authorColin Okay <okay@toyful.space>2022-02-28 15:53:12 -0600
committerColin Okay <okay@toyful.space>2022-02-28 15:53:12 -0600
commit10723dd63fd328e7764bd2386a7665240c6074ae (patch)
treeae4ced0981e51d1749101413c357c2873e331b73
parent1c3e5923390a381e07acd6a725c04419a443e085 (diff)
password change requires current password
-rw-r--r--src/main.lisp13
1 files changed, 12 insertions, 1 deletions
diff --git a/src/main.lisp b/src/main.lisp
index 2c00512..5dde475 100644
--- a/src/main.lisp
+++ b/src/main.lisp
@@ -608,26 +608,35 @@ started, this will allow remote live debugging of the system.
(and (stringp signature)
(<= (length signature) +oneliner-brief-max-length+)))
-
+(defun is-current-password-p (contributor pw)
+ (with-slots (salt hashed-pw) contributor
+ (equal hashed-pw (pw-hash pw salt))))
;;; ENDPOINT DEFINITIONS
(defendpoint* :get "/contributor/:who a-contributor-by-handle:" () ()
+ "Return a [contributor](#contributor) data object."
(to-json who))
(defendpoint* :put "/contributor/:who a-contributor-by-handle:/locked" ((value a-boolean)
(token an-api-token))
+ "Admin users may lock a particular contributor, preventing that
+contributor for making edits or adding new oneliners."
(:auth 'admin-only)
(set-contributor-locked who value)
"true")
(defendpoint* :put "/contributor/:who a-contributor-by-handle:/password" ((value a-string)
(repeated a-string)
+ (current a-string)
(token an-api-token))
(:auth t)
+ "Change a contributor's password."
(unless (or (eq who (api-contributor token))
(adminp (api-contributor token)))
(http-err 403 "Cannot change that password."))
+ (unless (is-current-password-p who current)
+ (http-err 400 "The old password is incorrect."))
(unless (equalp value repeated)
(http-err 400 "The two passwords do not match."))
(update-password who value)
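Review bot: The new check `(unless (is-current-password-p who current) …)` verifies the target contributor's password, not the caller's, so an admin changing someone else's password (which the 403 guard just above still permits) must now supply that contributor's current password; if admin resets are meant to keep working, gate the check on the non-admin path, e.g. `(unless (or (adminp (api-contributor token)) (is-current-password-p who current)) (http-err 400 "The old password is incorrect."))`. `is-current-password-p` also has no docstring; `"True when PW hashed with CONTRIBUTOR's SALT equals its stored HASHED-PW."` would state the contract, and a brief note that `equal` short-circuits on the first differing element would record that the comparison is not constant-time (whether that matters depends on what `pw-hash` returns, which is not visible here). The password endpoint's form appears to continue past the hunk's last visible line.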
@@ -635,6 +644,7 @@ started, this will allow remote live debugging of the system.
(defendpoint* :put "/contributor/:who a-contributor-by-handle:/signature" ((token an-api-token))
(:auth t)
+ "Update a [contributor's](#contributor) signature."
(unless (or (eq who (api-contributor token))
(adminp (api-contributor token)))
(http-err 403))
@@ -674,6 +684,7 @@ started, this will allow remote live debugging of the system.
(or (eq requesting-contributor target-contributor)
(adminp requesting-contributor)))
+;TODO: Might rewrite this to be by user-name
(defendpoint* :delete "/access/:access an-api-token:" ((token an-api-token))
(:auth t)
"Revoke access of CONTRIBUTOR"