From da3d9184b2e820991627a16ba90d3ad9d4a54a7b Mon Sep 17 00:00:00 2001
From: onefang
Date: Tue, 21 Apr 2020 05:58:46 +1000
Subject: Only check password on login.
---
 src/sledjchisl/sledjchisl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c
index 9f8ea6f..d150a2f 100644
--- a/src/sledjchisl/sledjchisl.c
+++ b/src/sledjchisl/sledjchisl.c
@@ -4693,7 +4693,9 @@ d("Sub accountView %s %s %s", getStrH(Rd->database, "UserAccounts.PrincipalID")
 else
 {
 // Check password on POST if the session user is the same as the shown user, coz this is the page shown on login.
- if ((strcmp("POST", Rd->Method) == 0) && (strcmp(Rd->shs.UUID, getStrH(Rd->database, "UserAccounts.PrincipalID")) == 0))
+ // Also only check on login.
+ if ((strcmp("POST", Rd->Method) == 0) && (strcmp(Rd->shs.UUID, getStrH(Rd->database, "UserAccounts.PrincipalID")) == 0)
+ && (strcmp("login", Rd->doit) == 0) && (strcmp("accountLogin", Rd->form) == 0))
 {
 char *h = checkSLOSpassword(Rd, getStrH(Rd->database, "auth.passwordSalt"), getStrH(Rd->body, "password"), getStrH(Rd->database, "auth.passwordHash"), "Login failed.");
 if (NULL == h)
-- 
cgit v1.1
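Review bot: With the two added `strcmp` terms, the password check in this `else` branch is now gated on `Rd->doit` and `Rd->form`, which look like request-supplied values, so any POST that names a different action or form skips `checkSLOSpassword` entirely. If the session's UUID can match `UserAccounts.PrincipalID` before a password has been verified, that is a fail-open path; the decision should rest on a server-side "password verified" state in the session rather than on field names the client sends, and the new comment should say what protects the other POSTs, e.g. `// Non-login POSTs rely on the session already being authenticated by <mechanism>.`. Both fields are also passed straight to `strcmp`, so unless they are guaranteed non-NULL earlier, put `&& Rd->doit && Rd->form` ahead of the comparisons. The enclosing function starts and ends outside this hunk, so the session setup and the code after `if (NULL == h)` are not visible here.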