Alter backend to check the current password on every update, not just for password changes.
Add form elements for asking for current password to JSPac and TPac.
Add handling for said form elements where needed.
Add handling for "incorrect password" events in TPac.
Signed-off-by: Thomas Berezansky <tsbere@mvlc.org>
Signed-off-by: Bill Erickson <berick@esilibrary.com>
desc => "Update the operator's username",
params => [
{ desc => 'Authentication token', type => 'string' },
- { desc => 'New username', type => 'string' }
+ { desc => 'New username', type => 'string' },
+ { desc => 'Current password', type => 'string' }
],
- return => {desc => '1 on success, Event on error'}
+ return => {desc => '1 on success, Event on error or incorrect current password'}
}
);
desc => "Update the operator's email address",
params => [
{ desc => 'Authentication token', type => 'string' },
- { desc => 'New email address', type => 'string' }
+ { desc => 'New email address', type => 'string' },
+ { desc => 'Current password', type => 'string' }
],
- return => {desc => '1 on success, Event on error'}
+ return => {desc => '1 on success, Event on error or incorrect current password'}
}
);
or return $e->die_event;
my $api = $self->api_name;
+ # make sure the original password matches the in-database password
+ if (md5_hex($orig_pw) ne $db_user->passwd) {
+ $e->rollback;
+ return new OpenILS::Event('INCORRECT_PASSWORD');
+ }
+
if( $api =~ /password/o ) {
- # make sure the original password matches the in-database password
- if (md5_hex($orig_pw) ne $db_user->passwd) {
- $e->rollback;
- return new OpenILS::Event('INCORRECT_PASSWORD');
- }
+
$db_user->passwd($new_val);
} else {
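Review bot: The comparison `md5_hex($orig_pw) ne $db_user->passwd` now runs for every caller of these methods, so an older client that omits the new argument reaches `md5_hex(undef)`, which fails closed but emits an uninitialized-value warning under `use warnings`; `md5_hex($orig_pw // '')` (or `|| ''` if the baseline predates 5.10) keeps the fail-closed result without the noise. A failed check rolls back and returns with no log line, so repeated wrong-password attempts against a valid session leave nothing for an operator to detect; a single log call with the user id before the `return` would close that gap. The moved lines also keep the indirect-object form `new OpenILS::Event(...)`; `OpenILS::Event->new('INCORRECT_PASSWORD')` is the preferred call style. The enclosing sub, including where `$orig_pw` is unpacked, begins and ends outside the hunk.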
my $e = $self->editor;
my $ctx = $self->ctx;
my $email = $self->cgi->param('email') || '';
+ my $current_pw = $self->cgi->param('current_pw') || '';
# needed for most up-to-date email address
if (my $r = $self->prepare_extended_user_info) { return $r };
my $stat = $U->simplereq(
'open-ils.actor',
'open-ils.actor.user.email.update',
- $e->authtoken, $email);
+ $e->authtoken, $email, $current_pw);
+
+ if($U->event_equals($stat, 'INCORRECT_PASSWORD')) {
+ $ctx->{password_incorrect} = 1;
+ return Apache2::Const::OK;
+ }
unless ($self->cgi->param("redirect_to")) {
my $url = $self->apache->unparsed_uri;
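Review bot: `my $current_pw = $self->cgi->param('current_pw') || '';` tests truthiness, so a submitted password of `0` is replaced by the empty string and can never verify; `// ''` tests definedness and is the right operator for a password field, where `0` is a legitimate value. The same line appears in the username handler (`$current_pw` below `my $username = ...`) and should change the same way. On `INCORRECT_PASSWORD` the branch sets `$ctx->{password_incorrect}` and returns without carrying the submitted `$email` into the context, so the template's `value='[% ctx.invalid_email | html %]'` presumably renders empty and the user retypes the address. The enclosing handler continues past the hunk.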
my $e = $self->editor;
my $ctx = $self->ctx;
my $username = $self->cgi->param('username') || '';
+ my $current_pw = $self->cgi->param('current_pw') || '';
return Apache2::Const::OK
unless $self->cgi->request_method eq 'POST';
my $evt = $U->simplereq(
'open-ils.actor',
'open-ils.actor.user.username.update',
- $e->authtoken, $username);
+ $e->authtoken, $username, $current_pw);
+
+ if($U->event_equals($evt, 'INCORRECT_PASSWORD')) {
+ $ctx->{password_incorrect} = 1;
+ return Apache2::Const::OK;
+ }
if($U->event_equals($evt, 'USERNAME_EXISTS')) {
$ctx->{username_exists} = $username;
[% bad_email = ctx.invalid_email | html %]
[% l('The email address "<b>[_1]</b>" is invalid. Please try a different email address.', bad_email) %]
</div>
+
+[% ELSIF ctx.password_incorrect %]
+ <div id='account-update-email-error'>
+ [% |l %] Your current password was not correct. [% END %]
+ </div>
+
[% END %]
<form method='POST' id='account-update-email'>
[% END %]
<table>
<tr><td>[% l('Current Email') %]</td><td>[% ctx.user.email | html %]</td></tr>
+ <tr><td>[% l('Current Password') %]</td><td><input type='password' name='current_pw'/></td></tr>
<tr><td>[% l('New Email') %]</td><td><input type='text' name='email' value='[% ctx.invalid_email | html %]'/></td></tr>
<tr><td colspan='2' align='center'><input value="[% l('Submit') %]" type='submit'/></td></tr>
</table>
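Review bot: The new message is emitted as `[% |l %] Your current password was not correct. [% END %]`, so the translatable string includes a leading and trailing space, unlike the `l('...')` calls used elsewhere in this template; `[% l('Your current password was not correct.') %]` keeps the string clean and consistent. The same construction is repeated in the username template's `ELSIF ctx.password_incorrect` block.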
The username "<b>[_1]</b>" is taken. Please try a different username.
[% END %]
</div>
+
+[% ELSIF ctx.password_incorrect %]
+ <div id='account-update-email-error'>
+ [% |l %] Your current password was not correct. [% END %]
+ </div>
+
[% END %]
<form method='POST' id='account-update-email'>
<table>
<tr><td>[% l('Current Username') %]</td><td>[% ctx.user.usrname | html %]</td></tr>
+ <tr><td>[% l('Current Password') %]</td><td><input type='password' name='current_pw'/></td></tr>
<tr><td>[% l('New Username') %]</td><td><input type='text' name='username' value='[% ctx.invalid_username | html %]'/></td></tr>
<tr><td colspan='2' align='center'><input value="[% l('Submit') %]" type='submit'/></td></tr>
</table>
function myOPACUpdateUsername() {
var username = $('myopac_new_username').value;
+ var curpassword = $('myopac_username_current_password').value;
if(username == null || username == "") {
alert($('myopac_username_error').innerHTML);
return;
return;
}
- var req = new Request(UPDATE_USERNAME, G.user.session, username );
+ var req = new Request(UPDATE_USERNAME, G.user.session, username, curpassword );
req.send(true);
if(req.result()) {
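Review bot: `curpassword` is sent along with `username`, but unlike `username` it is never checked for emptiness before the request, and nothing in the hunk handles the `INCORRECT_PASSWORD` event the backend now returns for these calls; if the code after `if(req.result())` treats any truthy result as success, an event object may be reported as a completed update. A guard such as `if(curpassword == "") { alert(...); return; }` before building the request, plus a check of the result for the event before announcing success, would match what the commit adds on the TPac side. The same applies to `myOPACUpdateEmail`. The function body continues past the hunk.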
function myOPACUpdateEmail() {
var email = $('myopac_new_email').value;
+ var curpassword = $('myopac_email_current_password').value;
if(email == null || email == "") {
alert($('myopac_email_error').innerHTML);
return;
}
- var req = new Request(UPDATE_EMAIL, G.user.session, email );
+ var req = new Request(UPDATE_EMAIL, G.user.session, email, curpassword );
req.send(true);
if(req.result()) {
G.user.email(email);
<td class='color_4 light_border'>&common.username;</td>
<td class='light_border' id='myopac_summary_username'> </td>
<td class='light_border'><a href='javascript:void(0);'
- onclick='unHideMe($("myopac_update_username_row"));$("myopac_new_username").focus();'
+ onclick='unHideMe($("myopac_update_username_row"));$("myopac_username_current_password").focus();'
id='myopac_summary_username_change' style='text-decoration: underline;'>&myopac.summary.change;</a></td>
</tr>
<tr id='myopac_update_username_row' class='hide_me'>
<td class='myopac_update_cell' colspan='3'>
- <span class='myopac_update_span'>&myopac.summary.username.enter; </span>
- <input type='text' size='24' id='myopac_new_username'
- onkeydown='if(userPressedEnter(event)) myOPACUpdateUsername();' />
+
+ <table><tbody>
+ <tr>
+ <td><span class='myopac_update_span'>&myopac.summary.password.current; </span></td>
+ <td><input type='password' size='24' id='myopac_username_current_password'
+ onkeydown='if(userPressedEnter(event)) myOPACUpdateUsername();' /></td>
+ </tr>
+ <tr>
+ <td><span class='myopac_update_span'>&myopac.summary.username.enter; </span></td>
+ <td><input type='text' size='24' id='myopac_new_username'
+ onkeydown='if(userPressedEnter(event)) myOPACUpdateUsername();' /></td>
+ </tr>
+ </tbody></table>
+
<span class='myopac_update_span'>
<button onclick='myOPACUpdateUsername();'>&common.submit;</button>
</span>
<td class='color_4 light_border'>&myopac.summary.email;</td>
<td class='light_border' id='myopac_summary_email'> </td>
<td class='light_border'><a href='javascript:void(0);'
- onclick='unHideMe($("myopac_update_email_row"));$("myopac_new_email").focus();'
+ onclick='unHideMe($("myopac_update_email_row"));$("myopac_email_current_password").focus();'
id='myopac_summary_email_change' style='text-decoration: underline;'>&myopac.summary.change;</a></td>
</tr>
<tr id='myopac_update_email_row' class='hide_me'>
<td class='myopac_update_cell' colspan='3'>
- <span class='myopac_update_span'>&myopac.summary.email.new; </span>
- <input type='text' size='24' id='myopac_new_email'
- onkeydown='if(userPressedEnter(event)) myOPACUpdateEmail();' />
+
+ <table><tbody>
+ <tr>
+ <td><span class='myopac_update_span'>&myopac.summary.password.current; </span></td>
+ <td><input type='password' size='24' id='myopac_email_current_password'
+ onkeydown='if(userPressedEnter(event)) myOPACUpdateEmail();' /></td>
+ </tr>
+ <tr>
+ <td><span class='myopac_update_span'>&myopac.summary.email.new; </span></td>
+ <td><input type='text' size='24' id='myopac_new_email'
+ onkeydown='if(userPressedEnter(event)) myOPACUpdateEmail();' /></td>
+ </tr>
+ </tbody></table>
+
<span class='myopac_update_span'>
<button onclick='myOPACUpdateEmail();'>&common.submit;</button>
</span>