From c4f476cdca63690a5afb211e61b11d93359ca31e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Tue, 14 Jun 2016 09:34:28 +0200
Subject: [PATCH] misc: require user to be logged in to access password change view (#11318)
---
 src/authentic2/profile_urls.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/authentic2/profile_urls.py b/src/authentic2/profile_urls.py
index c5b8755..d1a66e1 100644
--- a/src/authentic2/profile_urls.py
+++ b/src/authentic2/profile_urls.py
@@ -1,9 +1,11 @@
 from django.conf.urls import patterns, url
 from django.contrib.auth import views as auth_views, REDIRECT_FIELD_NAME
+from django.contrib.auth.decorators import login_required
 from django.core.urlresolvers import reverse
 from django.http import HttpResponseRedirect
 from django.contrib import messages
 from django.utils.translation import ugettext as _
+from django.views.decorators.debug import sensitive_post_parameters
 
 from authentic2.utils import import_module_or_class, redirect
 from . import app_settings, decorators, profile_views
@@ -13,6 +15,8 @@ SET_PASSWORD_FORM_CLASS = import_module_or_class(
 CHANGE_PASSWORD_FORM_CLASS = import_module_or_class(
 app_settings.A2_REGISTRATION_CHANGE_PASSWORD_FORM_CLASS)
 
+@sensitive_post_parameters()
+@login_required
 @decorators.setting_enabled('A2_REGISTRATION_CAN_CHANGE_PASSWORD')
 def password_change_view(request, *args, **kwargs):
 post_change_redirect = kwargs.pop('post_change_redirect', None)
-- 
2.8.1
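Review bot: In the second hunk, `@login_required` sits outside `@decorators.setting_enabled('A2_REGISTRATION_CAN_CHANGE_PASSWORD')` on `password_change_view`, so an anonymous visitor is redirected to the login page before the feature setting is consulted, even where password change is disabled. If `setting_enabled` rejects the request when the setting is off (its definition is not visible here), placing it above `@login_required` would avoid that pointless login round-trip. `@sensitive_post_parameters()` should stay outermost so the password fields are marked sensitive before any inner layer can raise into an error report. The patch touches only `profile_urls.py`, so a regression test asserting that an unauthenticated GET and POST to this view redirect to the login URL would pin the fix. The view's body continues past the end of the hunk.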