From 8f728500d480dc30c18bdce701b99ebe7b6b15ba Mon Sep 17 00:00:00 2001
From: Jorge Colmenarez
Date: Mon, 24 Apr 2017 13:51:25 -0400
Subject: [PATCH] Verify current password before change password

---
 application/controllers/Employees.php | 49 +++++++++++++++-------
 application/language/en/employees_lang.php | 2 +
 application/language/es/employees_lang.php | 2 +
 application/models/Employee.php | 2 +-
 application/views/change_password.php | 18 +++++---
 5 files changed, 52 insertions(+), 21 deletions(-)

diff --git a/application/controllers/Employees.php b/application/controllers/Employees.php
index 35fe15eb3..2bbace9ea 100644
--- a/application/controllers/Employees.php
+++ b/application/controllers/Employees.php
@@ -94,25 +94,31 @@ class Employees extends Persons
 {
 if($this->input->post('current_password') != '')
 {
- $employee_data = array(
- 'username' => $this->input->post('username'),
- 'password' => password_hash($this->input->post('password'), PASSWORD_DEFAULT),
- 'hash_version' => 2
- );
-
- if($this->Employee->change_password($employee_data, $employee_id))
+ if($this->_check_password($employee_id,$this->input->post('current_password')))
 {
- $employee_data = $this->xss_clean($employee_data);
+ $employee_data = array(
+ 'username' => $this->input->post('username'),
+ 'password' => password_hash($this->input->post('password'), PASSWORD_DEFAULT),
+ 'hash_version' => 2
+ );
+
+ if($this->Employee->change_password($employee_data, $employee_id))
+ {
+ $employee_data = $this->xss_clean($employee_data);
- echo json_encode(array('success' => TRUE, 'message' => $this->lang->line('employees_successful_change_password').' '.
- $person_data['first_name'].' '.$person_data['last_name'], 'id' => $employee_id));
+ echo json_encode(array('success' => TRUE, 'message' => $this->lang->line('employees_successful_change_password').' '.
+ $person_data['first_name'].' '.$person_data['last_name'], 'id' => $employee_id));
+ }
+ else//failure
+ {
+ echo json_encode(array('success' => FALSE, 'message' => $this->lang->line('employees_successful_change_password').' '.
+ $person_data['first_name'].' '.$person_data['last_name'], 'id' => -1));
+ }
 }
- else//failure
+ else
 {
- $person_data = $this->xss_clean($person_data);
-
- echo json_encode(array('success' => FALSE, 'message' => $this->lang->line('employees_successful_change_password').' '.
- $person_data['first_name'].' '.$person_data['last_name'], 'id' => -1));
+ echo json_encode(array('success' => FALSE, 'message' => $this->lang->line('employees_current_password_invalid').' '.
+ $person_data['first_name'].' '.$person_data['last_name'], 'id' => -1));
 }
 }
 else
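Review bot: The inner `else//failure` branch of the new code still echoes `employees_successful_change_password` together with `'success' => FALSE`, so a failed `change_password()` call tells the user their password was changed; it should use a failure key that already exists in the language files, e.g. `$this->lang->line('employees_error_adding_updating')`. The server also never validates the new password itself: the 8-character minimum and the "must differ from the current password" rule live only as jQuery rules in the view, so a direct POST to this handler can set a one-character password or re-submit the current one, and a check such as `if(mb_strlen($this->input->post('password')) < 8 || $this->input->post('password') === $this->input->post('current_password'))` returning a failure JSON before `password_hash()` would close that. `$employee_id` and `$person_data` are assigned before this hunk, so whether `$employee_id` is bound to the logged-in user or taken from the request is not visible here.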
@@ -206,5 +212,18 @@ class Employees extends Persons
 $this->load->view("change_password", $data);
 }
+
+ private function _check_password($employee_id,$password)
+ {
+ $person_info = $this->Employee->get_info($employee_id);
+ if(password_verify($password, $person_info->password))
+ {
+ return TRUE;
+ }
+ else
+ {
+ return FALSE;
+ }
+ }
 }
 ?>
\ No newline at end of file
diff --git a/application/language/en/employees_lang.php b/application/language/en/employees_lang.php
index 6583fe3c9..360d2b8a1 100644
--- a/application/language/en/employees_lang.php
+++ b/application/language/en/employees_lang.php
@@ -5,6 +5,7 @@ $lang["employees_cannot_be_deleted"] = "Could not deleted selected employees, on
 $lang["employees_change_password"] = "Change Password";
 $lang["employees_confirm_delete"] = "Are you sure you want to delete the selected employees?";
 $lang["employees_current_password"] = "Current Password";
+$lang["employees_current_password_invalid"] = "Invalid Current Password";
 $lang["employees_employee"] = "Employee";
 $lang["employees_error_adding_updating"] = "Error adding/updating employee";
 $lang["employees_error_deleting_demo_admin"] = "You can not delete the demo admin user";
@@ -16,6 +17,7 @@ $lang["employees_one_or_multiple"] = "employee(s)";
 $lang["employees_password"] = "Password";
 $lang["employees_password_minlength"] = "Passwords must be at least 8 characters";
 $lang["employees_password_must_match"] = "Passwords do not match";
+$lang["employees_password_not_must_match"] = "Current password and new password should not be the same";
 $lang["employees_password_required"] = "Password is required";
 $lang["employees_permission_desc"] = "Check the boxes below to grant access to modules";
 $lang["employees_permission_info"] = "Permissions";
diff --git a/application/language/es/employees_lang.php b/application/language/es/employees_lang.php
index ea2e37fa1..245cecb7c 100644
--- a/application/language/es/employees_lang.php
+++ b/application/language/es/employees_lang.php
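Review bot: `_check_password` verifies the stored value only with `password_verify()`, so it returns `FALSE` for any account whose stored password was not produced by `password_hash()`; the `'hash_version' => 2` written by the change path suggests older hash versions exist in this model, and such users would be unable to pass this check and therefore unable to change their password at all — if the model has a legacy verifier keyed on `hash_version`, it should be consulted here. If `get_info()` yields a record with no `password` (unknown id), `$person_info->password` is `NULL` and `password_verify()` is handed a non-string; a guard such as `if(empty($person_info->password)) { return FALSE; }` keeps that a clean failure rather than a warning. The if/else can also collapse to `return password_verify($password, $person_info->password);`. The two language-file hunks on this line are translation additions and need no review.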
@@ -5,6 +5,7 @@ $lang["employees_cannot_be_deleted"] = "No se pudieron borrar empleados. Uno o m
 $lang["employees_change_password"] = "Cambiar Contraseña";
 $lang["employees_confirm_delete"] = "¿Seguro(a) que quieres borrar los empleados seleccionados?";
 $lang["employees_current_password"] = "Contraseña Actual";
+$lang["employees_current_password_invalid"] = "Contraseña Actual Inválida";
 $lang["employees_employee"] = "Empleado";
 $lang["employees_error_adding_updating"] = "Error al agregar/actualizar empleado";
 $lang["employees_error_deleting_demo_admin"] = "No puedes borrar el usuario admin del demo";
@@ -16,6 +17,7 @@ $lang["employees_one_or_multiple"] = "empleado(s)";
 $lang["employees_password"] = "Contraseña";
 $lang["employees_password_minlength"] = "La contraseña debe tener, por lo menos, 8 caracteres";
 $lang["employees_password_must_match"] = "Las Contraseñas no coinciden";
+$lang["employees_password_not_must_match"] = "Las contraseña actual y la nueva contraseña no deben ser iguales";
 $lang["employees_password_required"] = "La Contraseña es requerida";
 $lang["employees_permission_desc"] = "Activa las cajas debajo para permitir el acceso a los módulos";
 $lang["employees_permission_info"] = "Permisos y Acceso del Empleado";
diff --git a/application/models/Employee.php b/application/models/Employee.php
index 4b13692a0..56f999a68 100644
--- a/application/models/Employee.php
+++ b/application/models/Employee.php
@@ -414,7 +414,7 @@ class Employee extends Person
 /* Change password for the employee */
- public function change_password(&$employee_data, $employee_id = FALSE)
+ public function change_password($employee_data, $employee_id = FALSE)
 {
 $success = FALSE;
diff --git a/application/views/change_password.php b/application/views/change_password.php
index f16a9937b..c61c57627 100644
--- a/application/views/change_password.php
+++ b/application/views/change_password.php
@@ -32,9 +32,7 @@
 'current_password',
 'id'=>'current_password',
- 'class'=>'form-control input-sm',
- 'value'=>$person_info->password,
- 'readonly'=>'true')
+ 'class'=>'form-control input-sm')
 );?>
@@ -77,6 +75,10 @@ $(document).ready(function()
 {
 $.validator.setDefaults({ ignore: [] });
+
+ $.validator.addMethod("notEqualTo", function(value, element, param) {
+ return this.optional(element) || value != $(param).val();
+ }, 'lang->line('employees_password_not_must_match'); ?>');
 $('#employee_form').validate($.extend({
 submitHandler:function(form)
@@ -91,11 +93,17 @@ $(document).ready(function()
 });
 },
 rules:
- {
- password:
+ {
+ current_password:
 {
 required:true,
 minlength: 8
+ },
+ password:
+ {
+ required:true,
+ minlength: 8,
+ notEqualTo: "#current_password"
 },
 repeat_password:
 {
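Review bot: The `notEqualTo` message in the new `addMethod` call is written into a single-quoted JavaScript string by a PHP echo of `$this->lang->line('employees_password_not_must_match')` (the opening PHP tag appears mangled in this copy of the patch); a translation containing an apostrophe would terminate that string and break the entire validator setup, so the value should be emitted with `json_encode($this->lang->line('employees_password_not_must_match'))` and no surrounding quotes. The comparison `value != $(param).val()` is between two strings and would read better as `!==`. The `$(document).ready` callback begins and ends outside this hunk.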
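Review bot: The new `current_password` rule applies `minlength: 8` to the password the employee already has, so anyone whose existing password is shorter than eight characters can never submit this form and therefore can never move to a compliant password; keep `required:true` on `current_password` and leave the length rule on `password` and `repeat_password` only. These rules are enforced purely in the browser — the controller receiving this form must apply the same minimum length and not-equal checks, because the jQuery validator is trivially bypassed. The `rules:` object continues past the end of this hunk (`repeat_password` is cut off).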