From 204902c9dd654a2bc0e7400b057bcd8c4a60ab54 Mon Sep 17 00:00:00 2001
From: Ivan Kohler
Date: Wed, 7 May 2014 02:05:39 -0700
Subject: [PATCH] check old_password if passed to self-service API, require with config setting, RT#29015
---
 FS/FS/ClientAPI/MyAccount.pm | 7 +++++++
 FS/FS/Conf.pm | 7 +++++++
 2 files changed, 14 insertions(+)
diff --git a/FS/FS/ClientAPI/MyAccount.pm b/FS/FS/ClientAPI/MyAccount.pm
index 5b590da2b..47f3bd88e 100644
--- a/FS/FS/ClientAPI/MyAccount.pm
+++ b/FS/FS/ClientAPI/MyAccount.pm
@@ -2856,6 +2856,13 @@ sub myaccount_passwd {
 my $error = '';
 my $conf = new FS::Conf;
+
+ return { 'error' => 'Incorrect current password.' }
+ if ( exists($p->{'old_password'})
+ || $conf->exists('selfservice-password_change_oldpass')
+ )
+ && ! $svc_acct->check_password($p->{'old_password'});
+
 $error = 'Password too short.' if length($p->{'new_password'}) < ($conf->config('passwordmin') || 6);
 $error = 'Password too long.'
diff --git a/FS/FS/Conf.pm b/FS/FS/Conf.pm
index 751a95966..adf5c867b 100644
--- a/FS/FS/Conf.pm
+++ b/FS/FS/Conf.pm
@@ -2868,6 +2868,13 @@ and customer address. Include units.',
 %msg_template_options,
 },
+ {
+ 'key' => 'selfservice-password_change_oldpass',
+ 'section' => 'self-service',
+ 'description' => 'Require old password to be entered again for password changes (in addition to being logged in), at the API level.',
+ 'type' => 'checkbox',
+ },
+
 {
 'key' => 'selfservice-hide_invoices-taxclass',
 'section' => 'self-service',
--
2.20.1
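Review bot: In the guard added to `myaccount_passwd`, a request that omits `old_password` while `selfservice-password_change_oldpass` is set reaches `$svc_acct->check_password(undef)`, so rejecting it depends entirely on how `check_password` (not visible here) treats an undefined or empty value. I would reject that case explicitly before the comparison, e.g. `return { 'error' => 'Current password required.' } if $conf->exists('selfservice-password_change_oldpass') && ! ( defined($p->{'old_password'}) && length($p->{'old_password'}) );`. Nothing in the hunk counts or logs a failed comparison either, so if the surrounding code does not already throttle this call, recording the failure here would make repeated wrong guesses from one session visible. `myaccount_passwd` begins and ends outside the hunk.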
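Review bot: The `description` of the new `selfservice-password_change_oldpass` entry does not say what happens when the box is left unchecked. Per the MyAccount.pm hunk of this patch, the current password is then verified only if the client sends `old_password`, so a caller with a valid session can skip the check by leaving the field out. I would state that in the text, e.g. `'description' => 'Require the current password for self-service password changes at the API level. When unset, the current password is only verified if the client supplies it.',`, so operators know the check stays optional until they enable it. The enclosing list of config items starts and ends outside the hunk.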