require user password before transferring an alias (#1070)

2022-06-10 15:50:44 +02:00 · 2022-06-10 15:50:44 +02:00 · a0a92a7562
parent 0afd414a66
commit a0a92a7562
2 changed files with 4 additions and 2 deletions
--- a/app/dashboard/views/alias_transfer.py
+++ b/app/dashboard/views/alias_transfer.py
@ -5,6 +5,7 @@ from flask_login import login_required, current_user

 from app.config import URL
 from app.dashboard.base import dashboard_bp
+from app.dashboard.views.enter_sudo import sudo_required
 from app.db import Session
 from app.email_utils import send_email, render
 from app.extensions import limiter
@ -77,6 +78,7 @@ def transfer(alias, new_user, new_mailboxes: [Mailbox]):

@dashboard_bp.route("/alias_transfer/send/<int:alias_id>/", methods=["GET", "POST"])
@login_required
+@sudo_required
 def alias_transfer_send_route(alias_id):
    alias = Alias.get(alias_id)
    if not alias or alias.user_id != current_user.id:
--- a/templates/dashboard/enter_sudo.html
+++ b/templates/dashboard/enter_sudo.html
@ -10,10 +10,10 @@
    <div class="card-body">
      <h1 class="h2">Entering Sudo Mode</h1>
      <p>
-        You are trying to change sensitive settings
+        The next page contains security related setting.
      </p>
      <p>
-        Please enter the password of your account so that we can ensure it's you.
+        Please enter your account password so that we can ensure it's you.
      </p>

      <form method="post">