mirror of
https://github.com/Jermolene/TiddlyWiki5
synced 2025-01-27 01:14:44 +00:00
c7531e53ab
* mws authentication * add more tests and permission checkers * add logic to ensure that only authenticated users' requests are handled * add custom login page * Implement user authentication as well as session handling * work on user operations authorization * add middleware to route handlers for bags & tiddlers routes * add feature that only returns the tiddlers and bags which the user has permission to access on index page * refactor auth routes & added user management page * fix Ci Test failure issue * fix users list page, add manage roles page * add commands and scripts to create new user & assign roles and permissions * resolved ci-test failure * add ACL permissions to bags & tiddlers on creation * fix comments and access control list bug * fix indentation issues * working on user profile edit * remove list users command & added support for database in server options * implement user profile update and password change feature * update plugin readme * implement command which triggers protected mode on the server * revert server-wide auth flag. Implement selective authorization * ACL management feature * Complete Access control list implementation * Added support to manage users' assigned role by admin * fix comments * fix comment * Add user profile management and account deletion functionality
69 lines
2.1 KiB
JavaScript
69 lines
2.1 KiB
JavaScript
/*\
|
|
title: $:/plugins/tiddlywiki/multiwikiserver/routes/handlers/change-password.js
|
|
type: application/javascript
|
|
module-type: mws-route
|
|
|
|
POST /change-user-password
|
|
|
|
\*/
|
|
(function () {
|
|
|
|
/*jslint node: true, browser: true */
|
|
/*global $tw: false */
|
|
"use strict";
|
|
var authenticator = require("$:/plugins/tiddlywiki/multiwikiserver/auth/authentication.js").Authenticator;
|
|
|
|
exports.method = "POST";
|
|
|
|
exports.path = /^\/change-user-password\/?$/;
|
|
|
|
exports.bodyFormat = "www-form-urlencoded";
|
|
|
|
exports.csrfDisable = true;
|
|
|
|
exports.handler = function (request, response, state) {
|
|
if(!state.authenticatedUser) {
|
|
response.writeHead(401, "Unauthorized", { "Content-Type": "text/plain" });
|
|
response.end("Unauthorized");
|
|
return;
|
|
}
|
|
var auth = authenticator(state.server.sqlTiddlerDatabase);
|
|
|
|
var userId = state.data.userId;
|
|
var newPassword = state.data.newPassword;
|
|
var confirmPassword = state.data.confirmPassword;
|
|
var currentUserId = state.authenticatedUser.user_id;
|
|
|
|
var hasPermission = ($tw.utils.parseInt(userId, 10) === currentUserId) || state.authenticatedUser.isAdmin;
|
|
|
|
if(!hasPermission) {
|
|
response.writeHead(403, "Forbidden", { "Content-Type": "text/plain" });
|
|
response.end("Forbidden");
|
|
return;
|
|
}
|
|
|
|
if(newPassword !== confirmPassword) {
|
|
response.setHeader("Set-Cookie", "flashMessage=New passwords do not match; Path=/; HttpOnly; Max-Age=5");
|
|
response.writeHead(302, { "Location": "/admin/users/" + userId });
|
|
response.end();
|
|
return;
|
|
}
|
|
|
|
var userData = state.server.sqlTiddlerDatabase.getUser(userId);
|
|
|
|
if(!userData) {
|
|
response.setHeader("Set-Cookie", "flashMessage=User not found; Path=/; HttpOnly; Max-Age=5");
|
|
response.writeHead(302, { "Location": "/admin/users/" + userId });
|
|
response.end();
|
|
return;
|
|
}
|
|
|
|
var newHash = auth.hashPassword(newPassword);
|
|
var result = state.server.sqlTiddlerDatabase.updateUserPassword(userId, newHash);
|
|
|
|
response.setHeader("Set-Cookie", `flashMessage=${result.message}; Path=/; HttpOnly; Max-Age=5`);
|
|
response.writeHead(302, { "Location": "/admin/users/" + userId });
|
|
response.end();
|
|
};
|
|
|
|
}()); |