From 0d181b644230dc82ce9dfcb5b16e59276a3a1f5d Mon Sep 17 00:00:00 2001
From: Thomas Berezansky
Date: Sat, 24 Sep 2011 16:51:20 -0400
Subject: [PATCH] Require password to change email/username

Alter backend to check password period, not just for password changes. Add form elements for asking for current password to JSPac and TPac. Add handling for said form elements where needed. Add handling for "incorrect password" events in TPac.

Signed-off-by: Thomas Berezansky
Signed-off-by: Bill Erickson
---
 .../perlmods/lib/OpenILS/Application/Actor.pm | 22 ++++++-----
 .../lib/OpenILS/WWW/EGCatLoader/Account.pm | 16 +++++++-
 .../templates/opac/myopac/update_email.tt2 | 7 ++++
 .../templates/opac/myopac/update_username.tt2 | 7 ++++
 Open-ILS/web/opac/skin/default/js/myopac.js | 6 ++-
 .../default/xml/myopac/myopac_summary.xml | 38 +++++++++++++++----
 6 files changed, 75 insertions(+), 21 deletions(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 4710d814c0..ebb56a15d1 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -1259,9 +1259,10 @@ __PACKAGE__->register_method(
         desc => "Update the operator's username",
         params => [
             { desc => 'Authentication token', type => 'string' },
-            { desc => 'New username', type => 'string' }
+            { desc => 'New username', type => 'string' },
+            { desc => 'Current password', type => 'string' }
         ],
-        return => {desc => '1 on success, Event on error'}
+        return => {desc => '1 on success, Event on error or incorrect current password'}
     }
 );
@@ -1272,9 +1273,10 @@ __PACKAGE__->register_method(
         desc => "Update the operator's email address",
         params => [
             { desc => 'Authentication token', type => 'string' },
-            { desc => 'New email address', type => 'string' }
+            { desc => 'New email address', type => 'string' },
+            { desc => 'Current password', type => 'string' }
         ],
-        return => {desc => '1 on success, Event on error'}
+        return => {desc => '1 on success, Event on error or incorrect current password'}
     }
 );
@@ -1287,12 +1289,14 @@ sub update_passwd {
         or return $e->die_event;
     my $api = $self->api_name;
+    # make sure the original password matches the in-database password
+    if (md5_hex($orig_pw) ne $db_user->passwd) {
+        $e->rollback;
+        return new OpenILS::Event('INCORRECT_PASSWORD');
+    }
+
     if( $api =~ /password/o ) {
-        # make sure the original password matches the in-database password
-        if (md5_hex($orig_pw) ne $db_user->passwd) {
-            $e->rollback;
-            return new OpenILS::Event('INCORRECT_PASSWORD');
-        }
+
         $db_user->passwd($new_val);
     } else {
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Account.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Account.pm
index 83257e7e02..2e6f527a62 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Account.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Account.pm
@@ -1138,6 +1138,7 @@ sub load_myopac_update_email {
     my $e = $self->editor;
     my $ctx = $self->ctx;
     my $email = $self->cgi->param('email') || '';
+    my $current_pw = $self->cgi->param('current_pw') || '';
     # needed for most up-to-date email address
     if (my $r = $self->prepare_extended_user_info) { return $r };
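Review bot: The hoisted comparison `md5_hex($orig_pw) ne $db_user->passwd` now runs for the username and email API names as well, so a client still sending the old four-argument form reaches `md5_hex(undef)`; that fails closed (the empty hash never matches), but is likely to log an uninitialized-value warning on every such call, and an explicit guard states the intent: `unless (defined $orig_pw && md5_hex($orig_pw) eq $db_user->passwd) {`. The added `return new OpenILS::Event('INCORRECT_PASSWORD');` carries over indirect-object syntax from the removed lines; `OpenILS::Event->new('INCORRECT_PASSWORD')` is the form perlcritic expects. Because every holder of a valid session token can now trigger this check through three API calls instead of one, it is worth confirming elsewhere that incorrect-password events on these calls are rate-limited or at least audit-logged; nothing in this hunk does so. The start of `update_passwd`, including where `$orig_pw` is unpacked from `@_`, is outside the hunk.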
@@ -1153,7 +1154,12 @@ sub load_myopac_update_email {
     my $stat = $U->simplereq(
         'open-ils.actor',
         'open-ils.actor.user.email.update',
-        $e->authtoken, $email);
+        $e->authtoken, $email, $current_pw);
+
+    if($U->event_equals($stat, 'INCORRECT_PASSWORD')) {
+        $ctx->{password_incorrect} = 1;
+        return Apache2::Const::OK;
+    }
     unless ($self->cgi->param("redirect_to")) {
         my $url = $self->apache->unparsed_uri;
@@ -1170,6 +1176,7 @@ sub load_myopac_update_username {
     my $e = $self->editor;
     my $ctx = $self->ctx;
     my $username = $self->cgi->param('username') || '';
+    my $current_pw = $self->cgi->param('current_pw') || '';
     return Apache2::Const::OK unless $self->cgi->request_method eq 'POST';
@@ -1184,7 +1191,12 @@ sub load_myopac_update_username {
     my $evt = $U->simplereq(
         'open-ils.actor',
         'open-ils.actor.user.username.update',
-        $e->authtoken, $username);
+        $e->authtoken, $username, $current_pw);
+
+    if($U->event_equals($evt, 'INCORRECT_PASSWORD')) {
+        $ctx->{password_incorrect} = 1;
+        return Apache2::Const::OK;
+    }
     if($U->event_equals($evt, 'USERNAME_EXISTS')) {
         $ctx->{username_exists} = $username;
diff --git a/Open-ILS/src/templates/opac/myopac/update_email.tt2 b/Open-ILS/src/templates/opac/myopac/update_email.tt2
index b920e085a7..6b662bd67c 100644
--- a/Open-ILS/src/templates/opac/myopac/update_email.tt2
+++ b/Open-ILS/src/templates/opac/myopac/update_email.tt2
@@ -9,6 +9,12 @@
[% bad_email = ctx.invalid_email | html %] [% l('The email address "[_1]" is invalid. Please try a different email address.', bad_email) %] + +[% ELSIF ctx.password_incorrect %] +
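Review bot: `$current_pw` is forwarded to `open-ils.actor.user.email.update` in this hunk without any visible check that the request arrived by POST, whereas the username handler in the next hunk rejects non-POST requests with `return Apache2::Const::OK unless $self->cgi->request_method eq 'POST';`; if the email form can be submitted with GET, the patron's password ends up in the query string, server access logs and Referer headers. The same one-line guard belongs in `load_myopac_update_email` before the `simplereq` call, unless it already exists earlier in the function, which is outside this hunk. Note also that only `INCORRECT_PASSWORD` is intercepted here; any other event returned in `$stat` still falls through to the redirect logic below, as it did before the change.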
+ [% |l %] Your current password was not correct. [% END %] +
+ [% END %]
@@ -17,6 +23,7 @@ [% END %] +
[% l('Current Email') %][% ctx.user.email | html %]
[% l('Current Password') %]
[% l('New Email') %]
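Review bot: The input element for the new `Current Password` row has been stripped from this rendering, so it cannot be confirmed that the field is `<input type='password' name='current_pw'>`; the name must match the `current_pw` parameter that `load_myopac_update_email` reads in the Account.pm hunk, and a plain text input would echo the password on screen and store it in browser form history. Marking it `autocomplete='off'` (or the browser's current-password hint) and confirming the enclosing form uses `method='POST'` keeps the password out of autofill and query strings. The same review applies to the parallel row added in update_username.tt2.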
diff --git a/Open-ILS/src/templates/opac/myopac/update_username.tt2 b/Open-ILS/src/templates/opac/myopac/update_username.tt2
index 6f48320104..70449ccedd 100644
--- a/Open-ILS/src/templates/opac/myopac/update_username.tt2
+++ b/Open-ILS/src/templates/opac/myopac/update_username.tt2
@@ -17,11 +17,18 @@ The username "[_1]" is taken. Please try a different username. [% END %] + +[% ELSIF ctx.password_incorrect %] +
+ [% |l %] Your current password was not correct. [% END %] +
+ [% END %] +
[% l('Current Username') %][% ctx.user.usrname | html %]
[% l('Current Password') %]
[% l('New Username') %]
diff --git a/Open-ILS/web/opac/skin/default/js/myopac.js b/Open-ILS/web/opac/skin/default/js/myopac.js
index 8e5c079ac5..1f4108e810 100644
--- a/Open-ILS/web/opac/skin/default/js/myopac.js
+++ b/Open-ILS/web/opac/skin/default/js/myopac.js
@@ -1057,6 +1057,7 @@ function myopacSaveAddress(row, addr, deleteMe) {
 function myOPACUpdateUsername() {
     var username = $('myopac_new_username').value;
+    var curpassword = $('myopac_username_current_password').value;
     if(username == null || username == "") {
         alert($('myopac_username_error').innerHTML);
         return;
@@ -1091,7 +1092,7 @@ function myOPACUpdateUsername() {
         return;
     }
-    var req = new Request(UPDATE_USERNAME, G.user.session, username );
+    var req = new Request(UPDATE_USERNAME, G.user.session, username, curpassword );
     req.send(true);
     if(req.result()) {
@@ -1115,12 +1116,13 @@ function myOPACUpdateUsername() {
 function myOPACUpdateEmail() {
     var email = $('myopac_new_email').value;
+    var curpassword = $('myopac_email_current_password').value;
     if(email == null || email == "") {
         alert($('myopac_email_error').innerHTML);
         return;
     }
-    var req = new Request(UPDATE_EMAIL, G.user.session, email );
+    var req = new Request(UPDATE_EMAIL, G.user.session, email, curpassword );
     req.send(true);
     if(req.result()) {
         G.user.email(email);
diff --git a/Open-ILS/web/opac/skin/default/xml/myopac/myopac_summary.xml b/Open-ILS/web/opac/skin/default/xml/myopac/myopac_summary.xml
index 40eda7f2ab..821f870db7 100644
--- a/Open-ILS/web/opac/skin/default/xml/myopac/myopac_summary.xml
+++ b/Open-ILS/web/opac/skin/default/xml/myopac/myopac_summary.xml
@@ -61,15 +61,26 @@
&common.username; &myopac.summary.change; - &myopac.summary.username.enter; - + + + + + + + + + + +
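Review bot: `curpassword` is read into the request in the `@@ -1091` hunk without ever being validated, while `username` gets an empty-string check a few lines earlier; an empty current password will always be rejected by the backend comparison added in Actor.pm, so a client-side `if(curpassword == null || curpassword == "") { alert(...); return; }` placed next to the username check saves a round trip and gives the patron an unambiguous message. Whether an element with id `myopac_username_current_password` actually exists in the patched myopac_summary.xml cannot be confirmed from this patch, since the markup in that section is stripped in this rendering; if it is missing, `$(...)` returns null and `.value` throws before the request is built. The rest of `myOPACUpdateUsername`, including what happens after `if(req.result())`, lies outside this hunk.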
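Review bot: In the `@@ -1115` hunk, `if(req.result())` still treats any truthy result as success and immediately calls `G.user.email(email)`, but after this change the backend can answer with an `INCORRECT_PASSWORD` event (an object, hence truthy) as the register_method hunk documents ("1 on success, Event on error"); unless `Request.prototype.result`, defined outside this file, already intercepts ILS events, a wrong password would update the displayed address client-side while the server left it unchanged. The commit message says incorrect-password handling was added only to the TPac, which makes this gap plausible. Comparing against the documented success value, `var res = req.result(); if(res == 1) {`, and reporting the event in the else branch would close it.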
&myopac.summary.password.current;
&myopac.summary.username.enter;
+
@@ -122,15 +133,26 @@
&myopac.summary.email; &myopac.summary.change; - &myopac.summary.email.new; - + + + + + + + + + + +
&myopac.summary.password.current;
&myopac.summary.email.new;
+
-- 
2.43.2