAuthStore } from "@/stores/auth";
import { useLayoutStore } from "@/stores/layout";
import { users as api } from "@/api";
import { users as api, settings } from "@/api";
import AceEditorTheme from "@/components/settings/AceEditorTheme.vue";
import Languages from "@/components/settings/Languages.vue";
import { computed, inject, onMounted, ref } from "vue";
@@ -102,6 +111,8 @@ const $showError = inject<IToastError>("$showError")!;
const password = ref<string>("");
const passwordConf = ref<string>("");
const currentPassword = ref<string>("");
const isCurrentPasswordRequired = ref<boolean>(false);
const hideDotfiles = ref<boolean>(false);
const singleClick = ref<boolean>(false);
const dateFormat = ref<boolean>(false);
@@ -131,6 +142,9 @@ onMounted(async () => {
dateFormat.value = authStore.user.dateFormat;
aceEditorTheme.value = authStore.user.aceEditorTheme;
layoutStore.loading = false;
const { authMethod } = await settings.get();
isCurrentPasswordRequired.value = authMethod == "json";
return true;
});
@@ -140,6 +154,7 @@ const updatePassword = async (event: Event) => {
if (
password.value !== passwordConf.value ||
password.value === "" ||
currentPassword.value === "" ||
authStore.user === null
) {
return;
@@ -151,7 +166,7 @@ const updatePassword = async (event: Event) => {
id: authStore.user.id,
password: password.value,
};
await api.update(data, ["password"]);
await api.update(data, ["password"], currentPassword.value);
authStore.updateUser(data);
$showSuccess(t("settings.passwordUpdated"));
} catch (e: any) {
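Review bot: The new `currentPassword.value === "" ||` term in the `updatePassword` guard is unconditional, but the input bound to `currentPassword` is rendered only when `isCurrentPasswordRequired` is true, so under any auth method other than `"json"` the field is hidden, the ref stays empty and the function returns silently without changing the password. Gate the check on the flag: `(isCurrentPasswordRequired.value && currentPassword.value === "") ||`. The same silent dead end occurs if the added `await settings.get()` in `onMounted` rejects (for example if that endpoint is restricted to admins, which is not visible here), because the flag then stays `false`; a `try`/`catch` that calls `$showError` would surface it. Since the flag is only a display hint, the server handler behind `api.update` (outside this section) has to verify the current password itself. `updatePassword` and `onMounted` both start outside the hunks.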


@@ -15,6 +15,19 @@
:isDefault="false"
:isNew="isNew"
/>
<p v-if="isCurrentPasswordRequired">
<label for="currentPassword">{{
t("settings.currentPassword")
}}</label>
<input
class="input input--block"
type="password"
v-model="currentPassword"
id="currentPassword"
autocomplete="current-password"
/>
</p>
</div>
<div class="card-action">
@@ -63,6 +76,8 @@ const error = ref<StatusError>();
const originalUser = ref<IUser>();
const user = ref<IUser>();
const createUserDir = ref<boolean>(false);
const currentPassword = ref<string>("");
const isCurrentPasswordRequired = ref<boolean>(false);
const $showError = inject<IToastError>("$showError")!;
const $showSuccess = inject<IToastSuccess>("$showSuccess")!;
@@ -90,7 +105,12 @@ const fetchData = async () => {
try {
if (isNew.value) {
const { defaults, createUserDir: _createUserDir } = await settings.get();
const {
authMethod,
defaults,
createUserDir: _createUserDir,
} = await settings.get();
isCurrentPasswordRequired.value = authMethod == "json";
createUserDir.value = _createUserDir;
user.value = {
...defaults,
@@ -101,6 +121,8 @@ const fetchData = async () => {
id: 0,
};
} else {
const { authMethod } = await settings.get();
isCurrentPasswordRequired.value = authMethod == "json";
const id = Array.isArray(route.params.id)
? route.params.id.join("")
: route.params.id;
@@ -151,11 +173,11 @@ const save = async (event: Event) => {
...user.value,
};
const loc = await api.create(newUser);
const loc = await api.create(newUser, currentPassword.value);
router.push({ path: loc || "/settings/users" });
$showSuccess(t("settings.userCreated"));
} else {
await api.update(user.value);
await api.update(user.value, ["all"], currentPassword.value);
if (user.value.id === authStore.user?.id) {
authStore.updateUser(user.value);
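Review bot: The admin's password stays in `currentPassword` after `api.update(user.value, ["all"], currentPassword.value)` succeeds, and as far as this hunk shows the edit path does not navigate away, so the secret remains in component state and in the rendered input until the view is left. Resetting it right after the call with `currentPassword.value = "";` shortens its lifetime and forces re-entry for the next sensitive change. `save` also sends the request with an empty password when `isCurrentPasswordRequired` is true; an early `if (isCurrentPasswordRequired.value && currentPassword.value === "") return;` would match the profile view, though the server handlers behind `api.create` and `api.update` (not shown) must still reject a missing or wrong password. In `fetchData`, `settings.get()` and `isCurrentPasswordRequired.value = authMethod == "json"` are now duplicated in both branches and could be hoisted above `if (isNew.value)`, using `===`. `save` and `fetchData` both start and end outside the hunks.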