author | Yorhel <git@yorhel.nl> | 2016-01-10 11:05:59 +0100 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2016-01-10 11:18:39 +0100 |
commit | 8994032a68da279acdcc22963d7d6eda2d0e59f8 (patch) | |
tree | 95d94a0ad55ed66f889f13c72f583b19b3c5419f | |
parent | 48bbb8d0c3b121568c580dfd7c78f9dd0528cd8a (diff) |
Require current password on /u+/edit + only hash password once on /u+/setpass
-rw-r--r-- | data/lang.txt | 44 | ||||
-rw-r--r-- | lib/VNDB/Handler/Users.pm | 10 | ||||
-rw-r--r-- | lib/VNDB/Util/Auth.pm | 35 |
3 files changed, 65 insertions, 24 deletions
diff --git a/data/lang.txt b/data/lang.txt index b33861e4..fd668b8e 100644 --- a/data/lang.txt +++ b/data/lang.txt @@ -12669,17 +12669,29 @@ tr : Şimdiki şifrenizi korumak için boş bırakın uk : Залиш порожнім, якщо не хочеш міняти пароль it : Lascia vuoto se vuoi mantere la tua password attuale +:_usere_curpass +en : Current Password +ru*: +cs*: +hu*: +nl*: +de*: +es*: +tr*: +uk*: +it*: + :_usere_password -en : Password -ru : Пароль -cs : Heslo -hu : Jelszó -nl : Wachtwoord -de : Passwort -es : Contraseña -tr : Şifre -uk : Пароль -it : +en : New Password +ru*: +cs*: +hu*: +nl*: +de*: +es*: +tr*: +uk*: +it*: :_usere_confirm en : Confirm password @@ -16274,6 +16286,18 @@ tr : Şifreler eşleşmiyor uk : Пароль не підходить it : Le password non combaciano +:_formerr_e_invalidpass +en : Invalid password +ru*: +cs*: +hu*: +nl*: +de*: +es*: +tr*: +uk*: +it*: + :_formerr_e_usrexists en : Someone already has this username, please choose something else ru : Кто-то уже зарегистрировал такой ник, пожалуйста, выберите другой diff --git a/lib/VNDB/Handler/Users.pm b/lib/VNDB/Handler/Users.pm index 6b30db7b..0228b003 100644 --- a/lib/VNDB/Handler/Users.pm +++ b/lib/VNDB/Handler/Users.pm @@ -166,6 +166,7 @@ sub login { ); if(!$frm->{_err}) { + $frm->{usrname} = lc $frm->{usrname}; return if $self->authLogin($frm->{usrname}, $frm->{usrpass}, $ref); $frm->{_err} = [ 'login_failed' ]; $self->dbThrottleSet(norm_ip($self->reqIP), $tm+$self->{login_throttle}[0]); @@ -269,7 +270,7 @@ sub setpass { my %o = (email_confirmed => 1); $o{passwd} = $self->authPreparePass($frm->{usrpass}); $self->dbUserEdit($uid, %o); - return $self->authLogin($u->{username}, $frm->{usrpass}, "/u$uid"); + return $self->authCreateSession($u->{username}, "/u$uid"); } } 
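Review bot: Lower-casing the username now happens only in this caller (`$frm->{usrname} = lc $frm->{usrname};`), because the Auth.pm hunk for `authLogin` drops the `lc(scalar shift)` it used to apply; every other caller of `authLogin`, and every caller of the newly exported `authCheck`, now has to normalise case itself unless the lookup is case-insensitive on the database side or inside `authCheck` (whose body is cut off in the last hunk). Doing the `lc` once inside `authCheck` — `$user = lc $user;` right after `my($self, $user, $pass) = @_;` — would keep that guarantee in one place and make this line unnecessary. `login` starts and ends outside the hunk.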
@@ -369,6 +370,7 @@ sub edit { { post => 'ign_votes', required => 0, default => 0 }, ) : (), { post => 'mail', template => 'email' }, + { post => 'curpass', required => 0, minlength => 4, maxlength => 64, template => 'ascii', default => '' }, { post => 'usrpass', required => 0, minlength => 4, maxlength => 64, template => 'ascii' }, { post => 'usrpass2', required => 0, minlength => 4, maxlength => 64, template => 'ascii' }, { post => 'hide_list', required => 0, default => 0, enum => [0,1] }, @@ -382,6 +384,10 @@ sub edit { ); push @{$frm->{_err}}, 'passmatch' if ($frm->{usrpass} || $frm->{usrpass2}) && (!$frm->{usrpass} || !$frm->{usrpass2} || $frm->{usrpass} ne $frm->{usrpass2}); + push @{$frm->{_err}}, 'invalidpass' + if !($self->authInfo->{id} != $u->{id} && $self->authCan('usermod')) + && ($frm->{usrpass} || $frm->{usrpass2}) && !$self->authCheck($u->{username}, $frm->{curpass}); + if(!$frm->{_err}) { $frm->{skin} = '' if $frm->{skin} eq $self->{skin_default}; $self->dbUserPrefSet($uid, $_ => $frm->{$_}) for (qw|skin customcss show_nsfw traits_sexual tags_all hide_list spoilers|); @@ -410,6 +416,7 @@ sub edit { $frm->{tags_cat} ||= [ split /,/, $u->{prefs}{tags_cat}||$self->{default_tags_cat} ]; $frm->{ign_votes} = $u->{ign_votes} if !defined $frm->{ign_votes}; $frm->{skin} ||= $self->{skin_default}; + $frm->{usrpass} = $frm->{usrpass2} = $frm->{curpass} = ''; # create the page $self->htmlHeader(title => mt('_usere_title'), noindex => 1); @@ -436,6 +443,7 @@ sub edit { [ part => title => mt '_usere_changepass' ], [ static => content => mt '_usere_changepass_msg' ], + [ passwd => short => 'curpass', name => mt '_usere_curpass' ], [ passwd => short => 'usrpass', name => mt '_usere_password' ], [ passwd => short => 'usrpass2', name => mt '_usere_confirm' ], diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm index 0c3b5b73..9c742dc7 100644 --- a/lib/VNDB/Util/Auth.pm +++ b/lib/VNDB/Util/Auth.pm 
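Review bot: The new `invalidpass` check (hunk `@@ -382`) lets an already-authenticated session test guesses at the account's current password through `/u+/edit` without any rate limit, while the `login` hunk above throttles failed attempts with `dbThrottleSet`; since the whole point of asking for the current password is to contain a stolen session cookie, a failed `authCheck` here should feed the same throttle (e.g. `$self->dbThrottleSet(norm_ip($self->reqIP), ...)` as in `login`) or at least be logged. Note also that `authCheck` is not a pure predicate — its header comment in Auth.pm says it "writes information in _auth" — so a successful check replaces `$self->{_auth}` with a freshly loaded row for `$u->{username}`, which is only harmless while the checked user is the logged-in user (presumably guaranteed by the permission check earlier in `edit`, which is outside the hunk); a one-line comment at the call site saying so would help the next reader. The double negation `!($self->authInfo->{id} != $u->{id} && $self->authCan('usermod'))` reads more easily as `($self->authInfo->{id} == $u->{id} || !$self->authCan('usermod'))`. `edit` starts and ends outside these hunks.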
@@ -14,7 +14,7 @@ use VNDB::Func; our @EXPORT = qw| - authInit authLogin authLogout authInfo authCan authPreparePass + authInit authLogin authLogout authInfo authCan authPreparePass authCreateSession authCheck authPrepareReset authValidateReset authGetCode authCheckCode authPref |; @@ -50,18 +50,10 @@ sub authInit { # login, arguments: user, password, url-to-redirect-to-on-success # returns 1 on success (redirected), 0 otherwise (no reply sent) sub authLogin { - my $self = shift; - my $user = lc(scalar shift); - my $pass = shift; - my $to = shift; - - if(_authCheck($self, $user, $pass)) { - my $token = urandom(20); - my $cookie = unpack('H*', $token).'.'.$self->{_auth}{id}; - $self->dbSessionAdd($self->{_auth}{id}, sha1 $token); + my($self, $user, $pass, $to) = @_; - $self->resRedirect($to, 'post'); - $self->resCookie(auth => $cookie, httponly => 1, expires => time + 31536000); # keep the cookie for 1 year + if($self->authCheck($user, $pass)) { + $self->authCreateSession($user, $to); return 1; } @@ -69,6 +61,23 @@ sub authLogin { } +# Args: user, url-to-redirect-to-on-success +# Should only be called if the user is already authenticated (i.e. after authCheck or when the user just confirmed his email address). +sub authCreateSession { + my($self, $user, $to) = @_; + + $self->{_auth} = $self->dbUserGet(username => $user, what => 'extended notifycount')->[0] if $user; + die "No valid user!" if !$self->{_auth}{id}; + + my $token = urandom(20); + my $cookie = unpack('H*', $token).'.'.$self->{_auth}{id}; + $self->dbSessionAdd($self->{_auth}{id}, sha1 $token); + + $self->resRedirect($to, 'post'); + $self->resCookie(auth => $cookie, httponly => 1, expires => time + 31536000); # keep the cookie for 1 year +} + + # clears authentication cookie and redirects to / sub authLogout { my $self = shift; 
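Review bot: `authCreateSession` (hunk `@@ -69`) has no explicit `return`, so its value is whatever `resCookie` happens to return, and `setpass` in Users.pm now returns that where it previously returned `authLogin`'s `1`; ending the sub with `return 1;` keeps both paths equivalent for any caller that inspects the result. When it is called from `authLogin` directly after `authCheck` — which per its header comment already writes `_auth` — the `dbUserGet` lookup here loads the same row a second time; that is correct but worth a comment, or `authLogin` could pass no user and rely on the `if $user` guard. The cookie is issued with `httponly` but no `secure` attribute; if the site is served over HTTPS only and `resCookie` accepts such an attribute, adding it stops the session token from ever travelling in clear.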
@@ -104,7 +113,7 @@ sub authCan { # Checks for a valid login and writes information in _auth # Arguments: user, pass # Returns: 1 if login is valid, 0 otherwise -sub _authCheck { +sub authCheck { my($self, $user, $pass) = @_; return 0 if !$user || length($user) > 15 || length($user) < 2 || !$pass; |