From 6b69561a171568b36710e0e28aea9f0bd59a295c Mon Sep 17 00:00:00 2001
From: Sebastian Reichel <sre@ring0.de>
Date: Fri, 5 Oct 2012 20:52:04 +0200
Subject: add password change option (Closes GH-15)

---
 src/db.vala  | 21 +++++++++++++++++++++
 src/web.vala | 20 +++++++++++++++++---
 2 files changed, 38 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/db.vala b/src/db.vala
index d261eed..2ab5f7c 100644
--- a/src/db.vala
+++ b/src/db.vala
@@ -184,6 +184,7 @@ public class Database {
 		queries["session_get"]       = "SELECT user FROM authentication WHERE session = ?";
 		queries["username"]          = "SELECT firstname, lastname FROM users WHERE id = ?";
 		queries["password_get"]      = "SELECT password FROM authentication WHERE user = ?";
+		queries["password_set"]      = "UPDATE authentication SET password=? WHERE user = ?";
 		queries["userinfo"]          = "SELECT firstname, lastname, email, gender, street, plz, city FROM users WHERE id = ?";
 		queries["userauth"]          = "SELECT disabled, superuser FROM authentication WHERE user = ?";
 		queries["profit_by_product"] = "SELECT name, SUM(memberprice - (SELECT price FROM purchaseprices WHERE product = purch.product)) AS price FROM sells purch, prices, products WHERE purch.product = products.id AND purch.product = prices.product AND purch.user > 0 AND purch.timestamp > ? AND purch.timestamp < ? AND prices.valid_from = (SELECT valid_from FROM prices WHERE product = purch.product AND valid_from < purch.timestamp ORDER BY valid_from DESC LIMIT 1) GROUP BY name ORDER BY price;";
@@ -582,6 +583,26 @@ public class Database {
 		}
 	}
 
+	public void set_user_password(int32 user, string password) {
+		var pwhash = Checksum.compute_for_string(ChecksumType.SHA256, password);
+		int rc;
+
+		/* create user auth line if not existing */
+		statements["user_auth_create"].reset();
+		statements["user_auth_create"].bind_int(1, user);
+		rc = statements["user_auth_create"].step();
+		if(rc != Sqlite.DONE)
+			error("[internal error: %d]".printf(rc));
+
+		/* set password */
+		statements["password_set"].reset();
+		statements["password_set"].bind_text(1, pwhash);
+		statements["password_set"].bind_int(2, user);
+		rc = statements["password_set"].step();
+		if(rc != Sqlite.DONE)
+			error("[internal error: %d]".printf(rc));
+	}
+
 	public void set_sessionid(int user, string sessionid) {
 		statements["session_set"].reset();
 		statements["session_set"].bind_text(1, sessionid);
diff --git a/src/web.vala b/src/web.vala
index 8c87eed..2e2e13f 100644
--- a/src/web.vala
+++ b/src/web.vala
@@ -200,12 +200,12 @@ public class WebServer {
 
 	void handler_user_entry(Soup.Server server, Soup.Message msg, string path, GLib.HashTable? query, Soup.ClientContext client, int id) {
 		try {
-			var l = new WebSession(server, msg, path, query, client);
-			if(id != l.user && !l.superuser) {
+			var session = new WebSession(server, msg, path, query, client);
+			if(id != session.user && !session.superuser) {
 				handler_403(server, msg, path, query, client);
 				return;
 			}
-			var t = new WebTemplate("users/entry.html", l);
+			var t = new WebTemplate("users/entry.html", session);
 			t.replace("TITLE", "KtT Shop System: User Info %llu".printf(id));
 			t.menu_set_active("users");
 
@@ -224,6 +224,20 @@ public class WebServer {
 			t.replace("DISABLED", userauth.disabled ? "true" : "false");
 			t.replace("ISSUPERUSER", userauth.superuser ? "true" : "false");
 
+			var postdata = Soup.Form.decode_multipart(msg, null, null, null, null);
+			if(postdata != null && postdata.contains("password1") && postdata.contains("password2")) {
+				if(postdata["password1"] != postdata["password2"]) {
+					t.replace("MESSAGE", "<div class=\"alert alert-error\">Error! Passwords do not match!</div>");
+				} else if(postdata["password1"] == "") {
+					t.replace("MESSAGE", "<div class=\"alert alert-error\">Error! Empty Password not allowed!</div>");
+				} else {
+					db.set_user_password(session.user, postdata["password1"]);
+					t.replace("MESSAGE", "<div class=\"alert alert-success\">Password Changed!</div>");
+				}
+			} else {
+				t.replace("MESSAGE", "");
+			}
+
 			msg.set_response("text/html", Soup.MemoryUse.COPY, t.data);
 		} catch(TemplateError e) {
 			stderr.printf(e.message+"\n");
-- 
cgit v1.2.3