--- loncom/interface/resetpw.pm 2009/10/08 22:59:18 1.21
+++ loncom/interface/resetpw.pm 2009/10/09 00:26:40 1.22
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Allow access to password changing via a token sent to user's e-mail.
 #
-# $Id: resetpw.pm,v 1.21 2009/10/08 22:59:18 raeburn Exp $
+# $Id: resetpw.pm,v 1.22 2009/10/09 00:26:40 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -31,7 +31,7 @@
 =head1 NAME
-Apache::resetpw - pile of common routines
+Apache::resetpw: reset user password.
 =head1 SYNOPSIS
@@ -43,9 +43,8 @@ described at http://www.lon-capa.org.
 =head1 OVERVIEW
 A user with an e-mail address associated with his/her LON-CAPA username
-can reset a forgotten password, using a link sent to the e-mail address
+can reset a forgotten password, using a link sent to the e-mail address
 if the authentication type for the account is "internal".
-account is "internal".
 =cut
@@ -277,6 +276,10 @@ sub reset_passwd {
 my $reqtime = &Apache::lonlocal::locallocaltime($data{'time'});
 if ($now - $data{'time'} < 7200) {
 if ($env{'form.action'} eq 'verify_and_change_pass') {
+ unless (($env{'form.uname'} eq $data{'username'}) && ($env{'form.udom'} eq $data{'domain'}) && ($env{'form.email'} eq $data{'email'})) {
+ $msg = &generic_failure_msg($contact_name,$contact_email);
+ return $msg;
+ }
 my $change_failed = &Apache::lonpreferences::verify_and_change_password($r,'reset_by_email',$token);
 if (!$change_failed) {
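Review bot: The new `unless` guard in reset_passwd compares each form field to the token record with `eq`, so a field that is missing on both sides (undefined or empty in `%data` and absent from the form) compares equal and the request still reaches verify_and_change_password. Unless `%data` is validated earlier in the function, which this hunk does not show, the `&&` chain should also require the stored values to be non-empty, for example `($data{'username'} ne '') && ($data{'domain'} ne '') && ($data{'email'} ne '')` ahead of the three comparisons. The mismatch branch returns the generic failure message without recording anything; a log entry naming the token's username and domain would let an administrator notice a token being presented for a different account. reset_passwd starts and ends outside the hunk.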