From 695ff9fe1c3fe713e169d888858fb1796d9cd949 Mon Sep 17 00:00:00 2001
From: Thomas Berezansky
Date: Sat, 24 Sep 2011 16:51:20 -0400
Subject: [PATCH] Require password to change email/username

Alter backend to check password period, not just for password changes.
Add form elements for asking for current password to JSPac.
Add handling for said form elements where needed.

Signed-off-by: Thomas Berezansky
Signed-off-by: Bill Erickson
---
 Open-ILS/src/perlmods/OpenILS/Application/Actor.pm | 22 ++++++++-----
 Open-ILS/web/opac/skin/default/js/myopac.js | 6 ++--
 .../skin/default/xml/myopac/myopac_summary.xml | 38 +++++++++++++++++-----
 3 files changed, 47 insertions(+), 19 deletions(-)

diff --git a/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
index 7708d19960..f05d165e1e 100644
--- a/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
@@ -1247,9 +1247,10 @@ __PACKAGE__->register_method(
 desc => "Update the operator's username",
 params => [
 { desc => 'Authentication token', type => 'string' },
- { desc => 'New username', type => 'string' }
+ { desc => 'New username', type => 'string' },
+ { desc => 'Current password', type => 'string' }
 ],
- return => {desc => '1 on success, Event on error'}
+ return => {desc => '1 on success, Event on error or incorrect current password'}
 }
 );
 
@@ -1260,9 +1261,10 @@ __PACKAGE__->register_method(
 desc => "Update the operator's email address",
 params => [
 { desc => 'Authentication token', type => 'string' },
- { desc => 'New email address', type => 'string' }
+ { desc => 'New email address', type => 'string' },
+ { desc => 'Current password', type => 'string' }
 ],
- return => {desc => '1 on success, Event on error'}
+ return => {desc => '1 on success, Event on error or incorrect current password'}
 }
 );
 
@@ -1275,12 +1277,14 @@ sub update_passwd {
 or return $e->die_event;
 
 my $api = $self->api_name;
 
+ # make sure the original password matches the in-database password
+ if (md5_hex($orig_pw) ne $db_user->passwd) {
+ $e->rollback;
+ return new OpenILS::Event('INCORRECT_PASSWORD');
+ }
+
 if( $api =~ /password/o ) {
- # make sure the original password matches the in-database password
- if (md5_hex($orig_pw) ne $db_user->passwd) {
- $e->rollback;
- return new OpenILS::Event('INCORRECT_PASSWORD');
- }
+
 $db_user->passwd($new_val);
 } else {
diff --git a/Open-ILS/web/opac/skin/default/js/myopac.js b/Open-ILS/web/opac/skin/default/js/myopac.js
index 692a5f4cfd..d3d1dfbcd6 100644
--- a/Open-ILS/web/opac/skin/default/js/myopac.js
+++ b/Open-ILS/web/opac/skin/default/js/myopac.js
@@ -1052,6 +1052,7 @@ function myopacSaveAddress(row, addr, deleteMe) {
 
 function myOPACUpdateUsername() {
 var username = $('myopac_new_username').value;
+ var curpassword = $('myopac_username_current_password').value;
 if(username == null || username == "") {
 alert($('myopac_username_error').innerHTML);
 return;
@@ -1086,7 +1087,7 @@ function myOPACUpdateUsername() {
 return;
 }
 
- var req = new Request(UPDATE_USERNAME, G.user.session, username );
+ var req = new Request(UPDATE_USERNAME, G.user.session, username, curpassword );
 req.send(true);
 
 if(req.result()) {
@@ -1110,12 +1111,13 @@ function myOPACUpdateUsername() {
 
 function myOPACUpdateEmail() {
 var email = $('myopac_new_email').value;
+ var curpassword = $('myopac_email_current_password').value;
 if(email == null || email == "") {
 alert($('myopac_email_error').innerHTML);
 return;
 }
 
- var req = new Request(UPDATE_EMAIL, G.user.session, email );
+ var req = new Request(UPDATE_EMAIL, G.user.session, email, curpassword );
 req.send(true);
 if(req.result()) {
 G.user.email(email);
diff --git a/Open-ILS/web/opac/skin/default/xml/myopac/myopac_summary.xml b/Open-ILS/web/opac/skin/default/xml/myopac/myopac_summary.xml
index 40eda7f2ab..821f870db7 100644
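Review bot: Hoisting the `md5_hex($orig_pw) ne $db_user->passwd` check above the api-name branch makes the third argument mandatory for update_username and update_email as well, but `$orig_pw` is hashed without any guard: a caller still using the old two-argument form, or a form that posts an empty field, reaches md5_hex with an undefined or empty value and gets INCORRECT_PASSWORD (plus an uninitialized-value warning) instead of a clear parameter error. A guard before the digest, e.g. `return OpenILS::Event->new('BAD_PARAMS') unless defined $orig_pw and length $orig_pw;` (using whatever event name the project reserves for missing arguments), keeps the two failure modes distinguishable for the caller and the logs. The stored-password format is not visible in this hunk, so the moved block would also benefit from a comment such as `# NOTE: must use the same digest as the password-set path; compare as strings, never numerically` so the comparison is not "fixed" to `!=` later. `new OpenILS::Event(...)` is indirect object syntax; `OpenILS::Event->new(...)` parses unambiguously. update_passwd begins and ends outside the hunk.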
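Review bot: `curpassword` is read from `$('myopac_username_current_password')` but, unlike `username` on the next lines, it is never checked before being sent, so an empty field makes a round trip to the server and the user only learns of the problem through the generic failure path; the same applies to `curpassword` in the myOPACUpdateEmail hunk. Mirroring the existing check, `if(curpassword == null || curpassword == "") { alert(<message element for a missing current password>.innerHTML); return; }`, gives immediate feedback and avoids sending an obviously invalid request. Both function bodies continue beyond the hunk, so the handling of an INCORRECT_PASSWORD result on the `req.result()` branch cannot be judged here and should be confirmed to surface a distinct message.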
--- a/Open-ILS/web/opac/skin/default/xml/myopac/myopac_summary.xml +++ b/Open-ILS/web/opac/skin/default/xml/myopac/myopac_summary.xml @@ -61,15 +61,26 @@ &common.username; &myopac.summary.change; - &myopac.summary.username.enter; - + + + + + + + + + + +
&myopac.summary.password.current;
&myopac.summary.username.enter;
+ @@ -122,15 +133,26 @@ &myopac.summary.email; &myopac.summary.change; - &myopac.summary.email.new; - + + + + + + + + + + +
&myopac.summary.password.current;
&myopac.summary.email.new;
+ -- 2.11.0