rainlab · bennothommo · Jul 25, 2019 · Dec 10, 2017 · Dec 12, 2017 · Jul 3, 2019
diff --git a/components/Account.php b/components/Account.php
@@ -11,6 +11,7 @@
 use Validator;
 use ValidationException;
 use ApplicationException;
+use October\Rain\Auth\AuthException;
 use Cms\Classes\Page;
 use Cms\Classes\ComponentBase;
 use RainLab\User\Models\Settings as UserSettings;
@@ -70,6 +71,7 @@ public function prepareVars()
         $this->page['canRegister'] = $this->canRegister();
         $this->page['loginAttribute'] = $this->loginAttribute();
         $this->page['loginAttributeLabel'] = $this->loginAttributeLabel();
+        $this->page['updateRequiresPassword'] = $this->updateRequiresPassword();
         $this->page['rememberLoginMode'] = $this->rememberLoginMode();
     }
 
@@ -138,6 +140,14 @@ public function loginAttributeLabel()
         );
     }
 
+    /**
+     * Returns the update requires password setting
+     */
+    public function updateRequiresPassword()
+    {
+        return UserSettings::get('update_requires_password', false);
+    }
+
     /**
      * Returns the login remember mode.
      */
@@ -367,17 +377,25 @@ public function onUpdate()
             return;
         }
 
+        $data = post();
+
+        if ($this->updateRequiresPassword()) {
+            if (!$user->checkHashValue('password', $data['password_current'])) {
+                throw new ValidationException(['password_current' => Lang::get('rainlab.user::lang.account.invalid_current_pass')]);
+            }
+        }
+
         if (Input::hasFile('avatar')) {
             $user->avatar = Input::file('avatar');
         }
 
-        $user->fill(post());
+        $user->fill($data);
         $user->save();
 
         /*
          * Password has changed, reauthenticate the user
          */
-        if (strlen(post('password'))) {
+        if (strlen($data['password'])) {
             Auth::login($user->reload(), true);
         }
 

diff --git a/components/account/update.htm b/components/account/update.htm
@@ -20,6 +20,14 @@
         <input name="password_confirmation" type="password" class="form-control" id="accountPasswordConfirm">
     </div>
 
+    {% if updateRequiresPassword %}
+        <p>To change these details, please confirm your current password.</p>
+        <div class="form-group">
+            <label for="accountPasswordCurrent">Current Password <small class="text-danger">* required</small></label>
+            <input name="password_current" type="password" class="form-control" id="accountPasswordCurrent">
+        </div>
+    {% endif %}
+
     <button type="submit" class="btn btn-default">Save</button>
 
 {{ form_close() }}
diff --git a/lang/en/lang.php b/lang/en/lang.php
@@ -71,6 +71,7 @@
         'activation_tab' => 'Activation',
         'signin_tab' => 'Sign in',
         'registration_tab' => 'Registration',
+        'profile_tab' => 'Profile',
         'notifications_tab' => 'Notifications',
         'allow_registration' => 'Allow user registration',
         'allow_registration_comment' => 'If this is disabled users can only be created by administrators.',
@@ -97,6 +98,8 @@
         'remember_always' => 'Always',
         'remember_never' => 'Never',
         'remember_ask' => 'Ask the user on login',
+        'update_requires_password' => 'Confirm current password on update',
+        'update_requires_password_comment' => 'Require the current password of the user when changing their profile.'
     ],
     'user' => [
         'label' => 'User',
@@ -172,6 +175,7 @@
         'invalid_user' => 'A user was not found with the given credentials.',
         'invalid_activation_code' => 'Invalid activation code supplied.',
         'invalid_deactivation_pass' => 'The password you entered was invalid.',
+        'invalid_current_pass' => 'The current password you entered was invalid.',
         'success_activation' => 'Successfully activated your account.',
         'success_deactivation' => 'Successfully deactivated your account. Sorry to see you go!',
         'success_saved' => 'Settings successfully saved!',

diff --git a/models/Settings.php b/models/Settings.php
@@ -35,6 +35,7 @@ public function initSettingsData()
         $this->block_persistence = false;
         $this->allow_registration = true;
         $this->login_attribute = self::LOGIN_EMAIL;
+        $this->update_requires_password = false;
         $this->remember_login = self::REMEMBER_ALWAYS;
         $this->min_password_length = self::MIN_PASSWORD_LENGTH_DEFAULT;
     }

diff --git a/models/settings/fields.yaml b/models/settings/fields.yaml
@@ -68,3 +68,11 @@ tabs:
             label: rainlab.user::lang.settings.activate_mode
             type: radio
             tab: rainlab.user::lang.settings.activation_tab
+
+        # Require current password when editing profile
+        update_requires_password:
+            span: left
+            label: rainlab.user::lang.settings.update_requires_password
+            commentAbove: rainlab.user::lang.settings.update_requires_password_comment
+            type: switch
+            tab: rainlab.user::lang.settings.profile_tab