From 0967647f4dcbdd5c0eaeec3d67d8a159f1791e63 Mon Sep 17 00:00:00 2001
From: Demian Katz
Date: Wed, 28 Aug 2024 15:38:44 -0400
Subject: [PATCH] Verify existing password before changing password.

---
 .../GeebyDeeby/Controller/AbstractBase.php | 18 ++++++++
 .../GeebyDeeby/Controller/IndexController.php | 12 +++---
 .../GeebyDeeby/Controller/UserController.php | 43 ++++++++++++-------
 .../view/geeby-deeby/user/edit.phtml | 6 ++-
 4 files changed, 56 insertions(+), 23 deletions(-)

diff --git a/module/GeebyDeeby/src/GeebyDeeby/Controller/AbstractBase.php b/module/GeebyDeeby/src/GeebyDeeby/Controller/AbstractBase.php
index 6dd94e09..f0a20eb4 100644
--- a/module/GeebyDeeby/src/GeebyDeeby/Controller/AbstractBase.php
+++ b/module/GeebyDeeby/src/GeebyDeeby/Controller/AbstractBase.php
@@ -475,6 +475,24 @@ protected function forceLogin($extras = [], $forward = true)
 : $this->redirect()->toRoute('login');
 }
 
+ /**
+ * Perform authentication
+ *
+ * @param string $username Username
+ * @param string $password Password
+ *
+ * @return \GeebyDeeby\Authentication\Adapter
+ * @throws \Exception
+ */
+ protected function getAuthenticationAdapter($username, $password)
+ {
+ return new \GeebyDeeby\Authentication\Adapter(
+ $this->getDbTable('user'),
+ $username,
+ $password
+ );
+ }
+
 /**
 * Format an RDF response.
 *
diff --git a/module/GeebyDeeby/src/GeebyDeeby/Controller/IndexController.php b/module/GeebyDeeby/src/GeebyDeeby/Controller/IndexController.php
index 079a39b8..a0979f15 100644
--- a/module/GeebyDeeby/src/GeebyDeeby/Controller/IndexController.php
+++ b/module/GeebyDeeby/src/GeebyDeeby/Controller/IndexController.php
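Review bot: The docblock summary `Perform authentication` on the new getAuthenticationAdapter() does not describe what the method does — it only constructs and returns a \GeebyDeeby\Authentication\Adapter and never calls authenticate(), so a reader may expect a result object back. I would change the summary to `* Build an authentication adapter for the given credentials; the caller must call authenticate() on the returned adapter.` The `@throws \Exception` tag cannot be confirmed from this hunk — keep it only if the Adapter constructor actually throws, otherwise it misleads callers into wrapping the call. If the file is moving towards native types, `string $username, string $password` plus a declared return type would also let static analysis flag a null coming from fromPost() at the call sites.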
@@ -59,13 +59,13 @@ public function loginAction()
 {
 $view = $this->createViewModel();
 if ($this->getRequest()->isPost()) {
- $adapter = new \GeebyDeeby\Authentication\Adapter(
- $this->getDbTable('user'),
- $this->params()->fromPost('user'),
- $this->params()->fromPost('pass')
- );
 try {
- $result = $this->getAuth()->authenticate($adapter);
+ $result = $this->getAuth()->authenticate(
+ $this->getAuthenticationAdapter(
+ $this->params()->fromPost('user'),
+ $this->params()->fromPost('pass')
+ )
+ );
 } catch (\GeebyDeeby\Authentication\UnapprovedUserException $e) {
 $view->msg = 'Your account has not been approved yet.';
 return $view;
diff --git a/module/GeebyDeeby/src/GeebyDeeby/Controller/UserController.php b/module/GeebyDeeby/src/GeebyDeeby/Controller/UserController.php
index 54ab5db9..acb86d30 100644
--- a/module/GeebyDeeby/src/GeebyDeeby/Controller/UserController.php
+++ b/module/GeebyDeeby/src/GeebyDeeby/Controller/UserController.php
@@ -146,6 +146,7 @@ public function editAction()
 if (null !== $this->params()->fromPost('submit')) {
 $view->fullname = $this->params()->fromPost('Fullname');
 $view->address = $this->params()->fromPost('Address');
+ $password = $this->params()->fromPost('Password');
 $password1 = $this->params()->fromPost('Password1');
 $password2 = $this->params()->fromPost('Password2');
 if ($view->fullname == '') {
@@ -156,22 +157,34 @@ public function editAction()
 ) {
 $view->error = 'Your passwords did not match. Please try again.';
 } else {
- $table = $this->getDbTable('user');
- $update = [
- 'Name' => $view->fullname, 'Address' => $view->address,
- ];
- if (!empty($password1)) {
- $hasher = new PasswordHasher();
- $update['Password_Hash'] = $hasher->create($password1);
+ try {
+ $passwordCheck = $this->getAuthenticationAdapter(
+ $view->user['Username'],
+ $password
+ )->authenticate();
+ } catch (\Exception $e) {
+ $passwordCheck = null;
+ }
+ if (!empty($password1) && !($passwordCheck?->isValid())) {
+ $view->error = 'The existing password you provided is incorrect.';
+ } else {
+ $table = $this->getDbTable('user');
+ $update = [
+ 'Name' => $view->fullname, 'Address' => $view->address,
+ ];
+ if (!empty($password1)) {
+ $hasher = new PasswordHasher();
+ $update['Password_Hash'] = $hasher->create($password1);
+ }
+ $table->update(
+ $update,
+ ['User_ID' => $view->user['User_ID']]
+ );
+ return $this->redirect()->toRoute(
+ 'user',
+ ['id' => $view->user['User_ID']]
+ );
 }
- $table->update(
- $update,
- ['User_ID' => $view->user['User_ID']]
- );
- return $this->redirect()->toRoute(
- 'user',
- ['id' => $view->user['User_ID']]
- );
 }
 } else {
 $view->fullname = $view->user['Name'];
diff --git a/module/GeebyDeeby/view/geeby-deeby/user/edit.phtml b/module/GeebyDeeby/view/geeby-deeby/user/edit.phtml
index ff1f09c0..9b0773a7 100644
--- a/module/GeebyDeeby/view/geeby-deeby/user/edit.phtml
+++ b/module/GeebyDeeby/view/geeby-deeby/user/edit.phtml
@@ -13,9 +13,11 @@ leave the password fields blank.
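Review bot: The existing-password check at the top of the new `else` branch runs on every profile edit, not only when a password change is requested — the adapter is built and `authenticate()` is called unconditionally, and only the result is gated by `!empty($password1)`. When the user leaves the password fields blank, `$password` read in the `@@ -146` hunk is an empty string (or null if the field is absent), so every name/address save triggers a failed authentication attempt against the account, which matters if the adapter or anything around it logs or counts failed logins; moving the check inside the `!empty($password1)` branch removes that attempt while keeping the fail-closed `catch`. That `catch (\Exception $e)` also turns database or adapter errors into "incorrect password", which is the safe direction but deserves a comment such as `// any failure during verification is treated as a wrong password (fail closed)`. Whether `$view->user['Username']` is always the logged-in user cannot be seen here; if administrators can edit other accounts through this action, the check would demand the target user's password rather than the editor's. editAction begins and ends outside the hunk.
```php
                // Only verify the existing password when a change is requested;
                // any failure during verification is treated as a wrong password (fail closed).
                $passwordValid = true;
                if (!empty($password1)) {
                    try {
                        $passwordValid = $this->getAuthenticationAdapter(
                            $view->user['Username'],
                            $password ?? ''
                        )->authenticate()->isValid();
                    } catch (\Exception $e) {
                        $passwordValid = false;
                    }
                }
                if (!$passwordValid) {
                    $view->error = 'The existing password you provided is incorrect.';
                } else {
                    // … unchanged: build $update, $table->update(), redirect …
                }
```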

- + + + - +