diff options
| author | Colin Okay <okay@toyful.space> | 2022-02-28 15:53:12 -0600 |
|---|---|---|
| committer | Colin Okay <okay@toyful.space> | 2022-02-28 15:53:12 -0600 |
| commit | 10723dd63fd328e7764bd2386a7665240c6074ae (patch) | |
| tree | ae4ced0981e51d1749101413c357c2873e331b73 | |
| parent | 1c3e5923390a381e07acd6a725c04419a443e085 (diff) | |
password change requires current password
| -rw-r--r-- | src/main.lisp | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/src/main.lisp b/src/main.lisp index 2c00512..5dde475 100644 --- a/src/main.lisp +++ b/src/main.lisp @@ -608,26 +608,35 @@ started, this will allow remote live debugging of the system. (and (stringp signature) (<= (length signature) +oneliner-brief-max-length+))) - +(defun is-current-password-p (contributor pw) + (with-slots (salt hashed-pw) contributor + (equal hashed-pw (pw-hash pw salt)))) ;;; ENDPOINT DEFINITIONS (defendpoint* :get "/contributor/:who a-contributor-by-handle:" () () + "Return a [contributor](#contributor) data object." (to-json who)) (defendpoint* :put "/contributor/:who a-contributor-by-handle:/locked" ((value a-boolean) (token an-api-token)) + "Admin users may lock a particular contributor, preventing that +contributor for making edits or adding new oneliners." (:auth 'admin-only) (set-contributor-locked who value) "true") (defendpoint* :put "/contributor/:who a-contributor-by-handle:/password" ((value a-string) (repeated a-string) + (current a-string) (token an-api-token)) (:auth t) + "Change a contributor's password." (unless (or (eq who (api-contributor token)) (adminp (api-contributor token))) (http-err 403 "Cannot change that password.")) + (unless (is-current-password-p who current) + (http-err 400 "The old password is incorrect.")) (unless (equalp value repeated) (http-err 400 "The two passwords do not match.")) (update-password who value) @@ -635,6 +644,7 @@ started, this will allow remote live debugging of the system. (defendpoint* :put "/contributor/:who a-contributor-by-handle:/signature" ((token an-api-token)) (:auth t) + "Update a [contributor's](#contributor) signature." (unless (or (eq who (api-contributor token)) (adminp (api-contributor token))) (http-err 403)) @@ -674,6 +684,7 @@ started, this will allow remote live debugging of the system. (or (eq requesting-contributor target-contributor) (adminp requesting-contributor))) +;TODO: Might rewrite this to be by user-name (defendpoint* :delete "/access/:access an-api-token:" ((token an-api-token)) (:auth t) "Revoke access of CONTRIBUTOR" |