rejetto forum

Software => HFS ~ HTTP File Server => Programmers corner => Topic started by: Mars on February 03, 2010, 12:00:20 AM

Title: account password
Post by: Mars on February 03, 2010, 12:00:20 AM
More security to allow a user to change his password.

Quote
 procedure setAccount();
  var
    a: Paccount;
    s: string;
  begin
  result:='';
  if p > '' then
    a:=getAccount(p, TRUE)   // account named by the first parameter
  else
    a:=md.cd.account;        // otherwise the account of the current connection
  if a = NIL then exit;
  spaceIf(TRUE);

  try                 //mod by mars
    s:='';
    // an account that already has a password must present it as oldpass;
    // parEx raises if the parameter is missing and the outer try swallows that,
    // so the password is left untouched
    if a.pwd<>'' then s:=parEx('oldpass');
    if (a.pwd=s) and validUsername(s, TRUE) then
      try
        s:=parEx('password');
        if validUsername(s, TRUE) then   // TRUE: an empty password is accepted
          a.pwd:=s;
      except end;
  except end;
  // ... the rest of the original setAccount body is unchanged and omitted here
  end; // setAccount

usage:  {.set account|%user%|password=NEWPASSWORD|oldpass=OLDPASSWORD.}


Quote
 procedure getterAccount();
  var
    a: Paccount;
    s: string;
  begin
  result:='';
  if p > '' then
    a:=getAccount(p, TRUE)   // account named by the first parameter
  else
    a:=md.cd.account;        // otherwise the account of the current connection
  if a = NIL then exit;
  s:=lowercase(par(1));
  if s = 'redirect' then result:=a.redir
  // add by mars: only says whether the given value matches, never returns the password itself
  else if s = 'has password' then trueIf((a.pwd=par(2)) or (a.pwd=pars[2]))
  else if s = 'no limits' then trueIf(a.nolimits)
  else if s = 'enabled' then trueIf(a.enabled)
  else if s = 'is group' then trueIf(a.group)
  else if s = 'member of' then result:=join(';',a.link)
  else if s = 'notes' then result:=a.notes;
  // parEx raises when 'notes key' is absent, so result is only overwritten when it was given
  try result:=getKeyFromString(a.notes, parEx('notes key')) except end;
  end; // getterAccount

usage: {.get account|%user%|has password|PASSWORD.}


Example of application:

<form method=post action="/~selfpasschange">
<table>
  <tr><td align=left>{.!Username.}<td><INPUT READONLY NAME="name" value="%user%">
  <tr><td align=left>{.!Current Password.}<td><input type="password" name="oldpass">
  <tr><td align=left>{.!New Password.}<td><input type="password" name="newpass">
  <tr><td align=left>{.!Confirm Password.}<td><input type="password" name="confirmpass">
  <tr><td align=left><td align=center><input type=submit value="{.!Change.}">
  </tr></table>
</form>

[selfpasschange]
{.if|{.and|%user%|{.{.postvar|newpass.}={.postvar|confirmpass.}.}/and.}|
  {:{.set account|%user%|oldpass={.postvar|oldpass.}|password={.postvar|newpass.}.}:}
/if.}
{.if|{.get account|%user%|has password|{.postvar|newpass.}.}
  |{:<b>{.!The new password is.} : <INPUT READONLY NAME="name" value="{.postvar|newpass.}"></b>:}
  |<b><font color=firebrick>{.!Error during password change!.}</font></b>
/if.}
Title: Re: account password
Post by: rejetto on February 09, 2010, 05:27:23 PM
As stated elsewhere, scripts must be trusted.
There's no reason to limit password access and change at this level.
It's up to the script to ask for confirmation.

So, I have to add a parameter to retrieve the password, in #254.
Title: Re: account password
Post by: Mars on February 18, 2010, 07:59:48 PM
Quote
So, I have to add a parameter to retrieve the password, in #254.

That can become a compatibility problem if one day you decide to encode the passwords with MD5.

if s = '.... password' then trueIf((a.pwd=par(2)) or (a.pwd=pars[2]))  

is in my opinion a wiser solution

 ???
Title: Re: account password
Post by: rejetto on February 18, 2010, 11:51:29 PM
Your point is clever.
I will think on it.
Title: Re: account password
Post by: rejetto on February 20, 2010, 08:00:43 PM
OK, I changed "has password" to "password is".
I think it's better:

if {get account|foo|password is|bar}
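The self-service change from the first post and the "password is" comparison argued for in the later ones, as an added example in Python that is not HFS code (HFS is written in Delphi and the snippets above are from its macro engine). The `Account` class, the `pbkdf2$salt$digest` storage format, the `valid_password` rule and the sample accounts are assumptions made here. It goes a step beyond the thread by showing what happens to each design once passwords are stored hashed: a predicate that only answers yes or no keeps working, while a template that retrieves the raw stored value and compares it itself breaks.

```python
"""Self-service password change modelled on the thread's
{.set account|X|oldpass=OLD|password=NEW.} and {.get account|X|password is|Y.}.
Added example, not HFS code; storage format and validity rule are assumptions."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000      # assumption: tunable work factor
MACRO_DELIMITERS = set("|{}")    # assumption: characters that would break a {.macro|param.} call


class Account:
    """Minimal stand-in for an HFS account: a name plus the stored credential."""

    def __init__(self, name: str, stored: str = "") -> None:
        self.name = name
        self.pwd = stored  # plaintext, or "pbkdf2$<salt hex>$<digest hex>"


def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def store_hashed(password: str) -> str:
    """Produce the (assumed) hashed storage form with a fresh random salt."""
    salt = os.urandom(16)
    return "pbkdf2$" + salt.hex() + "$" + hash_password(password, salt)


def valid_password(value: str) -> bool:
    """Counterpart of validUsername(s, TRUE) in the posted code: empty is accepted,
    macro delimiters are rejected (assumed rule, not HFS's own)."""
    return not (MACRO_DELIMITERS & set(value))


def password_is(account: Account, candidate: str) -> bool:
    """{.get account|X|password is|Y.}: True iff Y matches, whatever the storage format.
    Only a boolean leaves this function, so a template written against it keeps
    working if plaintext storage is later replaced by hashes."""
    stored = account.pwd
    if stored.startswith("pbkdf2$"):
        _, salt_hex, digest = stored.split("$", 2)
        return hmac.compare_digest(hash_password(candidate, bytes.fromhex(salt_hex)), digest)
    # constant-time compare even for plaintext, so the check leaks nothing via timing
    return hmac.compare_digest(stored.encode(), candidate.encode())


def get_password_raw(account: Account) -> str:
    """The alternative discussed in the thread: hand the stored value to the script.
    With hashed storage this no longer equals the password the user typed."""
    return account.pwd


def set_password(account: Account, old: str, new: str, confirm: str, hashed: bool = True) -> bool:
    """{.set account|X|oldpass=OLD|password=NEW.} plus the template's confirm check.
    Returns True only if the password was actually changed."""
    if new != confirm:
        return False
    if not valid_password(new):
        return False
    # as in the posted Pascal: an account that has a password must present it first
    if account.pwd and not password_is(account, old):
        return False
    account.pwd = store_hashed(new) if hashed else new
    return True


if __name__ == "__main__":
    foo = Account("foo", "bar")                           # constructed sample, plaintext
    print(password_is(foo, "bar"))                        # True
    print(set_password(foo, "bar", "s3cret", "s3cret"))   # True, now stored hashed
    print(password_is(foo, "s3cret"))                     # True: the predicate still works
    print(get_password_raw(foo) == "s3cret")              # False: raw retrieval no longer does
```

`set_password(..., hashed=False)` keeps the plaintext behaviour the thread describes; switching the flag is the migration Mars anticipates, and every caller of `password_is` is unaffected by it.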