sub change_password {
my($self, $access_user, $new_password) = @_;
+ # do nothing if the password is unchanged
+ return if $self->authenticate( $access_user, $new_password );
+
$self->change_password_fields( $access_user, $new_password );
$access_user->replace;
)
) {
#svc_acct was successful but this one returns an error? "shouldn't happen"
+ #don't recheck is_password_allowed here; if the svc_acct password was
+ #legal, that's good enough
$error ||= $contact->change_password($p->{'new_password'});
}
if ( $contact ) {
- my $error = $contact->change_password($p->{'new_password'});
+ my $error = $contact->is_password_allowed($p->{'new_password'})
+ || $contact->change_password($p->{'new_password'});
return { %$info, 'error' => $error }; # if $error;
$error = 'Password too long.'
if length($p->{'new_password'}) > ($conf->config('passwordmax') || 8);
+ $error ||= $contact->is_password_allowed($p->{'new_password'});
+
$error ||= $contact->change_password($p->{'new_password'});
return { 'error' => $error };
my $password = $self->_password;
my $auth;
- if ( $encoding eq 'bcrypt' or $encoding eq 'crypt' ) {
+ if ( $encoding eq 'bcrypt' ) {
+ # our format, used for contact and access_user passwords
+ my ($cost, $salt, $hash) = split(',', $password);
+ $auth = Authen::Passphrase::BlowfishCrypt->new(
+ cost => $cost,
+ salt_base64 => $salt,
+ hash_base64 => $hash,
+ );
+
+ } elsif ( $encoding eq 'crypt' ) {
# it's smart enough to figure this out
$auth = Authen::Passphrase->from_crypt($password);
package FS::access_user;
-use base qw( FS::m2m_Common FS::option_Common );
+use base qw( FS::Password_Mixin
+ FS::m2m_Common
+ FS::option_Common );
use strict;
use vars qw( $DEBUG $me );
}
$error = $self->SUPER::insert(@_);
+ if ( $self->_password ) {
+ $error ||= $self->insert_password_history;
+ }
if ( $error ) {
$dbh->rollback or die $dbh->errstr if $oldAutoCommit;
);
my $error = $new->SUPER::replace($old, @_);
+ if ( $old->_password ne $new->_password ) {
+ $error ||= $new->insert_password_history;
+ }
if ( $error ) {
$dbh->rollback or die $dbh->errstr if $oldAutoCommit;
=item change_password NEW_PASSWORD
+Changes the user's password to NEW_PASSWORD. This does not check password
+policy rules (see C<is_password_allowed>) and will return an error only if
+editing the user's record fails for some reason.
+
+If NEW_PASSWORD is the same as the existing password, this does nothing.
+
=cut
sub change_password {
package FS::contact;
-use base qw( FS::Record );
+use base qw( FS::Password_Mixin
+ FS::Record );
use strict;
use vars qw( $skip_fuzzyfiles );
}
+ my $error;
if ( $existing_contact ) {
$self->$_($existing_contact->$_())
for qw( contactnum _password _password_encoding );
- $self->SUPER::replace($existing_contact);
+ $error = $self->SUPER::replace($existing_contact);
} else {
- my $error = $self->SUPER::insert;
- if ( $error ) {
- $dbh->rollback if $oldAutoCommit;
- return $error;
- }
+ $error = $self->SUPER::insert;
}
+ $error ||= $self->insert_password_history;
+
+ if ( $error ) {
+ $dbh->rollback if $oldAutoCommit;
+ return $error;
+ }
+
my $cust_contact = '';
if ( $custnum ) {
my %hash = ( 'contactnum' => $self->contactnum,
}
my $error = $self->SUPER::replace($old);
+ if ( $old->_password ne $self->_password ) {
+ $error ||= $self->insert_password_history;
+ }
if ( $error ) {
$dbh->rollback if $oldAutoCommit;
return $error;
}
+=item change_password NEW_PASSWORD
+
+Changes the contact's selfservice access password to NEW_PASSWORD. This does
+not check password policy rules (see C<is_password_allowed>) and will return
+an error only if editing the record fails for some reason.
+
+If NEW_PASSWORD is the same as the existing password, this does nothing.
+
+=cut
+
sub change_password {
my($self, $new_password) = @_;
+ # do nothing if the password is unchanged
+ return if $self->authenticate_password($new_password);
+
$self->change_password_fields( $new_password );
$self->replace;
if ( length($cgi->param('_password')) ) {
my $password = scalar($cgi->param('_password'));
- $access_user->change_password_fields($password);
+ my $error = $access_user->is_password_allowed($password)
+ || $access_user->change_password($password);
}
}
% }
<%init>
+my $access_user = $FS::CurrentUser::CurrentUser;
+
if ( FS::Conf->new->exists('disable_acl_changes') ) {
errorpage("Preference changes disabled in public demo");
die "shouldn't be reached";
qw(_password new_password new_password2)
) {
- if ( $cgi->param('new_password') ne $cgi->param('new_password2') ) {
+ my $oldpass = $cgi->param('_password');
+ my $newpass = $cgi->param('new_password');
+
+ if ( $newpass ne $cgi->param('new_password2') ) {
$error = "New passwords don't match";
- } elsif ( ! length($cgi->param('new_password')) ) {
+ } elsif ( ! length($newpass) ) {
$error = 'No new password entered';
- } elsif ( ! FS::Auth->authenticate( $FS::CurrentUser::CurrentUser,
- scalar($cgi->param('_password')) )
- ) {
+ } elsif ( ! FS::Auth->authenticate( $access_user, $oldpass ) ) {
$error = 'Current password incorrect; password not changed';
} else {
- $error = $FS::CurrentUser::CurrentUser->change_password(
- scalar($cgi->param('new_password'))
- );
+ $error = $access_user->is_password_allowed($newpass)
+ || $access_user->change_password($newpass);
}
}
-my $access_user = $FS::CurrentUser::CurrentUser;
-
#well, if you got your password change wrong, you don't get anything else
#changed right now. but it should be sticky on the form
unless ( $error ) { # if ($access_user) {