Diffstat (limited to 'lib/VNDB')
-rw-r--r--lib/VNDB/Handler/Users.pm10
-rw-r--r--lib/VNDB/Util/Auth.pm35
2 files changed, 31 insertions, 14 deletions
diff --git a/lib/VNDB/Handler/Users.pm b/lib/VNDB/Handler/Users.pm
index 6b30db7b..0228b003 100644
--- a/lib/VNDB/Handler/Users.pm
+++ b/lib/VNDB/Handler/Users.pm
@@ -166,6 +166,7 @@ sub login {
);
if(!$frm->{_err}) {
+ $frm->{usrname} = lc $frm->{usrname};
return if $self->authLogin($frm->{usrname}, $frm->{usrpass}, $ref);
$frm->{_err} = [ 'login_failed' ];
$self->dbThrottleSet(norm_ip($self->reqIP), $tm+$self->{login_throttle}[0]);
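Review bot: The username is now lowercased here rather than inside authLogin (the `lc(scalar shift)` dropped in the Auth.pm authLogin hunk), so the normalisation contract has moved to the caller: authLogin and authCheck as shown take `$user` exactly as given. Any other caller of authLogin outside this diff that passes raw user input would now be case-sensitive, which I cannot verify from here. A one-line comment on the added line would make that visible, e.g. `# authLogin/authCheck no longer lowercase the name; normalise it here`. The body of login continues outside the hunk.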
@@ -269,7 +270,7 @@ sub setpass {
my %o = (email_confirmed => 1);
$o{passwd} = $self->authPreparePass($frm->{usrpass});
$self->dbUserEdit($uid, %o);
- return $self->authLogin($u->{username}, $frm->{usrpass}, "/u$uid");
+ return $self->authCreateSession($u->{username}, "/u$uid");
}
}
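Review bot: After the password is replaced through dbUserEdit, a fresh session is created with authCreateSession, but nothing in this hunk revokes sessions that already exist for `$uid`; if the reset is used to recover a compromised account, those sessions remain usable until their cookie expires (one year, per authCreateSession). I cannot see from the diff whether dbUserEdit or another path already clears them; if not, removing the user's existing sessions before the new one is added here would close that gap. The rest of setpass lies outside the hunk.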
@@ -369,6 +370,7 @@ sub edit {
{ post => 'ign_votes', required => 0, default => 0 },
) : (),
{ post => 'mail', template => 'email' },
+ { post => 'curpass', required => 0, minlength => 4, maxlength => 64, template => 'ascii', default => '' },
{ post => 'usrpass', required => 0, minlength => 4, maxlength => 64, template => 'ascii' },
{ post => 'usrpass2', required => 0, minlength => 4, maxlength => 64, template => 'ascii' },
{ post => 'hide_list', required => 0, default => 0, enum => [0,1] },
@@ -382,6 +384,10 @@ sub edit {
);
push @{$frm->{_err}}, 'passmatch'
if ($frm->{usrpass} || $frm->{usrpass2}) && (!$frm->{usrpass} || !$frm->{usrpass2} || $frm->{usrpass} ne $frm->{usrpass2});
+ push @{$frm->{_err}}, 'invalidpass'
+ if !($self->authInfo->{id} != $u->{id} && $self->authCan('usermod'))
+ && ($frm->{usrpass} || $frm->{usrpass2}) && !$self->authCheck($u->{username}, $frm->{curpass});
+
if(!$frm->{_err}) {
$frm->{skin} = '' if $frm->{skin} eq $self->{skin_default};
$self->dbUserPrefSet($uid, $_ => $frm->{$_}) for (qw|skin customcss show_nsfw traits_sexual tags_all hide_list spoilers|);
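Review bot: The added current-password check calls authCheck without the throttle that login applies on failure (`dbThrottleSet` in the login hunk), so repeated wrong guesses through the edit form are not rate-limited; since it only verifies `$u->{username}`, which on this branch is the session's own account, the exposure is confined to confirming one's own password, but applying the same throttle on an invalidpass failure would keep the two verification paths consistent. The guard `!($self->authInfo->{id} != $u->{id} && $self->authCan('usermod'))` is a double negative; naming it first, `my $needs_curpass = $self->authInfo->{id} == $u->{id} || !$self->authCan('usermod');`, states the intent (self-edits and non-moderators must confirm the current password) directly. The edit handler continues outside the hunk.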
@@ -410,6 +416,7 @@ sub edit {
$frm->{tags_cat} ||= [ split /,/, $u->{prefs}{tags_cat}||$self->{default_tags_cat} ];
$frm->{ign_votes} = $u->{ign_votes} if !defined $frm->{ign_votes};
$frm->{skin} ||= $self->{skin_default};
+ $frm->{usrpass} = $frm->{usrpass2} = $frm->{curpass} = '';
# create the page
$self->htmlHeader(title => mt('_usere_title'), noindex => 1);
@@ -436,6 +443,7 @@ sub edit {
[ part => title => mt '_usere_changepass' ],
[ static => content => mt '_usere_changepass_msg' ],
+ [ passwd => short => 'curpass', name => mt '_usere_curpass' ],
[ passwd => short => 'usrpass', name => mt '_usere_password' ],
[ passwd => short => 'usrpass2', name => mt '_usere_confirm' ],
diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm
index 0c3b5b73..9c742dc7 100644
--- a/lib/VNDB/Util/Auth.pm
+++ b/lib/VNDB/Util/Auth.pm
@@ -14,7 +14,7 @@ use VNDB::Func;
our @EXPORT = qw|
- authInit authLogin authLogout authInfo authCan authPreparePass
+ authInit authLogin authLogout authInfo authCan authPreparePass authCreateSession authCheck
authPrepareReset authValidateReset authGetCode authCheckCode authPref
|;
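Review bot: authCheck is now exported as a general verifier, but per its own header comment in the last hunk (`Checks for a valid login and writes information in _auth`) it replaces `$self->{_auth}` with the checked user's record on success, so a caller using it purely to confirm a password, like the new curpass check in Users.pm edit, silently switches the request's auth context to that user. In edit the username checked is the session's own account, so the effect is benign today, but it is the kind of side effect that should be spelled out next to the function: `# NOTE: on success this overwrites $self->{_auth} with the checked user's record`. A verification routine that does not touch `_auth` would remove the footgun for future callers.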
@@ -50,18 +50,10 @@ sub authInit {
# login, arguments: user, password, url-to-redirect-to-on-success
# returns 1 on success (redirected), 0 otherwise (no reply sent)
sub authLogin {
- my $self = shift;
- my $user = lc(scalar shift);
- my $pass = shift;
- my $to = shift;
-
- if(_authCheck($self, $user, $pass)) {
- my $token = urandom(20);
- my $cookie = unpack('H*', $token).'.'.$self->{_auth}{id};
- $self->dbSessionAdd($self->{_auth}{id}, sha1 $token);
+ my($self, $user, $pass, $to) = @_;
- $self->resRedirect($to, 'post');
- $self->resCookie(auth => $cookie, httponly => 1, expires => time + 31536000); # keep the cookie for 1 year
+ if($self->authCheck($user, $pass)) {
+ $self->authCreateSession($user, $to);
return 1;
}
@@ -69,6 +61,23 @@ sub authLogin {
}
+# Args: user, url-to-redirect-to-on-success
+# Should only be called if the user is already authenticated (i.e. after authCheck or when the user just confirmed his email address).
+sub authCreateSession {
+ my($self, $user, $to) = @_;
+
+ $self->{_auth} = $self->dbUserGet(username => $user, what => 'extended notifycount')->[0] if $user;
+ die "No valid user!" if !$self->{_auth}{id};
+
+ my $token = urandom(20);
+ my $cookie = unpack('H*', $token).'.'.$self->{_auth}{id};
+ $self->dbSessionAdd($self->{_auth}{id}, sha1 $token);
+
+ $self->resRedirect($to, 'post');
+ $self->resCookie(auth => $cookie, httponly => 1, expires => time + 31536000); # keep the cookie for 1 year
+}
+
+
# clears authentication cookie and redirects to /
sub authLogout {
my $self = shift;
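Review bot: The header comment on authCreateSession at the top of the hunk omits two behaviours callers must know: when `$user` is empty the current `$self->{_auth}` is reused rather than re-fetched, and the function dies with "No valid user!" when no id results, which setpass cannot catch without an eval. I would extend the comment with `# If $user is empty the existing $self->{_auth} is used as-is; dies when no user id is available.` and `# The username is looked up as given; callers must lowercase it (see Users.pm login).` The cookie is set with `httponly => 1` but no Secure attribute appears in the call; if resCookie does not add one by default, marking the auth cookie Secure where the site is served over TLS would be worth considering.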
@@ -104,7 +113,7 @@ sub authCan {
# Checks for a valid login and writes information in _auth
# Arguments: user, pass
# Returns: 1 if login is valid, 0 otherwise
-sub _authCheck {
+sub authCheck {
my($self, $user, $pass) = @_;
return 0 if !$user || length($user) > 15 || length($user) < 2 || !$pass;