From dc0374df2ba76876765fac373e0de69e642a98dc Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@fakecake.org>
Date: Thu, 16 Aug 2012 18:27:26 +0400
Subject: auth_internal.change_password: do not rely on session

---
 classes/auth_internal.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'classes/auth_internal.php')

diff --git a/classes/auth_internal.php b/classes/auth_internal.php
index eb376568d..8890d4455 100644
--- a/classes/auth_internal.php
+++ b/classes/auth_internal.php
@@ -75,14 +75,15 @@ class Auth_Internal extends Auth_Base {
 	function change_password($owner_uid, $old_password, $new_password) {
 		$owner_uid = db_escape_string($owner_uid);
 
-		$result = db_query($this->link, "SELECT salt FROM ttrss_users WHERE
+		$result = db_query($this->link, "SELECT salt,login FROM ttrss_users WHERE
 			id = '$owner_uid'");
 
 		$salt = db_fetch_result($result, 0, "salt");
+		$login = db_fetch_result($result, 0, "login");
 
 		if (!$salt) {
 			$old_password_hash1 = encrypt_password($old_password);
-			$old_password_hash2 = encrypt_password($old_password, $_SESSION["name"]);
+			$old_password_hash2 = encrypt_password($old_password, $login);
 
 			$query = "SELECT id FROM ttrss_users WHERE
 				id = '$owner_uid' AND (pwd_hash = '$old_password_hash1' OR
-- 
cgit v1.2.3