rejetto forum

account password


Mars
more security to allow a user to change his password

Quote
 procedure setAccount();
  var
    a: Paccount;
    s: string;
  begin
  result:='';
  if p > '' then
    a:=getAccount(p, TRUE)
  else
    a:=md.cd.account;
  if a = NIL then exit;
  spaceIf(TRUE);

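  try                 // mod by mars
    // require the current password before accepting a new one
    s:='';
    if a.pwd<>'' then s:=parEx('oldpass');
    if (a.pwd=s) and validUsername(s, TRUE) then
      try
        s:=parEx('password');
        // store the new password only if it passes validation
        if validUsername(s, TRUE) then
          a.pwd:=s;
      except end;
  except end;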

usage:  {.set account|%user%|password=NEWPASSWORD|oldpass=OLDPASSWORD.}


Quote
 procedure getterAccount();
  var
    a: Paccount;
    s: string;
  begin
  result:='';
  if p > '' then
    a:=getAccount(p, TRUE)
  else
    a:=md.cd.account;
  if a = NIL then exit;
  s:=lowercase(par(1));
  if s = 'redirect' then result:=a.redir
  else if s = 'has password' then trueIf((a.pwd=par(2)) or (a.pwd=pars[2]))  //add by mars
  else if s = 'no limits' then trueIf(a.nolimits)
  else if s = 'enabled' then trueIf(a.enabled)
  else if s = 'is group' then trueIf(a.group)
  else if s = 'member of' then result:=join(';',a.link)
  else if s = 'notes' then result:=a.notes;
  try result:=getKeyFromString(a.notes, parEx('notes key')) except end;
  end; // getterAccount

usage: {.get account|%user%|has password|PASSWORD.}


Example of application:

<form method=post action="/~selfpasschange">
<table>
  <tr><td align=left>{.!Username.}<td><INPUT READONLY NAME="name" value="%user%">
  <tr><td align=left>{.!Current Password.}<td><input type="password" name="oldpass">
  <tr><td align=left>{.!New Password.}<td><input type="password" name="newpass">
  <tr><td align=left>{.!Confirm Password.}<td><input type="password" name="confirmpass">
  <tr><td align=left><td align=center><input type=submit value="{.!Change.}">
  </tr></table>
</form>

[selfpasschange]
{.if|{.and|%user%|{.{.postvar|newpass.}={.postvar|confirmpass.}.}/and.}|
  {:{.set account|%user%|oldpass={.postvar|oldpass.}|password={.postvar|newpass.}.}:}
/if.}
{.if|{.get account|%user%|has password|{.postvar|newpass.}.}
  |{:<b>{.!The new password is.} : <INPUT READONLY NAME="name" value="{.postvar|newpass.}"></b>:}
  |<b><font color=firebrick>{.!Error during change password !.}</font></b>
/if.}
« Last Edit: February 03, 2010, 08:07:42 AM by Mars »


rejetto
as stated elsewhere, scripts must be trusted.
there's no reason to limit password access and change at this level.
it's up to the script to ask for confirmation.

so, i have to add a parameter to retrieve the password. in #254.


Mars
Quote
so, i have to add a parameter to retrieve the password. in #254

That can become a problem of compatibility if one day you decide to code the passwords with md5.

if s = '.... password' then trueIf((a.pwd=par(2)) or (a.pwd=pars[2]))

is in my opinion a wiser solution

 ???


rejetto
ok, i changed "has password" to "password is".
i think it's a better

if {get account|foo|password is|bar}
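
Added example, not part of the thread and not HFS code: a Python sketch of why a comparison-only check like "password is" keeps working if stored passwords stop being plaintext, and of a password change gated on the current password. The Account class, its method names and the iteration count are hypothetical, and it uses salted PBKDF2 rather than the md5 mentioned above.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


class Account:
    """Hypothetical account record; HFS's own Paccount is not modelled here."""

    def __init__(self, name, password=""):
        self.name = name
        self.salt = b""
        self.pwd_hash = b""  # empty means "no password set"
        if password:
            self._store(password)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def _store(self, password):
        self.salt = os.urandom(16)
        self.pwd_hash = self._derive(password, self.salt)

    def password_is(self, candidate):
        """Comparison-only check: callers never see the stored value."""
        if not self.pwd_hash:
            return candidate == ""
        derived = self._derive(candidate, self.salt)
        return hmac.compare_digest(self.pwd_hash, derived)  # constant-time compare

    def change_password(self, old, new):
        """Replace the password only when the current one is supplied.

        This sketch also refuses an empty new password (an assumption).
        """
        if not new or not self.password_is(old):
            return False
        self._store(new)
        return True


def demo():
    acct = Account("foo", "bar")  # constructed sample account
    results = [acct.password_is("bar")]
    results.append(acct.change_password("wrong", "n3w-secret"))
    results.append(acct.change_password("bar", "n3w-secret"))
    results.append(acct.password_is("n3w-secret"))
    results.append(acct.password_is("bar"))
    return results
```

A getter that returns the stored password has nothing useful to return once only a salted hash is kept, while `password_is` behaves the same for callers either way.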