what I mean is... if user email is error prone (or potentially malicious), I
would act "as if" I were creating a new user record by cloning the existing
record, changing the email address...

Then you would not need to get "clever" in your code - you could simply
create a field for this operation in the user table, and do this:  leave old
login active until new one authorizes (replies);  set a special flag in new
linking authentication to old record, and upon authentication, enable new
record, disable (lock) old.   Then all you have to worry about is if somehow
comes back to an old email address - but that is a good way to catch faulty
behavior...

anyway, this is what I meant when I said I don't know if I'd go about it the
way you are....

Regards,
- Yarko

On Tue, Jun 30, 2009 at 2:12 PM, Yarko Tymciurak <yark...@gmail.com> wrote:

> I'm not sure if the way you are going about it is the way I would do it...
>
> .... but for what you are trying to do, suggest you look at gluon/tools.py
> at Auth.login_bare()  for some ideas...
>
>
> On Tue, Jun 30, 2009 at 1:51 PM, Yannick <ytchatch...@gmail.com> wrote:
>
>>
>> Hello Yarko,
>> Thanks for the note but you didn't really understand the problem, I do
>> know about the decorator and use it on my app. My application has a
>> functionality that allows users to change their email (the email they
>> provide during the registration process) and to do so they have to provide
>> their password so I can verify the password before changing the email,
>> since changing the email is a sensitive process...
>> I wanted to know how to verify the password since the password is saved
>> as an encrypted string...
>> Here is what I did in my action class:
>>
>> ....
>>     users = auth.db((db.auth_user.id == session.auth.user.id) &
>>                     (db.auth_user.oldemail == request.vars.oldemail)).select()
>>     if users:
>>         user = users[0]
>>         if user['password'] != request.vars.get('password', ''):
>>             pass  # the password is not valid, don't update the email
>>         else:
>>             # password is valid, update the email
>>             db(db.auth_user.id == session.auth.user.id).update(email=request.vars.newEmail)
>>  ....
>>
>> This password verification is not working and I was wondering how I can
>> make it work... I think it's a very small thing that I'm missing...
>>
>> Thanks again,
>> Yannick P.
>>
>> On Jun 30, 11:36 am, Yarko Tymciurak <yark...@gmail.com> wrote:
>> > All you should have to do is add an authorization decorator to your
>> > function, e.g.:
>> >
>> > @auth.requires_login()
>> > def my_user_email_updater():
>> >     # your stuff here
>> >     return dict()
>> >
>> > Look at the Authorization section in
>> > http://www.web2py.com/examples/default/tools
>> >
>> > On Tue, Jun 30, 2009 at 7:16 AM, Hans Donner <hans.don...@pobox.com>
>> wrote:
>> >
>> > > I think you should more look at how the login checks the password, and
>> > > not try to decrypt the password.
>> >
>> > > On Tue, Jun 30, 2009 at 2:05 PM, Yannick<ytchatch...@gmail.com>
>> wrote:
>> >
>> > > > Hello mate,
>> > > > In my application I have this functionality that allows the users to
>> > > > change their email address and in order to do so they need to provide
>> > > > their password for authentication....
>> > > > Since the password is encrypted in the DB... How can I decrypt it for
>> > > > verification?
>> > > > Here is my controller:
>> >
>> > > > @auth.requires_login()
>> > > > def changeEmail():
>> > > >     current_email = auth.db(db.auth_user.id == session.auth.user.id).select()[0].email
>> > > >
>> > > >     from gluon.sqlhtml import form_factory
>> > > >     chgEmailform = form_factory(
>> > > >         SQLField('email', label='Old Email', requires=IS_NOT_EMPTY(), default="%s" % current_email),
>> > > >         SQLField('newEmail', label='New email', requires=IS_NOT_EMPTY(), default=''),
>> > > >         SQLField('password', label='password', requires=CRYPT(), type='password'),)
>> > > >
>> > > >     if chgEmailform.accepts(request.vars, session, keepvalues=True, formname='email'):
>> > > >         users = auth.db((db.auth_user.id == session.auth.user.id) &
>> > > >                         (db.auth_user.email == request.vars.email)).select()
>> > > >         print users
>> > > >
>> > > >         if users:
>> > > >             user = users[0]
>> > > >             if user['password'] != request.vars.get('password', ''):
>> > > >                 session.flash = 'Password not valid Please Try again'
>> > > >             else:
>> > > >                 db(db.auth_user.id == session.auth.user.id).update(email=request.vars.newEmail)
>> > > >
>> > > >     return dict(form=chgEmailform)
>> >
>> > > > Thanks for your help,
>> >
>> > > > Cheers,
>> > > > Yannick P.
>> >>
>>
>
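Added example for the two points raised in the thread; this is not code from the thread and not web2py's own code. In web2py the reason the posted check never succeeds is that `requires=CRYPT()` makes `form.accepts` store the validator's output (the hash) in `chgEmailform.vars.password`, while `request.vars.password` is still the plaintext the user typed, so the controller compares a hash with a plaintext and always takes the "not valid" branch; the direct fix there is to compare `user.password` with `chgEmailform.vars.password` (with the same CRYPT settings as `auth_user.password`). The block below shows the general technique without gluon: `hash_password()` is an assumed stand-in for the CRYPT() transform (web2py's actual digest and salting depend on the version; see gluon/validators.py), a plain dict stands in for the `db.auth_user` row, `check_as_posted()` reproduces the broken comparison, `verify_password()` re-hashes the candidate and compares, and `request_email_change()` / `confirm_email_change()` implement the two-phase change Yarko describes (old address stays active until the new one confirms), simplified to pending fields on the same row rather than a cloned record.

```python
# Added example; not code from the thread and not web2py's own code.
# Assumptions (labelled): a plain dict stands in for a db.auth_user row,
# and hash_password() stands in for the one-way transform that the
# CRYPT() validator applies (the exact digest and salting web2py uses
# depend on the version; see gluon/validators.py). The technique does
# not depend on the digest: never try to decrypt the stored value,
# re-hash the candidate the same way and compare the two hashes.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SALT_BYTES = 16


def hash_password(plain: str, salt: str) -> str:
    """One-way transform standing in for CRYPT(); the salt is per user."""
    return hashlib.sha256((salt + plain).encode("utf-8")).hexdigest()


def check_as_posted(stored_hash: str, submitted_plaintext: str) -> bool:
    """The comparison from the posted controller: stored hash against the
    raw request.vars value. It is False for every real password, which is
    why the check 'did not work'."""
    return stored_hash == submitted_plaintext


def verify_password(stored_hash: str, salt: str, candidate: str) -> bool:
    """Correct check: hash the candidate identically, compare in constant
    time so response timing does not leak how many leading bytes match."""
    return hmac.compare_digest(stored_hash, hash_password(candidate, salt))


def make_user(user_id: int, email: str, plain_password: str) -> Dict:
    """Constructed sample row; the plaintext is hashed on the way in."""
    salt = secrets.token_hex(SALT_BYTES)
    return {
        "id": user_id,
        "email": email,
        "salt": salt,
        "password": hash_password(plain_password, salt),
        "pending_email": None,
        "pending_token": None,
    }


def request_email_change(user: Dict, candidate_password: str,
                         new_email: str) -> Optional[str]:
    """Step 1 of the two-phase change: require the password, park the new
    address as pending, keep the old address (and login) active. Returns
    the confirmation token to send to new_email, or None on a bad password.
    The token is what the message to the new address carries back."""
    if not verify_password(user["password"], user["salt"], candidate_password):
        return None
    token = secrets.token_urlsafe(32)
    user["pending_email"] = new_email
    user["pending_token"] = token
    return token


def confirm_email_change(user: Dict, token: str) -> bool:
    """Step 2: the link mailed to the new address comes back with the token;
    only then does the new address replace the old one. A guessed token is
    rejected, and a confirmed change clears the pending state so the same
    token cannot be replayed."""
    pending = user["pending_token"]
    if pending is None or not hmac.compare_digest(pending, token):
        return False
    user["email"] = user["pending_email"]
    user["pending_email"] = None
    user["pending_token"] = None
    return True


if __name__ == "__main__":
    row = make_user(1, "old@example.com", "correct horse")
    print("posted comparison:", check_as_posted(row["password"], "correct horse"))
    print("re-hash and compare:", verify_password(row["password"], row["salt"], "correct horse"))
    tok = request_email_change(row, "correct horse", "new@example.com")
    print("still old address until confirmed:", row["email"])
    print("confirmed:", confirm_email_change(row, tok), "->", row["email"])
```

The confirmation token is the only thing that moves the address, so a wrong password, a mistyped or hostile new address, or a token that never comes back all leave the old record untouched; that is the "catch faulty behavior" property of the scheme in the thread.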

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"web2py Web Framework" group.
To post to this group, send email to web2py@googlegroups.com
To unsubscribe from this group, send email to 
web2py+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/web2py?hl=en
-~----------~----~----~----~------~----~------~--~---
