fix: request a password to change sensitive user data (#5629)

2026-01-03 02:44:03 -05:00
parent 943e5340d0
commit b8151a038a
9 changed files with 103 additions and 26 deletions
--- a/frontend/src/views/settings/User.vue
+++ b/frontend/src/views/settings/User.vue
@@ -15,6 +15,19 @@
            :isDefault="false"
            :isNew="isNew"
          />
+
+          <p v-if="isCurrentPasswordRequired">
+            <label for="currentPassword">{{
+              t("settings.currentPassword")
+            }}</label>
+            <input
+              class="input input--block"
+              type="password"
+              v-model="currentPassword"
+              id="currentPassword"
+              autocomplete="current-password"
+            />
+          </p>
        </div>

        <div class="card-action">
@@ -63,6 +76,8 @@ const error = ref<StatusError>();
 const originalUser = ref<IUser>();
 const user = ref<IUser>();
 const createUserDir = ref<boolean>(false);
+const currentPassword = ref<string>("");
+const isCurrentPasswordRequired = ref<boolean>(false);

 const $showError = inject<IToastError>("$showError")!;
 const $showSuccess = inject<IToastSuccess>("$showSuccess")!;
@@ -90,7 +105,12 @@ const fetchData = async () => {

  try {
    if (isNew.value) {
-      const { defaults, createUserDir: _createUserDir } = await settings.get();
+      const {
+        authMethod,
+        defaults,
+        createUserDir: _createUserDir,
+      } = await settings.get();
+      isCurrentPasswordRequired.value = authMethod == "json";
      createUserDir.value = _createUserDir;
      user.value = {
        ...defaults,
@@ -101,6 +121,8 @@ const fetchData = async () => {
        id: 0,
      };
    } else {
+      const { authMethod } = await settings.get();
+      isCurrentPasswordRequired.value = authMethod == "json";
      const id = Array.isArray(route.params.id)
        ? route.params.id.join("")
        : route.params.id;
@@ -151,11 +173,11 @@ const save = async (event: Event) => {
        ...user.value,
      };

-      const loc = await api.create(newUser);
+      const loc = await api.create(newUser, currentPassword.value);
      router.push({ path: loc || "/settings/users" });
      $showSuccess(t("settings.userCreated"));
    } else {
-      await api.update(user.value);
+      await api.update(user.value, ["all"], currentPassword.value);

      if (user.value.id === authStore.user?.id) {
        authStore.updateUser(user.value);