authorGravatar Inverle <inverle@proton.me> 2025-07-31 09:24:37 +0200
committerGravatar GitHub <noreply@github.com> 2025-07-31 09:24:37 +0200
commitf85333e98adff296700e01ece8843aaf94694257 (patch)
treec1c1a36a06f2d9fe824c3284757cd8761bd3f9d3 /app/views
parent7a0c423357818b19eb431775452b1357bc7fd3eb (diff)
Require current password when setting new password (#7763)
* Require current password when setting new password * i18n: fr --------- Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Diffstat (limited to 'app/views')
-rw-r--r--app/views/user/details.phtml2
-rw-r--r--app/views/user/profile.phtml62
2 files changed, 48 insertions, 16 deletions
diff --git a/app/views/user/details.phtml b/app/views/user/details.phtml
index 1ea8f62d8..6f0cbae3e 100644
--- a/app/views/user/details.phtml
+++ b/app/views/user/details.phtml
@@ -60,7 +60,7 @@
<div class="group-controls">
<div class="stick">
<input type="password" id="newPasswordPlain" name="newPasswordPlain" autocomplete="new-password"
- pattern=".{7,}" <?= cryptAvailable() ? '' : 'disabled="disabled" ' ?>/>
+ pattern=".{7,}" <?= cryptAvailable() && Minz_User::name() !== $this->username ? '' : 'disabled="disabled" ' ?>/>
<button type="button" class="btn toggle-password" data-toggle="newPasswordPlain"><?= _i('key') ?></button>
</div>
<p class="help"><?= _i('help'); ?> <?= _t('admin.user.password_format') ?></p>
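Review bot: The own-account guard added to `newPasswordPlain` is only a `disabled` attribute in the view, so it keeps the browser from submitting the field but does nothing about a request that carries the field anyway. The controller that handles this form is not part of this diff (it is limited to app/views); it should apply the same `Minz_User::name() !== $this->username` test before accepting a new password, otherwise this page remains a way to change one's own password without the current-password step that profile.phtml now asks for. A short comment above the input, e.g. `<?php // Own password is changed on the profile page, which asks for the current password ?>`, would also explain why the field is greyed out.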
diff --git a/app/views/user/profile.phtml b/app/views/user/profile.phtml
index 8f3633eb3..5f7991887 100644
--- a/app/views/user/profile.phtml
+++ b/app/views/user/profile.phtml
@@ -7,7 +7,7 @@
?>
<main class="post">
- <form method="post" action="<?= _url('user', 'profile') ?>">
+ <form id="crypto-form" method="post" action="<?= _url('user', 'profile') ?>">
<input type="hidden" name="_csrf" value="<?= FreshRSS_Auth::csrfToken() ?>" />
<h1><?= _t('conf.profile') ?></h1>
@@ -32,20 +32,7 @@
<div class="form-group">
<label class="group-name" for="email"><?= _t('conf.profile.email') ?></label>
<div class="group-controls">
- <input id="email" name="email" type="email" value="<?= FreshRSS_Context::userConf()->mail_login ?>" />
- </div>
- </div>
-
- <div class="form-group">
- <label class="group-name" for="newPasswordPlain"><?= _t('conf.profile.password_form') ?></label>
- <div class="group-controls">
- <div class="stick">
- <input type="password" id="newPasswordPlain" name="newPasswordPlain" autocomplete="new-password"
- pattern=".{7,}" <?= cryptAvailable() ? '' : 'disabled="disabled" ' ?>/>
- <button type="button" class="btn toggle-password" data-toggle="newPasswordPlain"><?= _i('key') ?></button>
- </div>
- <p class="help"><?= _i('help') ?> <?= _t('conf.profile.password_format') ?></p>
- <noscript><b><?= _t('gen.js.should_be_activated') ?></b></noscript>
+ <input id="email" name="email" type="email" autocomplete="new-password" value="<?= FreshRSS_Context::userConf()->mail_login ?>" />
</div>
</div>
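Review bot: `autocomplete="new-password"` on the `email` input is a token defined for password fields, and nothing in the hunk says why it is applied to a `type="email"` control. If the aim is to stop password managers from autofilling this field now that a current-password field sits in the same form, say so in a comment; otherwise use `autocomplete="email"`. The same line prints `mail_login` into the `value` attribute with no escaping at the point of output. Whether the value is already HTML-encoded when stored is not visible here, so that is worth confirming.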
@@ -63,6 +50,51 @@
</div>
<?php } ?>
+ <?php
+ $open = Minz_Session::paramBoolean('open');
+ Minz_Session::_param('open', false);
+ ?>
+
+ <details class="form-advanced" data-challenge-if-not-empty="1"<?= $open ? ' open="open"' : ''?>>
+ <summary class="form-advanced-title"><?= _t('conf.profile.change_password') ?></summary>
+ <div class="form-group">
+ <label class="group-name" for="passwordPlain"><?= _t('conf.profile.current_password') ?></label>
+ <div class="group-controls">
+ <input type="hidden" id="username" value="<?= Minz_User::name() ?? '' ?>" />
+ <div class="stick">
+ <input type="password" id="passwordPlain" />
+ <button type="button" class="btn toggle-password" data-toggle="passwordPlain"><img class="icon" src="../themes/icons/key.svg" loading="lazy" alt="🔑"></button>
+ </div>
+
+ <noscript>
+ <br />
+ <strong><?= _t('gen.js.should_be_activated') ?></strong>
+ </noscript>
+ </div>
+ </div>
+ <div class="form-group">
+ <label class="group-name" for="newPasswordPlain"><?= _t('conf.profile.new_password') ?></label>
+ <div class="group-controls">
+ <div class="stick">
+ <input type="password" id="newPasswordPlain" name="newPasswordPlain" autocomplete="new-password" pattern=".{7,}" />
+ <button type="button" class="btn toggle-password" data-toggle="newPasswordPlain"><img class="icon" src="../themes/icons/key.svg" loading="lazy" alt="🔑"></button>
+ </div>
+ <p class="help">
+ <img class="icon" src="../themes/icons/help.svg" loading="lazy" alt="â„šī¸"> <?= _t('conf.profile.password_format') ?>
+ </p>
+ </div>
+ </div>
+ <div class="form-group">
+ <label class="group-name" for="confirmPasswordPlain"><?= _t('conf.profile.confirm_new_password') ?></label>
+ <div class="group-controls">
+ <div class="stick">
+ <input type="password" id="confirmPasswordPlain" name="confirmPasswordPlain" autocomplete="new-password" pattern=".{7,}" />
+ <button type="button" class="btn toggle-password" data-toggle="confirmPasswordPlain"><img class="icon" src="../themes/icons/key.svg" loading="lazy" alt="🔑"></button>
+ </div>
+ </div>
+ </div>
+ </details>
+
<div class="form-group form-actions">
<div class="group-controls">
<button type="submit" class="btn btn-important"><?= _t('gen.action.submit') ?></button>
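Review bot: The `passwordPlain` input has no `name`, so the browser never posts the current password itself; the proof of knowledge presumably comes from script bound to `crypto-form` and `data-challenge-if-not-empty`, which this diff does not show. The requirement therefore has to be enforced in the controller: a request with a non-empty `newPasswordPlain` and no valid challenge response, or with a `confirmPasswordPlain` that differs, must be refused whatever the page's script did. If the presumed design is right, I would add `<?php // No name attribute: the plain current password is not submitted, only a value derived from it client-side ?>` above the field and give the input `autocomplete="current-password"` so password managers offer the right secret. The three new icons are hard-coded as `<img src="../themes/icons/…">` where details.phtml uses `_i('key')`; the helper would keep the theme path in one place.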