Index: includes/form.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/form.inc,v retrieving revision 1.375 diff -u -p -r1.375 form.inc --- includes/form.inc 21 Sep 2009 06:44:13 -0000 1.375 +++ includes/form.inc 26 Sep 2009 06:52:15 -0000 @@ -218,7 +218,7 @@ function drupal_build_form($form_id, &$f // in the latest $form_state in addition to any other variables passed // into drupal_get_form(). - if ((!empty($form_state['storage']) || $form_state['rebuild']) && $form_state['submitted'] && !form_get_errors()) { + if ((!empty($form_state['storage']) || $form_state['rebuild']) && !form_get_errors()) { $form = drupal_rebuild_form($form_id, $form_state); } @@ -1033,7 +1033,7 @@ function form_builder($form_id, $element } // Store a complete copy of the form in form_state prior to building the form. - $form_state['complete form'] = $element; + $form_state['complete form'] = &$element; // Set a flag if we have a correct form submission. This is always TRUE for // programmed forms coming from drupal_form_submit(), or if the form_id coming // from the POST data is set and matches the current form_id. @@ -1143,6 +1143,7 @@ function form_builder($form_id, $element } // Update the copy of the complete form for usage in validation handlers. $form_state['complete form'] = $element; +// dsm($element); } return $element; } Index: modules/user/user.module =================================================================== RCS file: /cvs/drupal/drupal/modules/user/user.module,v retrieving revision 1.1053 diff -u -p -r1.1053 user.module --- modules/user/user.module 25 Sep 2009 15:14:18 -0000 1.1053 +++ modules/user/user.module 26 Sep 2009 07:07:25 -0000 
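Review bot: Dropping `$form_state['submitted']` from the rebuild condition lets drupal_build_form() call drupal_rebuild_form() on any request that carries non-empty `$form_state['storage']` or a `rebuild` flag, not only on a submission, so cached state replayed by form_build_id alone is enough to trigger a rebuild. The second hunk in this file shows `submitted` being set right after 'complete form' is stored, i.e. apparently before child #process callbacks run, so a #process callback that sets `rebuild` (as user_validate_current_password() does) would already have passed the original check; the reason for the widening is not evident from the diff. If it is deliberate, say so on the line, e.g. `// Rebuild even without a submission: storage may come from a cached form.`, otherwise keep the `submitted` guard. drupal_build_form() starts and ends outside this hunk.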
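Review bot: `$form_state['complete form']` now aliases form_builder()'s by-value `$element`, but the comment directly above still says "Store a complete copy", and the later assignment in the third hunk (`$form_state['complete form'] = $element;`) now writes `$element` back onto itself through the reference, a no-op that reads as if it refreshed a copy. Change the comment to `// Store a reference to the complete form so #process and #element_validate callbacks receiving $complete_form can alter sibling elements.` so the aliasing is explicit. Callers should also be warned that if children are still built by recursing on copies and assigning the result back (that loop is outside this hunk), a callback's writes into `$complete_form` for the subtree currently being built are overwritten on return; user_validate_current_password() depends on exactly that when it sets `#access` on the 'account' container from inside the mail field's #process. form_builder() starts and ends outside this hunk.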
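Review bot: The added `// dsm($element);` is commented-out debugging; dsm() belongs to the Devel module, not core, so the line documents nothing and is a reminder to dump the whole built form array, which at this point holds submitted values. Remove it before this lands. form_builder() starts outside this hunk.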
@@ -585,6 +585,46 @@ function user_validate_picture(&$form, & } } +function user_validate_current_password($element, &$form_state, &$complete_form) { + $value_changed = ($element['#default_value'] !== $element['#value']); + if (!empty($form_state['storage']['needs_password_validation'])) { + #echo "
"; var_dump(element_children($complete_form)); echo "
\n"; + foreach (element_children($complete_form) as $item) { + if (in_array($item, array('form_build_id', 'form_token', 'form_id', 'submit'))) { + continue; + } + $complete_form[$item]['#access'] = FALSE; + } + $complete_form['current_password'] = array( + '#type' => 'textfield', + '#title' => t('Current password'), + '#element_validate' => array('user_validate_current_password_for_real'), + ); +// $complete_form['submit'] = array( +// '#type' => 'submit', +// '#value' => t('Save'), +// ); +// dsm($form_state); +// dsm($complete_form); + } + elseif ($value_changed) { + #$form_state['process_input'] = FALSE; + $form_state['rebuild'] = TRUE; + $form_state['storage']['needs_password_validation'] = TRUE; + $form_state['redirect'] = FALSE; +// $form_state['no_redirect'] = TRUE; + } +// dsm($element); + dsm($form_state); +// dsm($complete_form); + return $element; +} + +function user_validate_current_password_for_real(&$element, &$form_state, $complete_form) { + dsm($element); + unset($form_state['storage']['needs_password_validation']); +} + /** * Generate a random alphanumeric password. */ 
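Review bot: user_validate_current_password_for_real() never checks the password: its whole body is `dsm($element); unset($form_state['storage']['needs_password_validation']);`, so any value in the new 'current_password' field, including an empty one, clears the flag and lets the e-mail change through, which defeats the gate entirely. The field is also declared as a plain `'#type' => 'textfield'` with no `#required`, so the secret is echoed back into the rendered form; it should be `'#type' => 'password', '#required' => TRUE`. Separately, `dsm($form_state)` at the end of user_validate_current_password() is not commented out and runs on every build: it fatals on sites without Devel and, where Devel is present, prints the submitted values, including the new-password fields user_edit_form() defines, into the page, so all `dsm()`/`var_dump` lines and the commented-out code must go. Hiding siblings by writing `#access` into `$complete_form` from a #process callback is fragile too (it runs during building, and writes to the container currently being built may be overwritten when the builder assigns the child back), so the "needs password" state should be consulted in user_edit_form() when the rebuilt form is constructed, and the value comparison belongs in #element_validate. A minimal real check, assuming `$complete_form['#user']` is the edited account as user_profile_form_validate() uses it and user_check_password() is the account password check in this tree, would be:
```php
function user_validate_current_password_for_real(&$element, &$form_state, $complete_form) {
  // Verify the submitted value against the edited account's stored hash;
  // the flag is cleared only on a successful match.
  $account = $complete_form['#user'];
  if (!isset($element['#value']) || $element['#value'] === '' || !user_check_password($element['#value'], $account)) {
    form_error($element, t('The current password is incorrect.'));
    return;
  }
  unset($form_state['storage']['needs_password_validation']);
}
```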
@@ -1809,20 +1849,19 @@ function user_edit_form(&$form, &$form_s '#title' => t('Account information'), '#weight' => -10, ); - // Only show name field when: registration page; or user is editing own - // account and can change username; or an admin user. - if ($register || ($user->uid == $account->uid && user_access('change own username')) || $admin) { - $form['account']['name'] = array( - '#type' => 'textfield', - '#title' => t('Username'), - '#maxlength' => USERNAME_MAX_LENGTH, - '#description' => t('Spaces are allowed; punctuation is not allowed except for periods, hyphens, apostrophes, and underscores.'), - '#required' => TRUE, - '#attributes' => array('class' => array('username')), - ); - if (!$register) { - $form['account']['name']['#default_value'] = $account->name; - } + $form['account']['name'] = array( + '#type' => 'textfield', + '#title' => t('Username'), + '#maxlength' => USERNAME_MAX_LENGTH, + '#description' => t('Spaces are allowed; punctuation is not allowed except for periods, hyphens, apostrophes, and underscores.'), + '#required' => TRUE, + '#attributes' => array('class' => array('username')), + // Only show name field when: registration page; or user is editing own + // account and can change username; or an admin user. + '#access' => $register || ($user->uid == $account->uid && user_access('change own username')) || $admin, + ); + if (!$register) { + $form['account']['name']['#default_value'] = $account->name; } $form['account']['mail'] = array( '#type' => 'textfield', 
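Review bot: The username protection now rests on the form builder honouring `#access` rather than on the element being absent, so any handler that reads `$form_state['input']['name']` (or copies raw input into `$edit`) instead of `$form_state['values']` would still see an attacker-supplied name for a user who lacks 'change own username'. The `#required => TRUE` on an inaccessible element also relies on the builder substituting `#default_value` (`$account->name`) for the value, which only holds when `!$register`, the one case where `#access` can be FALSE, so it is consistent but deserves a note. Since the same commit removes the "protected user fields" watchdog check from user_profile_form_validate(), there is no longer a second line of defence; I would put a comment on the `#access` line such as `// With #access FALSE the builder ignores submitted input and keeps #default_value; never read this field from $form_state['input'].` and keep a validation-time check that `values['name']` equals `$account->name` whenever the element is inaccessible. user_edit_form() starts and ends outside this hunk.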
@@ -1833,6 +1872,7 @@ function user_edit_form(&$form, &$form_s ); if (!$register) { $form['account']['mail']['#default_value'] = $account->mail; + $form['account']['mail']['#process'] = array('user_validate_current_password'); } if (!$register) { $form['account']['pass'] = array( Index: modules/user/user.pages.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/user/user.pages.inc,v retrieving revision 1.56 diff -u -p -r1.56 user.pages.inc --- modules/user/user.pages.inc 22 Sep 2009 07:50:16 -0000 1.56 +++ modules/user/user.pages.inc 26 Sep 2009 07:09:45 -0000 @@ -260,12 +260,6 @@ function user_profile_form_validate($for field_attach_form_validate('user', $edit, $form, $form_state); $edit = (array)$edit; user_module_invoke('validate', $edit, $form['#user'], $form['#user_category']); - // Validate input to ensure that non-privileged users can't alter protected data. - if ((!user_access('administer users') && array_intersect(array_keys($edit), array('uid', 'init', 'session'))) || (!user_access('administer permissions') && isset($form_state['values']['roles']))) { - watchdog('security', 'Detected malicious attempt to alter protected user fields.', array(), WATCHDOG_WARNING); - // set this to a value type field - form_set_error('category', t('Detected malicious attempt to alter protected user fields.')); - } } /**
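Review bot: Assigning `$form['account']['mail']['#process'] = array('user_validate_current_password');` replaces, rather than extends, whatever #process callbacks the textfield type declares in its element_info() defaults (if the builder merges those with `+=`, the key is already set and the defaults are silently lost), and it runs the callback during form building on every request, before the address has been validated and before `$form_state['values']` exists. A value comparison that sets `rebuild`, `storage` and `redirect` is validation-phase logic; attach it as `$form['account']['mail']['#element_validate'] = array('user_validate_current_password');` and do the "hide everything but the password prompt" part inside user_edit_form() when `$form_state['storage']['needs_password_validation']` is set, so the rebuilt form is built that way from the start instead of being patched through `$complete_form`. user_edit_form() starts and ends outside this hunk.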