From ad4f4e405aed82cd0f87e51874043a2d054a1c01 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 8 Sep 2016 18:43:47 +0200
Subject: [session] Add simple "change password" GUI
---
 inc/user.inc.php | 17 ++++++++
 modules-available/main/templates/main-menu.html | 2 +
 modules-available/session/page.inc.php | 51 ++++++++++++++++++----
 modules-available/session/style.css | 43 ++++++++++++++++++
 .../session/templates/change-password.html | 11 +++++
 .../session/templates/page-login.html | 11 +++--
 style/default.css | 51 ++++++----------------
 7 files changed, 134 insertions(+), 52 deletions(-)
 create mode 100644 modules-available/session/style.css
 create mode 100644 modules-available/session/templates/change-password.html
diff --git a/inc/user.inc.php b/inc/user.inc.php
index dc603dac..f7688b00 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -49,6 +49,23 @@ class User
 return false;
 }
 
+ public static function testPassword($userid, $password)
+ {
+ $ret = Database::queryFirst('SELECT passwd FROM user WHERE userid = :userid LIMIT 1', compact('userid'));
+ if ($ret === false)
+ return false;
+ return Crypto::verify($password, $ret['passwd']);
+ }
+
+ public static function updatePassword($password)
+ {
+ if (!self::isLoggedIn())
+ return;
+ $passwd = Crypto::hash6($password);
+ $userid = self::getId();
+ return Database::exec('UPDATE user SET passwd = :passwd WHERE userid = :userid LIMIT 1', compact('userid', 'passwd')) > 0;
+ }
+
 public static function login($user, $pass)
 {
 $ret = Database::queryFirst('SELECT userid, passwd FROM user WHERE login = :user LIMIT 1', array(':user' => $user));
diff --git a/modules-available/main/templates/main-menu.html b/modules-available/main/templates/main-menu.html
index 8dc91f12..2ede4f87 100644
--- a/modules-available/main/templates/main-menu.html
+++ b/modules-available/main/templates/main-menu.html
@@ -60,6 +60,7 @@
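Review bot: `updatePassword()` returns `null` via the bare `return;` on the not-logged-in path but a bool everywhere else, so the caller in page.inc.php cannot tell "not logged in" from "row not updated"; change it to `return false;` so the return type is consistently bool. `testPassword()` returns early when `queryFirst` yields no row and skips `Crypto::verify`, which is fine as long as callers only pass the current user's id, as the session page does. Whether `Crypto::hash6()` produces the format `Crypto::verify()` expects is not visible in this hunk; `login()` presumably verifies the same column, so confirm the two agree. Nothing here invalidates the user's other active sessions after a password change; if the session layer supports that, this method is the natural place to trigger it. The `class User` body continues outside the hunk.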
+ {{lang_changePassword}}
@@ -79,6 +80,7 @@ {{/user}}
diff --git a/modules-available/session/page.inc.php b/modules-available/session/page.inc.php
index 853f20e4..0a6eac77 100644
--- a/modules-available/session/page.inc.php
+++ b/modules-available/session/page.inc.php
@@ -6,30 +6,63 @@ class Page_Session extends Page
 protected function doPreprocess()
 {
 User::load();
- if (Request::post('action') === 'login') {
+ $action = Request::post('action');
+ if ($action === 'login') {
 // Login - see if already logged in
 if (User::isLoggedIn()) // and then just redirect
- Util::redirect('?do=Main');
+ Util::redirect('?do=main');
 // Else, try to log in
 if (User::login(Request::post('user'), Request::post('pass')))
- Util::redirect('?do=Main');
+ Util::redirect('?do=main');
 // Login credentials wrong - delay and show error message
 sleep(1);
 Message::addError('loginfail');
 }
- if (Request::post('action') === 'logout') {
+ if ($action === 'logout') {
 // Log user out (or do nothing if not logged in)
 User::logout();
- Util::redirect('?do=Main');
+ Util::redirect('?do=main');
+ }
+ if ($action === 'changepw') {
+ if (!User::isLoggedIn()) {
+ Util::redirect('?do=main');
+ }
+ // Now check if the user supplied the corrent current password, and the new password twice
+ $old = Request::post('old', false, 'string');
+ $new = Request::post('newpass1', false, 'string');
+ if ($old === false || $new === false) {
+ Message::addError('main.empty-field');
+ Util::redirect('?do=session');
+ }
+ if (!User::testPassword(User::getId(), $old)) {
+ sleep(1);
+ Message::addError('wrong-password');
+ Util::redirect('?do=session');
+ }
+ if (strlen($new) < 4) {
+ Message::addError('pass-too-short');
+ Util::redirect('?do=session');
+ }
+ if ($new !== Request::post('newpass2', false, 'string')) {
+ Message::addError('adduser.password-mismatch');
+ Util::redirect('?do=session');
+ }
+ if (User::updatePassword($new)) {
+ Message::addSuccess('password-changed');
+ } else {
+ Message::addWarning('password-unchanged');
+ }
+ Util::redirect('?do=session');
 }
-
- if (User::isLoggedIn())
- Util::redirect('?do=Main');
 }
 
 protected function doRender()
 {
- Render::addTemplate('page-login');
+ if (User::isLoggedIn()) {
+ Render::addTemplate('change-password');
+ } else {
+ Render::addTemplate('page-login');
+ }
 }
 }
diff --git a/modules-available/session/style.css b/modules-available/session/style.css
new file mode 100644
index 00000000..f7800155
--- /dev/null
+++ b/modules-available/session/style.css
@@ -0,0 +1,43 @@
+.form-signin {
+ max-width: 330px;
+ padding: 15px;
+ margin: 0 auto;
+}
+
+.form-signin .form-signin-heading,
+.form-signin .checkbox {
+ margin-bottom: 10px;
+}
+
+.form-signin .checkbox {
+ font-weight: normal;
+}
+
+.form-signin .form-control {
+ position: relative;
+ font-size: 16px;
+ height: auto;
+ padding: 10px;
+ -webkit-box-sizing: border-box;
+ -moz-box-sizing: border-box;
+ box-sizing: border-box;
+}
+
+.form-signin input[type="text"],
+.form-signin input[type="password"] {
+ border-radius: 0;
+ margin-bottom: -1px;
+}
+
+.form-signin input[type="text"]:first-child,
+.form-signin input[type="password"]:first-child {
+ border-top-left-radius: 4px;
+ border-top-right-radius: 4px;
+}
+
+.form-signin input[type="text"]:last-child,
+.form-signin input[type="password"]:last-child {
+ margin-bottom: 10px;
+ border-bottom-left-radius: 4px;
+ border-bottom-right-radius: 4px;
+}
\ No newline at end of file
diff --git a/modules-available/session/templates/change-password.html b/modules-available/session/templates/change-password.html
new file mode 100644
index 00000000..70ab7b92
--- /dev/null
+++ b/modules-available/session/templates/change-password.html
@@ -0,0 +1,11 @@
+
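Review bot: `strlen($new) < 4` in the `changepw` branch counts bytes rather than characters, and four is a very low floor for a password; `if (mb_strlen($new) < 4) {` measures what the `pass-too-short` message implies, and the minimum itself deserves a second look. The comment above the checks reads `corrent` where `correct` is meant. The cheap validations (length, `newpass2` match) run only after the current-password check, which costs a database round-trip, a hash verification and a one-second `sleep(1)` on failure; moving the new-password checks ahead of `User::testPassword()` yields the same outcome with less wasted work. Every early exit in the branch relies on `Util::redirect()` not returning; that matches the existing `login` branch but cannot be verified from this hunk. The `class Page_Session` header is outside the hunk.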
+

{{lang_changePassword}}

+
+ + + +
+ + + +
\ No newline at end of file
diff --git a/modules-available/session/templates/page-login.html b/modules-available/session/templates/page-login.html
index 247e9a55..4be7232a 100644
--- a/modules-available/session/templates/page-login.html
+++ b/modules-available/session/templates/page-login.html
@@ -1,11 +1,10 @@

{{lang_enter}}

- - - +
+ + +
- {{lang_register}} + {{lang_register}}
\ No newline at end of file
diff --git a/style/default.css b/style/default.css
index 470af96e..40e40b5f 100644
--- a/style/default.css
+++ b/style/default.css
@@ -1,6 +1,6 @@
 html {
 overflow-y: scroll;
- height: 100%;
+ height: 100%;
 }
 
 body {
@@ -11,48 +11,25 @@ body {
 background-image: url('bg.png');
 }
 
-.form-signin {
- max-width: 330px;
- padding: 15px;
- margin: 0 auto;
-}
 .form-adduser {
- max-width: 600px;
- padding: 10px;
- margin: 0 auto;
+ max-width: 600px;
+ padding: 10px;
+ margin: 0 auto;
+}
+.form-adduser .form-control {
+ position: relative;
+ font-size: 16px;
+ height: auto;
+ padding: 10px;
+ -webkit-box-sizing: border-box;
+ -moz-box-sizing: border-box;
+ box-sizing: border-box;
 }
 .form-narrow {
 max-width: 320px;
 }
-.form-signin .form-signin-heading,
-.form-signin .checkbox {
- margin-bottom: 10px;
-}
-.form-signin .checkbox {
- font-weight: normal;
-}
-.form-signin .form-control,
-.form-adduser .form-control {
- position: relative;
- font-size: 16px;
- height: auto;
- padding: 10px;
- -webkit-box-sizing: border-box;
- -moz-box-sizing: border-box;
- box-sizing: border-box;
-}
 .form-control:focus {
- z-index: 2;
-}
-.form-signin input[type="text"] {
- margin-bottom: -1px;
- border-bottom-left-radius: 0;
- border-bottom-right-radius: 0;
-}
-.form-signin input[type="password"] {
- margin-bottom: 10px;
- border-top-left-radius: 0;
- border-top-right-radius: 0;
+ z-index: 2;
 }
 .slx-default,
 .slx-notebox {
-- 
cgit v1.2.3-55-g7522