Verify that oldPassword is not empty
Hello
I suggest a small change to verify that the old password is not empty when a user changes his password and portalRequireOldPassword is set to 1 but ldapSetPassword=0, ldapPpolicyControl=0 and ldapChangePasswordAsUser=0.
Actually, the code in portal/_LDAP.pm (near line 270) is:
    if ($oldpassword) {
        # Check old password with a bind
        $mesg = $self->bind( $dn, password => $oldpassword );
        return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
I suggest something like this instead:
    if ( $self->{portal}->{portalRequireOldPassword} ) {
        return PE_PP_MUST_SUPPLY_OLD_PASSWORD if ( !$oldpassword );
        # Check old password with a bind
        $mesg = $self->bind( $dn, password => $oldpassword );
        return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
A new constant PE_MUST_SUPPLY_OLD_PASSWORD should be created (because PE_PP_MUST_SUPPLY_OLD_PASSWORD is for pPolicyControl), but with the same user message.
Do you agree?
Sincerely,
Quentin JABOEUF (Nantes Métropole)
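
The difference between the two checks quoted in the post, as an added example that is not part of the original post or of the LemonLDAP::NG code base. The string result codes, the `stub_bind_code` helper standing in for the LDAP bind, the function names `check_current` and `check_suggested`, and the sample directory entry are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in result codes (strings for readability; not the portal's real values).
use constant {
    PE_OK                       => 'PE_OK',
    PE_BADOLDPASSWORD           => 'PE_BADOLDPASSWORD',
    PE_MUST_SUPPLY_OLD_PASSWORD => 'PE_MUST_SUPPLY_OLD_PASSWORD', # constant proposed in the post
};

# Hypothetical stub for the LDAP bind: 0 on success, 49 (invalidCredentials) otherwise.
my %directory = ( 'uid=alice,dc=example,dc=com' => 'correct-old' );    # constructed data

sub stub_bind_code {
    my ( $dn, $password ) = @_;
    return ( exists $directory{$dn} && $directory{$dn} eq $password ) ? 0 : 49;
}

# Check as quoted in the post: the bind only runs when a value was submitted,
# so an empty old password skips verification entirely.
sub check_current {
    my ( $conf, $dn, $oldpassword ) = @_;
    if ($oldpassword) {
        return PE_BADOLDPASSWORD if stub_bind_code( $dn, $oldpassword ) != 0;
    }
    return PE_OK;    # the password change would proceed
}

# Check as suggested in the post: the configuration decides whether the old
# password is verified, and an empty value is rejected before any bind is sent.
sub check_suggested {
    my ( $conf, $dn, $oldpassword ) = @_;
    if ( $conf->{portalRequireOldPassword} ) {
        return PE_MUST_SUPPLY_OLD_PASSWORD if !$oldpassword;
        return PE_BADOLDPASSWORD if stub_bind_code( $dn, $oldpassword ) != 0;
    }
    return PE_OK;
}

my $conf = { portalRequireOldPassword => 1 };
my $dn   = 'uid=alice,dc=example,dc=com';
for my $case ( [ empty => '' ], [ undef => undef ], [ wrong => 'guess' ], [ correct => 'correct-old' ] ) {
    my ( $label, $old ) = @$case;
    printf "%-8s current=%-18s suggested=%s\n", $label,
      check_current( $conf, $dn, $old ), check_suggested( $conf, $dn, $old );
}
```

Returning before the bind when the value is empty also keeps an empty password from ever reaching the directory, where some servers treat a bind with a DN and no password as an unauthenticated bind that succeeds.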