From 5c3d6b49d5db5bb3504191933dd171b54219c2b3 Mon Sep 17 00:00:00 2001
From: cflip <36554078+cflip@users.noreply.github.com>
Date: Sun, 25 Apr 2021 17:50:21 -0600
Subject: Add some extra checks before changing a password

---
 includes/functions_user.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/includes/functions_user.php b/includes/functions_user.php
index b2069a2..4ea1ad1 100644
--- a/includes/functions_user.php
+++ b/includes/functions_user.php
@@ -16,6 +16,16 @@ function register_user(string $username, string $pass_hash)
 
 function change_password(User $user, string $pass_hash)
 {
+	if (!Session::get()->is_signed_in()) {
+		trigger_error('You are not signed in.');
+		return;
+	}
+
+	if (Session::get()->get_current_user()->id != $user->id) {
+		trigger_error("You can't change another user's password.");
+		return;
+	}
+
 	$sql = "UPDATE users SET user_pass = ? WHERE user_id = ?;";
 	Database::get()->query($sql, "si", $pass_hash, $user->id);
 }
\ No newline at end of file
-- 
cgit v1.2.3