From a53c313878d04b71b383af7e5d013f30f07ae1e2 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 10 Nov 2016 17:18:12 +0100
Subject: [PATCH] Require password confirmation to change the Quota
Signed-off-by: Joas Schilling
---
settings/ajax/setquota.php | 7 +++++++
settings/js/users/users.js | 15 ++++++++++++---
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/settings/ajax/setquota.php b/settings/ajax/setquota.php
index eee1de407b..0906102ec2 100644
--- settings/ajax/setquota.php
+++ b/settings/ajax/setquota.php
@@ -32,6 +32,13 @@ OC_JSON::checkSubAdminUser();
 OCP\JSON::callCheck();
+$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
+if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+ $l = \OC::$server->getL10N('core');
+ OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
+ exit();
+}
+
 $username = isset($_POST["username"]) ? (string)$_POST["username"] : '';
 $isUserAccessible = false;
diff --git a/settings/js/users/users.js b/settings/js/users/users.js
index c2f1eb3c00..6847f06a8b 100644
--- settings/js/users/users.js
+++ b/settings/js/users/users.js
@@ -539,7 +539,7 @@ var UserList = {
 OC.Notification.showTemporary(t('core', 'Invalid quota value "{val}"', {val: quota}));
 return;
 }
- UserList._updateQuota(uid, quota, function(returnedQuota){
+ UserList._updateQuota(uid, quota, function(returnedQuota) {
 if (quota !== returnedQuota) {
 $select.find(':selected').text(returnedQuota);
 }
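Review bot: In the settings/ajax/setquota.php hunk the comment and the arithmetic disagree: `time() - 30 * 60 + 15` moves the cutoff 15 seconds later, so a confirmation is refused once it is 29 minutes 45 seconds old instead of being given 15 seconds of grace. If the grace is intended, the condition should read `if ($lastConfirm < (time() - (30 * 60 + 15))) {`; if the stricter window is intended, the comment should say so. The failure direction is safe (a missing session value would cast to 0 and be refused), but a client that uses a plain 30-minute threshold would presumably skip the prompt for requests the server then rejects. The check is written inline in this script, which continues outside the hunk; a shared helper would keep the window identical across every endpoint that needs it.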
@@ -553,12 +553,21 @@ var UserList = {
 * @param {Function} ready callback after save
 */
 _updateQuota: function(uid, quota, ready) {
+ if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+ OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this._updateQuota, this, uid, quota, ready));
+ return;
+ }
+
 $.post(
 OC.filePath('settings', 'ajax', 'setquota.php'),
 {username: uid, quota: quota},
 function (result) {
- if (ready) {
- ready(result.data.quota);
+ if (result.status === 'error') {
+ OC.Notification.showTemporary(result.data.message);
+ } else {
+ if (ready) {
+ ready(result.data.quota);
+ }
 }
 }
 );
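Review bot: The new error branch in `_updateQuota` only shows a notification and never calls `ready`, so the caller's select (first users.js hunk) appears to stay on the value the server refused, and an admin can leave the page believing the quota limit was applied. The request also has no transport-failure handler, so an expired session or a rejected request token fails silently; chaining `.fail(function() { OC.Notification.showTemporary(t('core', 'Unable to change quota')); })` onto the `$.post(...)` call would surface it. When the server answers that password confirmation is required, consider re-prompting through `OC.PasswordConfirmation.requirePasswordConfirmation` rather than only displaying the message, since the client-side check is advisory and the server makes the decision. `_updateQuota` closes outside the hunk.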