Require password for fallback email change

src/routes/profile.js

@@ -64,6 +64,14 @@ async function update(req, res, next) {
 
     const data = _.pick(req.body, 'email', 'fallbackEmail', 'displayName');
 
+    // for fallbackEmail we check the password
+    if (data.fallbackEmail) {
+        if (!req.body.password || typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be non empty string'));
+
+        const [verifyError] = await safe(users.verify(req.user.id, req.body.password, users.AP_WEBADMIN));
+        if (verifyError) return next(BoxError.toHttpError(verifyError));
+    }
+
     const [error] = await safe(users.update(req.user, data, auditSource.fromRequest(req)));
     if (error) return next(BoxError.toHttpError(error));