author | Jonathan Prykop <jonathan@freeside.biz> | 2015-12-02 05:02:17 -0600 |
committer | Jonathan Prykop <jonathan@freeside.biz> | 2015-12-14 20:22:09 -0600 |
commit | 8cd6e05d5d906da6b001b36bab5aa87ecdfca944 (patch) | |
tree | 4ad1a33fa011bc8a5b84bea69b9afebb6bd5d110 /FS/FS/ClientAPI | |
parent | 4ff9a50fe7f35179314967d71ae66b696ab006c5 (diff) |
RT#29354: Password Security in Email [xmlhttp validation for selfservice]
Diffstat (limited to 'FS/FS/ClientAPI')
-rw-r--r-- | FS/FS/ClientAPI/MyAccount.pm | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/FS/FS/ClientAPI/MyAccount.pm b/FS/FS/ClientAPI/MyAccount.pm
index 9847e5f..33a8e61 100644
--- a/FS/FS/ClientAPI/MyAccount.pm
+++ b/FS/FS/ClientAPI/MyAccount.pm
@@ -3308,6 +3308,45 @@ sub process_reset_passwd {
 }
+sub validate_passwd {
+ my $p = shift;
+
+ my %result;
+ %result = ( 'fieldid' => $p->{'fieldid'} )
+ if $p->{'fieldid'} =~ /^\w+$/;
+
+ return { %result, 'password_invalid' => 'Enter new password' }
+ unless length($p->{'check_password'});
+
+ my $svc_acct;
+ if ($p->{'svcnum'}) {
+ # false laziness with myaccount_passwd
+ my($context, $session, $custnum) = _custoragent_session_custnum($p);
+ return { %result, 'error' => $session } if $context eq 'error';
+
+ $custnum =~ /^(\d+)$/ or die "illegal custnum";
+ my $search = " AND custnum = $1";
+ $search .= " AND agentnum = ". $session->{'agentnum'} if $context eq 'agent';
+
+ $svc_acct = qsearchs( {
+ 'table' => 'svc_acct',
+ 'addl_from' => 'LEFT JOIN cust_svc USING ( svcnum ) '.
+ 'LEFT JOIN cust_pkg USING ( pkgnum ) '.
+ 'LEFT JOIN cust_main USING ( custnum ) ',
+ 'hashref' => { 'svcnum' => $p->{'svcnum'}, },
+ 'extra_sql' => $search, #important
+ } )
+ or return { %result, 'error' => "Service not found" };
+ # end false laziness
+ }
+
+ $svc_acct ||= new FS::svc_acct {};
+
+ my $error = $svc_acct->is_password_allowed($p->{'check_password'});
+ return { %result, 'password_invalid' => $error } if $error;
+ return { %result, 'password_valid' => 1 };
+}
+ sub list_tickets {
+ my $p = shift;
+ my($context, $session, $custnum) = _custoragent_session_custnum($p);
|
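Review bot: The `fieldid` guard in validate_passwd, `if $p->{'fieldid'} =~ /^\w+$/;`, warns on an undefined fieldid and, because `$` also matches before a trailing newline, lets a value like "foo\n" through to be echoed back in the result; `if defined $p->{'fieldid'} && $p->{'fieldid'} =~ /^\w+\z/;` keeps the intent and closes both gaps. Further down, `$svc_acct ||= new FS::svc_acct {};` is indirect object syntax, which Perl can misparse depending on what is in scope; `$svc_acct ||= FS::svc_acct->new({});` is the unambiguous form. Note also that when no svcnum is supplied the session/custnum check is skipped entirely and the password is checked against an empty svc_acct, so any account-specific rules is_password_allowed applies to a real service (presumably comparisons against the username) cannot run on that path; a comment above `my $svc_acct;` stating that the svcnum-less path is meant for not-yet-created accounts and is unauthenticated by design would make that explicit for the next reader.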