Index: IQAuthHandler.java
===================================================================
--- IQAuthHandler.java (revision 10999)
+++ IQAuthHandler.java (working copy)
@@ -139,14 +139,33 @@
 }
 // If we're already logged in, this is a password reset
- if (session.getStatus() == Session.STATUS_AUTHENTICATED) {
- response = passwordReset(password, packet, username, session);
+ if (session.getStatus() == Session.STATUS_AUTHENTICATED
+ && session.getUsername().equalsIgnoreCase(
+ username))
+ {
+ if (password != null
+ && !password.trim().isEmpty())
+ {
+ response = passwordReset(password, packet,
+ username, session);
+ }
+ else
+ {
+ response = IQ.createResultIQ(packet);
+ response.setError(PacketError.Condition.not_allowed);
+ response.setType(IQ.Type.error);
+ }
 }
- else {
+ else if (session.getStatus() != Session.STATUS_AUTHENTICATED)
+ {
 // it is an auth attempt
 response = login(username, query, packet, password, session, digest);
 resourceBound = session.getStatus() == Session.STATUS_AUTHENTICATED;
 }
+ else
+ {
+ throw new UnauthorizedException();
+ }
 }
 }
 }
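Review bot: The new ownership check compares the session's name with the request-supplied `username` using `equalsIgnoreCase`, but the value handed to `passwordReset` is still the request-supplied one. Java's case-insensitive comparison is not necessarily the normalization the user store applies to account names, so two strings could pass this check and still resolve to different accounts. Acting on the session's own identity removes that dependency: `response = passwordReset(password, packet, session.getUsername(), session);`. If `session.getUsername()` can return null for an authenticated anonymous session (not visible here), the condition would fail with a NullPointerException instead of a clean rejection, so a null guard belongs in front of it. The final `else` that throws `UnauthorizedException` is also a good place to log the session address and the requested username, since an authenticated session naming another account is worth alerting on; the enclosing method starts and ends outside the hunk, so how that exception is reported to the client cannot be confirmed from here.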