17885da38bd883cbc4c415cacb3aa32c13c5759d chinhli Sun May 6 22:40:06 2012 -0700 Finished forcing user to change password.
diff --git src/hg/hgLogin/hgLogin.c src/hg/hgLogin/hgLogin.c
index c490c58..8f06ff8 100644
--- src/hg/hgLogin/hgLogin.c
+++ src/hg/hgLogin/hgLogin.c
@@ -508,31 +508,31 @@
 "\n" "</div><!-- END - changePwBox -->" "\n" ); cartSaveSession(cart); } void changePassword(struct sqlConnection *conn) /* process the change password form */ { char query[256]; char *user = cartUsualString(cart, "hgLogin_userName", ""); char *currentPassword = cartUsualString(cart, "hgLogin_password", ""); char *newPassword1 = cartUsualString(cart, "hgLogin_newPassword1", ""); char *newPassword2 = cartUsualString(cart, "hgLogin_newPassword2", ""); - +char *changeRequired = cartUsualString(cart, "hgLogin_changeRequired", ""); if (!user || sameString(user,"")) { freez(&errMsg); errMsg = cloneString("Username cannot be blank."); changePasswordPage(conn); return; } if (!currentPassword || sameString(currentPassword,"")) { freez(&errMsg); errMsg = cloneString("Current password cannot be blank."); changePasswordPage(conn); return; } 
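Review bot: `changeRequired` is read with `cartUsualString`, the same path that delivers the form-submitted `hgLogin_userName` and `hgLogin_password` values here, so the branch in the @@ -545 hunk that authenticates against `gbMembers.newPassword` instead of `password` is selected by a value the client can submit. Whether a user is in the reset flow should be decided from the database column `passwordChangeRequired`, which `usingNewPassword()` in the @@ -890 hunk already reads, rather than from `hgLogin_changeRequired`; e.g. `boolean changeRequired = usingNewPassword(conn, user);` once the blank-username check has passed, keeping the cart key only for page flow. changePassword() continues past the end of this hunk.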
@@ -545,45 +545,64 @@ } if (!newPassword2 || sameString(newPassword2,"") ) { freez(&errMsg); errMsg = cloneString("Re-enter New Password field cannot be blank."); changePasswordPage(conn); return; } if (newPassword1 && newPassword2 && !sameString(newPassword1, newPassword2)) { freez(&errMsg); errMsg = cloneString("New passwords do not match."); changePasswordPage(conn); return; } -/* check username existence first */ +/* check username existence and is user using a new password */ +char *password; +if (changeRequired && sameString(changeRequired, "YES")) +{ +safef(query,sizeof(query), "select newPassword from gbMembers where userName='%s'", user); +password = sqlQuickString(conn, query); +if ((!password) || (password && !checkPwd(currentPassword,password))) + { + freez(&errMsg); + errMsg = cloneString("Invalid user name or password. (changePwd YES)"); + char temp[4256]; + safef(temp, sizeof(temp),"currentPWD: %s passwd: %s", currentPassword,password); + hPrintf("<P>\n%s\n</P>", temp); + if (checkPwd(currentPassword,password)) hPrintf("<P> Password match!! </P>"); + else hPrintf("<P> Password does NOT match!! </P>"); + changePasswordPage(conn); + return; + } +} else { safef(query,sizeof(query), "select password from gbMembers where userName='%s'", user); -char *password = sqlQuickString(conn, query); +password = sqlQuickString(conn, query); if ((!password) || (password && !checkPwd(currentPassword,password))) { freez(&errMsg); - errMsg = cloneString("Invalid user name or password."); + errMsg = cloneString("Invalid user name or password. 
(changePwd No)"); changePasswordPage(conn); return; } - +} char encPwd[45] = ""; encryptNewPwd(newPassword1, encPwd, sizeof(encPwd)); safef(query,sizeof(query), "update gbMembers set password='%s' where userName='%s'", sqlEscapeString(encPwd), sqlEscapeString(user)); sqlUpdate(conn, query); +clearNewPasswordFields(conn, user); hPrintf ( "<h2>UCSC Genome Browser</h2>" "<p align=\"left\">" "</p>" "<h3>Password has been changed.</h3>" ); backToDoLoginPage(2); cartRemove(cart, "hgLogin_password"); cartRemove(cart, "hgLogin_newPassword1"); cartRemove(cart, "hgLogin_newPassword2"); } 
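Review bot: The debugging block inside the `changeRequired` branch writes the submitted password and the stored `newPassword` value into the HTML response (`safef(temp, ..., "currentPWD: %s passwd: %s", currentPassword, password)` followed by `hPrintf`, plus the "Password match!!" / "does NOT match!!" lines), and the `(changePwd YES)` / `(changePwd No)` suffixes on the error messages reveal which branch ran; all of it should be removed before this ships, restoring the single `errMsg = cloneString("Invalid user name or password.");` in both branches. The new `select newPassword from gbMembers where userName='%s'` query interpolates `user` unescaped while the `update` a few lines below escapes it with `sqlEscapeString(user)`; use the escaped form in both selects: `safef(query, sizeof(query), "select newPassword from gbMembers where userName='%s'", sqlEscapeString(user));`. The branch never consults `newPasswordExpire` (a column the @@ -890 hunk clears), so a temporary password apparently stays usable until it is explicitly cleared — worth confirming against the intended reset policy. changePassword() begins in the previous hunk.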
@@ -890,33 +909,53 @@ displayAccHelpPage(conn); return; } } lostPassword(conn, username); //sendNewPassword(conn, username, password); return; } // cartRemove(cart, "hgLogin_helpWith"); // cartRemove(cart, "hgLogin_email"); // cartRemove(cart, "hgLogin_userName"); displayAccHelpPage(conn); return; } +void clearNewPasswordFields(struct sqlConnection *conn, char *username) +/* clear the newPassword fields */ +{ +char query[256]; +safef(query,sizeof(query), "update gbMembers set lastUse=NOW(),newPassword='', newPasswordExpire='', passwordChangeRequired='N' where userName='%s'", +sqlEscapeString(username)); +sqlUpdate(conn, query); +cartRemove(cart, "hgLogin_changeRequired"); +return; +} /* ----- account login/display functions ---- */ - +boolean usingNewPassword(struct sqlConnection *conn, char *userName) +/* The user is using requested new password */ +{ +char query[256]; +safef(query,sizeof(query), "select passwordChangeRequired from gbMembers where userName='%s'", userName); +char *change = sqlQuickString(conn, query); +if (change || sameString(change, "Y")) + return TRUE; +else + return FALSE; +} void displayLoginPage(struct sqlConnection *conn) /* draw the account login page */ { char *username = cartUsualString(cart, "hgLogin_userName", ""); /* for password security, use cgi hash instead of cart */ // char *password = cgiUsualString("hgLogin_password", ""); hPrintf( "<div id=\"loginBox\" class=\"centeredContainer formBox\">" "\n" "<h2>UCSC Genome Browser</h2>" "\n" "<h3>Login</h3>" "\n" 
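Review bot: `if (change || sameString(change, "Y"))` in `usingNewPassword()` is inverted: any non-NULL result, including `N`, returns TRUE, and a NULL result (no such user) passes NULL into `sameString`; it should be `change != NULL && sameString(change, "Y")`. Both new queries interpolate the user name into SQL, but only `clearNewPasswordFields()` escapes it with `sqlEscapeString`; `usingNewPassword()` should do the same and should free the `sqlQuickString` result it currently drops. `clearNewPasswordFields()` is called from `changePassword()` earlier in the file (the @@ -545 hunk) but defined here, so unless a prototype exists above that call relies on an implicit declaration. Setting `newPasswordExpire=''` looks suspect if that column is a date type — confirm against the gbMembers schema.
```c
boolean usingNewPassword(struct sqlConnection *conn, char *userName)
/* Return TRUE only when gbMembers.passwordChangeRequired is 'Y' for userName. */
{
char query[256];
safef(query, sizeof(query), "select passwordChangeRequired from gbMembers where userName='%s'",
      sqlEscapeString(userName));
char *change = sqlQuickString(conn, query);
/* NULL means no such row; anything other than 'Y' means no reset is pending */
boolean required = (change != NULL && sameString(change, "Y"));
freez(&change);
return required;
}
```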
@@ -995,36 +1034,41 @@ errMsg = cloneString(temp); displayLoginPage(conn); return; } struct gbMembers *m = gbMembersLoad(row); sqlFreeResult(&sr); /* TODO: check user name exist and activated */ /* ..... */ if (checkPwd(password,m->password)) { unsigned int userID=m->idx; hPrintf("<h2>Login successful for user %s with id %d.\n</h2>\n" ,userName,userID); + clearNewPasswordFields(conn, userName); displayLoginSuccess(userName,userID); return; + } else if (usingNewPassword(conn, userName)) + { + cartSetString(cart, "hgLogin_changeRequired", "YES"); + changePasswordPage(conn); } else { - errMsg = cloneString("Invalid user name or password."); + errMsg = cloneString("Invalid user name or password. (login)"); displayLoginPage(conn); return; } gbMembersFree(&m); } /******* END dispalyLogin *************************/ void displayLoginSuccess(char *userName, int userID) /* display login success msg, and set cookie */ { // char *hgLoginHost = wikiLinkHost(); hPrintf(
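Review bot: The `else if (usingNewPassword(conn, userName))` branch sends the user to the change-password page as soon as `passwordChangeRequired` is set, without checking that the submitted `password` is the issued temporary one, so a failed login for such a user produces a visibly different response from `"Invalid user name or password."`, and the `"(login)"` suffix added to that message is debugging text that should be dropped. If the loaded `gbMembers` row exposes the `newPassword` column, test it before setting the flag, e.g. `else if (usingNewPassword(conn, userName) && checkPwd(password, m->newPassword))`; otherwise keep the failure response identical for both cases. This branch also falls through to `gbMembersFree(&m)` while the neighbouring branches `return` before it, which reads as accidental — an explicit `return;` after the free, or a comment saying the fall-through is intended, would make that clear. The enclosing function starts before this hunk.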