let users change their password william nilliam

2025-05-28 04:43:49 +03:00
parent 1e5e2a2c27
commit aa49d8e4b9
3 changed files with 51 additions and 3 deletions
--- a/apps/users.lua
+++ b/apps/users.lua
@@ -116,6 +116,11 @@ app:post("user_delete", "/:username/delete", function(self)
    return {redirect_to = self:url_for("user", {username = self.params.username})}
  end
  
+  if me:is_admin() then
+    util.inject_err_infobox("You can not delete the admin account!")
+    return {redirect_to = self:url_for("user", {username = self.params.username})}
+  end
+  
  if not authenticate_user(target_user, self.params.password) then
    util.inject_err_infobox(self, "The password you entered is incorrect.")
    return {redirect_to = self:url_for("user_delete_confirm", {username = me.username})}
@@ -199,6 +204,35 @@ app:post("user_set_avatar", "/:username/set_avatar", function(self)
  return {redirect_to = self:url_for("user_settings", {username = self.params.username})}
 end)

+app:post("user_change_password", "/:username/new_password", function(self)
+  local me = util.get_logged_in_user(self)
+  if not me then
+    return {redirect_to = self:url_for("user_settings", {username = self.params.username})}
+  end
+  local target_user = Users:find({username = self.params.username})
+  if me.id ~= target_user.id then
+    return {redirect_to = self:url_for("user", {username = self.params.username})}
+  end
+  local password = self.params.new_password
+  local password2 = self.params.new_password2
+  if not validate_password(password) then
+    util.inject_err_infobox(self, "Password must be 10+ chars with: 1 uppercase, 1 lowercase, 1 number, 1 special char, and no spaces.")
+    return {redirect_to = self:url_for("user_settings", {username = self.params.username})}
+  end
+  
+  if password ~= password2 then
+    util.inject_err_infobox(self, "Passwords do not match.")
+    return {redirect_to = self:url_for("user_settings", {username = self.params.username})}
+  end
+  
+  me:update({
+    password_hash = auth.digest(password)
+  })
+  util.extend_session_cookie(self)
+  util.inject_infobox(self, "Password updated.")
+  return {redirect_to = self:url_for("user_settings", {username = self.params.username})}
+end)
+
 app:get("user_settings", "/:username/settings", function(self)
  local me = util.get_logged_in_user(self)
  if me == nil then
@@ -345,6 +379,7 @@ app:post("user_logout", "/logout", function (self)

  local session = Sessions:find({key = self.session.session_key})
  session:delete()
+  self.session = nil
  return {redirect_to = self:url_for("user_login")}
 end)

--- a/util.lua
+++ b/util.lua
@@ -165,6 +165,10 @@ end

 -- OTHER API

+function util.extend_session_cookie(req)
+  req.session.last_activity = os.time()
+end
+
 function util.validate_and_create_image(input_image, filename)
  local img = magick.load_image_from_blob(input_image)

--- a/views/user/settings.etlua
+++ b/views/user/settings.etlua
@@ -21,7 +21,16 @@
    <% render("views.common.babycode-editor-component", {ta_name = "signature", prefill = me.signature_original_markup, ta_placeholder = "Will be shown under each of your posts", optional = true}) %>
    <input type="submit" value="Save settings">
  </form>
-  <div>
-  <a class="linkbutton critical" href="<%= url_for("user_delete_confirm", {username = me.username}) %>">Delete account</a>
-  </div>
+  <form method="post" action="<%= url_for("user_change_password", {username = me.username}) %>">
+    <label for="new_password">Change password</label><br>
+    <input type="password" id="new_password" name="new_password" pattern="(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[\W_])(?!.*\s).{10,}" title="10+ chars with: 1 uppercase, 1 lowercase, 1 number, 1 special char, and no spaces" required autocomplete="new-password"><br>
+    <label for="new_password2">Confirm new password</label><br>
+    <input type="password" id="new_password2" name="new_password2" pattern="(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[\W_])(?!.*\s).{10,}" title="10+ chars with: 1 uppercase, 1 lowercase, 1 number, 1 special char, and no spaces" required autocomplete="new-password"><br>
+    <input class="warn" type="submit" value="Change password">
+  </form>
+  <% if not me:is_admin() then %>
+    <div>
+      <a class="linkbutton critical" href="<%= url_for("user_delete_confirm", {username = me.username}) %>">Delete account</a>
+    </div>
+  <% end %>
 </div>