dc1ea9157234ff28748d2f231ef8d7ff647be146
chinhli
  Wed Jun 20 10:13:10 2012 -0700
Bug #8294 Check that the generated new password is correct before letting the user log in and change password.
diff --git src/hg/hgLogin/hgLogin.c src/hg/hgLogin/hgLogin.c
index 7cb67d2..781768a 100644
--- src/hg/hgLogin/hgLogin.c
+++ src/hg/hgLogin/hgLogin.c
@@ -1012,37 +1012,39 @@
         if (!password)
             {
             freez(&errMsg);
             errMsg = cloneString("Username not found.");
             displayAccHelpPage(conn);
             return;
             }
         }
     lostPassword(conn, username);
     return;
     }
 displayAccHelpPage(conn);
 return;
 }
 
-boolean usingNewPassword(struct sqlConnection *conn, char *userName)
+boolean usingNewPassword(struct sqlConnection *conn, char *userName, char *password)
 /* The user is using  requested new password */
 {
 char query[256];
 safef(query,sizeof(query), "select passwordChangeRequired from gbMembers where userName='%s'", userName);
 char *change = sqlQuickString(conn, query);
-if (change && sameString(change, "Y"))
+safef(query,sizeof(query), "select newPassword from gbMembers where userName='%s'", userName);
+char *newPassword = sqlQuickString(conn, query);
+if (change && sameString(change, "Y") && checkPwd(password, newPassword))
     return TRUE;
 else
     return FALSE;
 }
 
 char *getCookieDomainName()
 /* Return domain name to be used by the cookies or NULL. Allocd here.   */
 /* Return central.domain if returnToURL is also in the same domain.     */
 /* else return the domain in returnTo URL generated by remote hgSession.*/
 {
 char *centralDomain=cloneString(cfgOption(CFG_CENTRAL_DOMAIN));
 char *returnURL = getReturnToURL();
 char returnToDomain[256];
 
 /* parse the URL */
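Review bot: The new condition `if (change && sameString(change, "Y") && checkPwd(password, newPassword))` hands newPassword to checkPwd without a NULL check, and as I read sqlQuickString it returns NULL when no row matches or the column is NULL (the success path in the login handler calls clearNewPasswordFields, so the column can plausibly be empty while the flag is still set — confirm against that helper). Both query results are also never freed on either return; the original leaked `change` as well, but the second allocation doubles that on a per-login path, so folding the result into a local and releasing both with freez before returning fixes both points. The header comment `/* The user is using  requested new password */` should name the new parameter, e.g. `/* TRUE when a password change is pending for userName and password matches the stored newPassword. */`. The added query repeats the unescaped `%s` interpolation of userName that the surrounding code uses; whatever escaping convention the file applies elsewhere to form-supplied names should apply to this line too.
```c
char *newPassword = sqlQuickString(conn, query);
/* newPassword may be NULL (no row, or column cleared); never pass that to checkPwd */
boolean pending = (change != NULL && sameString(change, "Y")
                   && newPassword != NULL && checkPwd(password, newPassword));
freez(&change);
freez(&newPassword);
return pending;
```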
@@ -1121,31 +1123,31 @@
     {              
     freez(&errMsg);
     errMsg = cloneString("Account is not activated.");
     displayLoginPage(conn);
     return;
     }
 if (checkPwd(password,m->password))
     {
     unsigned int userID=m->idx;  
     hPrintf("<h2>Login successful for user %s with id %d.\n</h2>\n"
         ,userName,userID);
     clearNewPasswordFields(conn, userName);
     displayLoginSuccess(userName,userID);
     return;
     } 
-else if (usingNewPassword(conn, userName))
+else if (usingNewPassword(conn, userName, password))
     {
     cartSetString(cart, "hgLogin_changeRequired", "YES");
     changePasswordPage(conn);
     } 
 else
     {
     errMsg = cloneString("Invalid user name or password.");
     displayLoginPage(conn);
     return;
     }
 gbMembersFree(&m);
 }
 
 void  displayLogoutSuccess()
 /* display logout success msg, and reset cookie */