rejetto forum

account password

Mars · 5 · 1609

0 Members and 1 Guest are viewing this topic.

Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2039
    • View Profile
more security to allow a user to change his password

Quote
 procedure setAccount();
  var
    a: Paccount;
    s: string;
  begin
  result:='';
  if p > '' then
    a:=getAccount(p, TRUE)
  else
    a:=md.cd.account;
  if a = NIL then exit;
  spaceIf(TRUE);

    try                 //mod by mars
    s:='';
    if a.pwd<>'' then s:=parEx('oldpass');
    if (a.pwd=s) and validUsername(s, TRUE) then

      try
      s:=parEx('password');
      if validUsername(s, TRUE) then
        a.pwd:=s;
      except end;
  except end;

usage:  {.set account|%user%|password=NEWPASSWORD|oldpass=OLDPASSORD.}


Quote
 procedure getterAccount();
  var
    a: Paccount;
    s: string;
  begin
  result:='';
  if p > '' then
    a:=getAccount(p, TRUE)
  else
    a:=md.cd.account;
  if a = NIL then exit;
  s:=lowercase(par(1));
  if s = 'redirect' then result:=a.redir
  else if s = 'has password' then trueIf((a.pwd=par(2)) or (a.pwd=pars[2]))  //add by mars
  else if s = 'no limits' then trueIf(a.nolimits)
  else if s = 'enabled' then trueIf(a.enabled)
  else if s = 'is group' then trueIf(a.group)
  else if s = 'member of' then result:=join(';',a.link)
  else if s = 'notes' then result:=a.notes;
  try result:=getKeyFromString(a.notes, parEx('notes key')) except end;
  end; // getterAccount

usage: {.get account|%user%|has password|PASSWORD.}


Example of application :

<form method=post action="/~selfpasschange>
<table>
  <tr><td align=left>{.!Username.}<td><INPUT READONLY NAME="name" value="%user%">
  <tr><td align=left>{.!Current Password.}<td><input type="password" name="oldpass">
  <tr><td align=left>{.!New Password.}<td><input type="password" name="newpass">
  <tr><td align=left>{.!Confirm Password.}<td><input type="password" name="confirmpass">
  <tr><td align=left><td align=center><input type=submit value="{.!Change.}">
  </tr></table

[selfpasschange]
{.if|{.and|%user%|{.{.postvar|newpass.}={.postvar|confirmpass.}.}/and.}|
  {:{.set account|%user%|oldpass={.postvar|oldpass.}|password={.postvar|newpass.}.}:}
/if.}
{.if|{.get account|%user%|has password|{.postvar|newpass.}.}
  |{:<b>{.!The new password is.} : <INPUT READONLY NAME="name" value="{.postvar|newpass.}"></b>:}
  |<b><font color=firebrick>{.!Error during change password !.}</b>
/if.}
« Last Edit: February 03, 2010, 08:07:42 AM by Mars »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13308
    • View Profile
as stated elsewhere, scripts must be trusted.
there's no reason to limit password access and change at this level.
it's up to the script to ask for confirmation.

so, i have to add a parameter to retrieve the password. in #254.


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2039
    • View Profile
Quote
so, i have to add a parameter to retrieve the password. in #254

That can become a problem of compatibility, if one day you decided to code the passwords with md5

if s = '.... password' then trueIf((a.pwd=par(2)) or (a.pwd=pars[2]))

is in my opinion a wiser solution

 ???


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13308
    • View Profile

Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13308
    • View Profile
ok, i changed "has password" in "password is".
i think it's a better

if {get account|foo|password is|bar}