rejetto forum
Software => HFS ~ HTTP File Server => Programmers corner => Topic started by: Mars on February 03, 2010, 12:00:20 AM
-
more security to allow a user to change his password
procedure setAccount();
var
  a: Paccount;
  s: string;
begin
  result:='';
  if p > '' then
    a:=getAccount(p, TRUE)
  else
    a:=md.cd.account;
  if a = NIL then exit;
  spaceIf(TRUE);
  try //mod by mars
    s:='';
    if a.pwd<>'' then s:=parEx('oldpass'); // the current password is required only when one is set
    if (a.pwd=s) and validUsername(s, TRUE) then
      try
        s:=parEx('password');
        if validUsername(s, TRUE) then
          a.pwd:=s;
      except end;
  except end;
end; // setAccount
usage: {.set account|%user%|password=NEWPASSWORD|oldpass=OLDPASSWORD.}
procedure getterAccount();
var
  a: Paccount;
  s: string;
begin
  result:='';
  if p > '' then
    a:=getAccount(p, TRUE)
  else
    a:=md.cd.account;
  if a = NIL then exit;
  s:=lowercase(par(1));
  if s = 'redirect' then result:=a.redir
  else if s = 'has password' then trueIf((a.pwd=par(2)) or (a.pwd=pars[2])) //add by mars
  else if s = 'no limits' then trueIf(a.nolimits)
  else if s = 'enabled' then trueIf(a.enabled)
  else if s = 'is group' then trueIf(a.group)
  else if s = 'member of' then result:=join(';',a.link)
  else if s = 'notes' then result:=a.notes;
  try result:=getKeyFromString(a.notes, parEx('notes key')) except end;
end; // getterAccount
usage: {.get account|%user%|has password|PASSWORD.}
Example of application:
<form method=post action="/~selfpasschange">
<table>
<tr><td align=left>{.!Username.}<td><INPUT READONLY NAME="name" value="%user%">
<tr><td align=left>{.!Current Password.}<td><input type="password" name="oldpass">
<tr><td align=left>{.!New Password.}<td><input type="password" name="newpass">
<tr><td align=left>{.!Confirm Password.}<td><input type="password" name="confirmpass">
<tr><td align=left><td align=center><input type=submit value="{.!Change.}">
</tr></table></form>
[selfpasschange]
{.if|{.and|%user%|{.{.postvar|newpass.}={.postvar|confirmpass.}.}/and.}|
{:{.set account|%user%|oldpass={.postvar|oldpass.}|password={.postvar|newpass.}.}:}
/if.}
{.if|{.get account|%user%|has password|{.postvar|newpass.}.}
|{:<b>{.!The new password is.} : <INPUT READONLY NAME="name" value="{.postvar|newpass.}"></b>:}
|<b><font color=firebrick>{.!Error during change password !.}</b>
/if.}
-
as stated elsewhere, scripts must be trusted.
there's no reason to limit password access and change at this level.
it's up to the script to ask for confirmation.
so, i have to add a parameter to retrieve the password. in #254.
-
so, i have to add a parameter to retrieve the password. in #254
That could become a compatibility problem if one day you decide to encode the passwords with MD5.
if s = '.... password' then trueIf((a.pwd=par(2)) or (a.pwd=pars[2]))
is, in my opinion, a wiser solution
???
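The check-the-old-password-then-set flow from the first post, together with the hashed-storage concern raised here, as an added Python example (not HFS code): `Account`, `valid_username`, `password_is` and `set_password` are assumed names, and the `md5:` prefix is a constructed convention marking a stored digest rather than a cleartext password.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    user: str
    pwd: str  # cleartext, or "md5:<hex digest>" (constructed convention)


def valid_username(s: str, accept_empty: bool = False) -> bool:
    """Assumed stand-in for HFS validUsername: printable, no macro delimiters."""
    if s == '':
        return accept_empty
    return all(c.isprintable() and c not in '|{}' for c in s)


def password_is(a: Account, candidate: str) -> bool:
    """Equivalent of {.get account|user|password is|CANDIDATE.}: compares
    against a digest when the stored value is hashed, so the macro keeps
    working if the account file moves from cleartext to MD5 storage."""
    if a.pwd.startswith('md5:'):
        digest = hashlib.md5(candidate.encode('utf-8')).hexdigest()
        return hmac.compare_digest(a.pwd[4:], digest)
    return hmac.compare_digest(a.pwd, candidate)


def set_password(a: Account, oldpass: str, newpass: str, confirm: str,
                 hashed: bool = False) -> bool:
    """Self-service change as in setAccount: the current password is required
    only when one is set, new and confirm must match, and the new value must
    be acceptable. Returns True when the password was changed."""
    if newpass != confirm:
        return False
    if a.pwd != '' and not password_is(a, oldpass):
        return False
    if not valid_username(newpass):
        return False
    if hashed:  # MD5 as discussed in the thread; a modern deployment would use a salted password hash
        a.pwd = 'md5:' + hashlib.md5(newpass.encode('utf-8')).hexdigest()
    else:
        a.pwd = newpass
    return True
```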
-
your point is clever.
i will think on it.
-
ok, i changed "has password" to "password is".
i think it's better
if {get account|foo|password is|bar}