-rw-r--r--app.py2
-rw-r--r--forms.py12
-rw-r--r--templates/settings.html2
3 files changed, 13 insertions, 3 deletions
diff --git a/app.py b/app.py
index 367ec0f..2754b96 100644
--- a/app.py
+++ b/app.py
@@ -216,7 +216,7 @@ def settings():
changed = True
if form.password.data:
- g.user.change_password(form.password.data, decrypt_password(session['password']))
+ g.user.change_password(form.password.data, form.old_password.data)
session['password'] = encrypt_password(form.password.data)
flash(u'Passwort geändert', 'success')
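Review bot: The session update and the success flash follow `g.user.change_password(...)` unconditionally, so a rejected change would still be reported as successful unless change_password raises, which this hunk does not show. The old password passed here has only been compared with the copy cached in the session (see `validate_old_password` in forms.py), and that copy can be stale if the password was changed elsewhere. I would add a comment above the call, `# old_password was only checked against the session copy; change_password must verify it against the directory`, and make sure any failure path skips the `session['password']` assignment. The body of settings() starts and ends outside the hunk.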
diff --git a/forms.py b/forms.py
index 09bee81..59da874 100644
--- a/forms.py
+++ b/forms.py
@@ -1,10 +1,10 @@
# -*- coding: utf-8 -*-
from account import SERVICES, NoSuchUserError
-from flask import g, current_app, url_for, Markup
+from flask import g, current_app, session, url_for, Markup
from flask.ext.wtf import Form, validators, TextField, PasswordField,\
ValidationError, BooleanField
from functools import partial
-from utils import _username_re
+from utils import _username_re, decrypt_password
username = partial(TextField, 'Benutzername', [validators.Regexp(_username_re,
@@ -63,11 +63,19 @@ class LostPasswordForm(Form):
class SettingsForm(Form):
+ old_password = PasswordField('Altes Passwort')
password = PasswordField('Neues Passwort', [validators.Optional(),
validators.EqualTo('password_confirm', message=u'Passwörter stimmen nicht überein')])
password_confirm = PasswordField(u'Passwort bestätigen')
mail = TextField('E-Mail-Adresse', [validators.Optional(), validators.Email(), validators.Length(min=6, max=50)])
+ def validate_old_password(form, field):
+ if form.password.data:
+ if not field.data:
+ raise ValidationError(u'Gib bitte dein altes Passwort ein, um ein neues zu setzen.')
+ if field.data != decrypt_password(session['password']):
+ raise ValidationError(u'Altes Passwort ist falsch.')
+
def validate_mail(form, field):
results = g.ldap.find_by_mail(field.data)
for user in results:
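Review bot: In `validate_old_password`, `session['password']` is indexed without a fallback and the result is compared with a plain `!=`. A session lacking that key would surface as a KeyError rather than a validation error, and the comparison is not constant-time. I would read the value first with `stored = session.get('password')` and then test `if stored is None or not hmac.compare_digest(field.data.encode('utf-8'), decrypt_password(stored).encode('utf-8')):`, assuming decrypt_password returns text; this needs `import hmac` at the top of forms.py. Nothing visible here limits repeated wrong guesses, so whoever holds a valid session can retry the old password freely; a per-session attempt counter or forced re-login after a few failures would close that. validate_mail continues past the end of the hunk.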
diff --git a/templates/settings.html b/templates/settings.html
index c91d978..c0854e5 100644
--- a/templates/settings.html
+++ b/templates/settings.html
@@ -5,6 +5,8 @@
<form action="{{ url_for('settings') }}" method="post" class="form-horizontal">
<h2>Globale Einstellungen ändern</h2>
{{ render_field(form.mail) }}
+ <p></p>
+ {{ render_field(form.old_password) }}
{{ render_field(form.password) }}
{{ render_field(form.password_confirm) }}
{{ render_csrf(form) }}