From 6d4c3632a3993c14483f729d8b85d64388c7518f Mon Sep 17 00:00:00 2001
From: Thomas Berezansky
Date: Sat, 24 Sep 2011 16:51:20 -0400
Subject: [PATCH] Require password to change email/username

Alter backend to check password period, not just for password changes. Add form elements for asking for current password to JSPac. Add handling for said form elements where needed.

Signed-off-by: Thomas Berezansky
Signed-off-by: Bill Erickson
---
 .../src/perlmods/lib/OpenILS/Application/Actor.pm | 22 ++++++++-----
 Open-ILS/web/opac/skin/default/js/myopac.js | 6 ++--
 .../skin/default/xml/myopac/myopac_summary.xml | 38 +++++++++++++++++-----
 3 files changed, 47 insertions(+), 19 deletions(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 90ba288c59..1f96787fce 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -1254,9 +1254,10 @@ __PACKAGE__->register_method(
 desc => "Update the operator's username",
 params => [
 { desc => 'Authentication token', type => 'string' },
- { desc => 'New username', type => 'string' }
+ { desc => 'New username', type => 'string' },
+ { desc => 'Current password', type => 'string' }
 ],
- return => {desc => '1 on success, Event on error'}
+ return => {desc => '1 on success, Event on error or incorrect current password'}
 }
 );
 
@@ -1267,9 +1268,10 @@ __PACKAGE__->register_method(
 desc => "Update the operator's email address",
 params => [
 { desc => 'Authentication token', type => 'string' },
- { desc => 'New email address', type => 'string' }
+ { desc => 'New email address', type => 'string' },
+ { desc => 'Current password', type => 'string' }
 ],
- return => {desc => '1 on success, Event on error'}
+ return => {desc => '1 on success, Event on error or incorrect current password'}
 }
 );
 
@@ -1282,12 +1284,14 @@ sub update_passwd { or return $e->die_event; my $api = $self->api_name; + # make sure the original password matches the in-database password + if (md5_hex($orig_pw) ne $db_user->passwd) { + $e->rollback; + return new OpenILS::Event('INCORRECT_PASSWORD'); + } + if( $api =~ /password/o ) { - # make sure the original password matches the in-database password - if (md5_hex($orig_pw) ne $db_user->passwd) { - $e->rollback; - return new OpenILS::Event('INCORRECT_PASSWORD'); - } + $db_user->passwd($new_val); } else { diff --git a/Open-ILS/web/opac/skin/default/js/myopac.js b/Open-ILS/web/opac/skin/default/js/myopac.js index 12fbaf1828..638ed08241 100644 --- a/Open-ILS/web/opac/skin/default/js/myopac.js +++ b/Open-ILS/web/opac/skin/default/js/myopac.js @@ -1057,6 +1057,7 @@ function myopacSaveAddress(row, addr, deleteMe) { function myOPACUpdateUsername() { var username = $('myopac_new_username').value; + var curpassword = $('myopac_username_current_password').value; if(username == null || username == "") { alert($('myopac_username_error').innerHTML); return; @@ -1091,7 +1092,7 @@ function myOPACUpdateUsername() { return; } - var req = new Request(UPDATE_USERNAME, G.user.session, username ); + var req = new Request(UPDATE_USERNAME, G.user.session, username, curpassword ); req.send(true); if(req.result()) { @@ -1115,12 +1116,13 @@ function myOPACUpdateUsername() { function myOPACUpdateEmail() { var email = $('myopac_new_email').value; + var curpassword = $('myopac_email_current_password').value; if(email == null || email == "") { alert($('myopac_email_error').innerHTML); return; } - var req = new Request(UPDATE_EMAIL, G.user.session, email ); + var req = new Request(UPDATE_EMAIL, G.user.session, email, curpassword ); req.send(true); if(req.result()) { G.user.email(email); diff --git a/Open-ILS/web/opac/skin/default/xml/myopac/myopac_summary.xml b/Open-ILS/web/opac/skin/default/xml/myopac/myopac_summary.xml index 40eda7f2ab..821f870db7 100644 
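Review bot: The password comparison that now guards the username and email calls as well never tests `$orig_pw` for definedness, so a caller that still sends only the token and the new value reaches `md5_hex($orig_pw)` with undef. That is presumably rejected only because the digest of an empty string will not match the stored hash, and it raises an uninitialized-value warning on the way. Writing the condition as `if (!defined($orig_pw) || md5_hex($orig_pw) ne $db_user->passwd) {` states the fail-closed intent explicitly. The mismatch branch also returns without recording the failure; since three methods now answer whether a guess is the current password, a log line with the requestor id before `$e->rollback;` would give operators something to alert on, and whether attempts are throttled elsewhere is not visible here. update_passwd starts above the hunk and continues below it.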
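Review bot: In myOPACUpdateEmail the new wrong-password outcome is not distinguished from success: the visible lines go straight from `if(req.result()) {` to `G.user.email(email);`. If the INCORRECT_PASSWORD event comes back as an ordinary truthy result object, the page will show the new address although the server rejected the change. The result should be tested for an event before the user object is updated, with a comment such as `// a truthy result may still be an INCORRECT_PASSWORD event; only update G.user on success`. Both functions also send the request when the current-password field is empty; an early return like the existing `email == null || email == ""` check would avoid that round trip. The rest of both function bodies is outside the hunks, so an event check further down in myOPACUpdateUsername may already cover that path.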
--- a/Open-ILS/web/opac/skin/default/xml/myopac/myopac_summary.xml +++ b/Open-ILS/web/opac/skin/default/xml/myopac/myopac_summary.xml @@ -61,15 +61,26 @@ &common.username; &myopac.summary.change; - &myopac.summary.username.enter; - + + + + + + + + + + +
&myopac.summary.password.current;
&myopac.summary.username.enter;
+ @@ -122,15 +133,26 @@ &myopac.summary.email; &myopac.summary.change; - &myopac.summary.email.new; - + + + + + + + + + + +
&myopac.summary.password.current;
&myopac.summary.email.new;
+ -- 2.11.0