From 015c8d2f7b87950f21d6078299f5d0ab3ea1c5ea Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Sat, 14 Nov 2015 07:53:14 +0100
Subject: [PATCH] fix: correct order when consuming password reset token
---
 src/org/cacert/gigi/dbObjects/User.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/org/cacert/gigi/dbObjects/User.java b/src/org/cacert/gigi/dbObjects/User.java
index a7789866..e6afc796 100644
--- a/src/org/cacert/gigi/dbObjects/User.java
+++ b/src/org/cacert/gigi/dbObjects/User.java
@@ -512,13 +512,13 @@ public class User extends CertificateOwner {
 if ( !rs.next()) {
 throw new GigiApiException("Token not found... very bad.");
 }
- ps = DatabaseConnection.getInstance().prepare("UPDATE `passwordResetTickets` SET `used` = CURRENT_TIMESTAMP WHERE `id`=?");
- ps.setInt(1, id);
- ps.executeUpdate();
 if (PasswordHash.verifyHash(private_token, rs.getString(1)) == null) {
 throw new GigiApiException("Private token does not match.");
 }
 setPassword(newPassword);
+ ps = DatabaseConnection.getInstance().prepare("UPDATE `passwordResetTickets` SET `used` = CURRENT_TIMESTAMP WHERE `id`=?");
+ ps.setInt(1, id);
+ ps.executeUpdate();
 }
 }
-- 
2.39.2
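Review bot: With the UPDATE moved after `setPassword(newPassword)`, a failed `PasswordHash.verifyHash` no longer consumes the ticket, so nothing visible in this hunk limits how often a caller who knows `id` can retry `private_token`; consider an attempt counter or rate limit on the ticket. The check and the consumption are also separate statements, so two concurrent requests carrying the same valid token could both pass before either sets `used`, and a failure in the final UPDATE leaves the password changed while the ticket stays live. Making the consumption conditional, e.g. `... SET used = CURRENT_TIMESTAMP WHERE id=? AND used IS NULL` (assuming unused tickets hold NULL), and treating an affected-row count other than 1 as an error before calling `setPassword` would close both gaps, ideally inside one transaction. The method begins above the hunk, so whether the SELECT already filters on `used` or on an expiry cannot be confirmed from here.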