From 10723dd63fd328e7764bd2386a7665240c6074ae Mon Sep 17 00:00:00 2001
From: Colin Okay
Date: Mon, 28 Feb 2022 15:53:12 -0600
Subject: password change requires current password
---
 src/main.lisp | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/main.lisp b/src/main.lisp
index 2c00512..5dde475 100644
--- a/src/main.lisp
+++ b/src/main.lisp
@@ -608,26 +608,35 @@ started, this will allow remote live debugging of the system.
 (and (stringp signature)
 (<= (length signature) +oneliner-brief-max-length+)))
-
+(defun is-current-password-p (contributor pw)
+ (with-slots (salt hashed-pw) contributor
+ (equal hashed-pw (pw-hash pw salt))))
 ;;; ENDPOINT DEFINITIONS
 (defendpoint* :get "/contributor/:who a-contributor-by-handle:" () ()
+ "Return a [contributor](#contributor) data object."
 (to-json who))
 (defendpoint* :put "/contributor/:who a-contributor-by-handle:/locked"
 ((value a-boolean) (token an-api-token))
+ "Admin users may lock a particular contributor, preventing that
+contributor for making edits or adding new oneliners."
 (:auth 'admin-only)
 (set-contributor-locked who value)
 "true")
 (defendpoint* :put "/contributor/:who a-contributor-by-handle:/password"
 ((value a-string) (repeated a-string)
+ (current a-string)
 (token an-api-token))
 (:auth t)
+ "Change a contributor's password."
 (unless (or (eq who (api-contributor token))
 (adminp (api-contributor token)))
 (http-err 403 "Cannot change that password."))
+ (unless (is-current-password-p who current)
+ (http-err 400 "The old password is incorrect."))
 (unless (equalp value repeated)
 (http-err 400 "The two passwords do not match."))
 (update-password who value)
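Review bot: `is-current-password-p` decides the check with `equal`, which stops at the first differing character, so the time taken to compare the stored hash with `(pw-hash pw salt)` varies with the length of the matching prefix; a length check followed by a comparison that always visits every character removes that dependence, and because `equal` compares non-string vectors by identity, the helper should also state in a docstring that it expects string hashes (what `pw-hash` returns is not visible in this hunk). The new guard runs for every caller, including an admin acting on another contributor, so an admin reset now needs the target's current password, which looks unintended next to the admin branch of the 403 check just above; if admin resets should keep working, skip the check when `(adminp (api-contributor token))` holds and `who` is someone else, or require the admin's own password there instead. Minor: the `/locked` docstring should read `preventing that contributor from making edits`, and the `/password` docstring is placed after `(:auth t)` while the `/locked` one precedes it. The `/password` endpoint body continues past the end of the hunk.
```lisp
(defun is-current-password-p (contributor pw)
  "True when PW hashes to CONTRIBUTOR's stored hash.
Assumes HASHED-PW and the value returned by PW-HASH are strings of equal
length; the comparison inspects every character so its duration does not
depend on where the first mismatch occurs."
  (with-slots (salt hashed-pw) contributor
    (let ((candidate (pw-hash pw salt)))
      (and (= (length hashed-pw) (length candidate))
           (zerop (loop for a across hashed-pw
                        for b across candidate
                        sum (logxor (char-code a) (char-code b))))))))
```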
@@ -635,6 +644,7 @@ started, this will allow remote live debugging of the system.
 (defendpoint* :put "/contributor/:who a-contributor-by-handle:/signature"
 ((token an-api-token))
 (:auth t)
+ "Update a [contributor's](#contributor) signature."
 (unless (or (eq who (api-contributor token))
 (adminp (api-contributor token)))
 (http-err 403))
@@ -674,6 +684,7 @@ started, this will allow remote live debugging of the system.
 (or (eq requesting-contributor target-contributor)
 (adminp requesting-contributor)))
+;TODO: Might rewrite this to be by user-name
 (defendpoint* :delete "/access/:access an-api-token:"
 ((token an-api-token))
 (:auth t)
 "Revoke access of CONTRIBUTOR"
-- 
cgit v1.2.3