diff options
author | Jonathan Prykop <jonathan@freeside.biz> | 2015-11-21 01:54:21 -0600 |
---|---|---|
committer | Jonathan Prykop <jonathan@freeside.biz> | 2015-12-14 20:21:41 -0600 |
commit | 32b783795ee3a39752fc72f2c861eac8cdb6d12a (patch) | |
tree | 9fca89413ee5aceca3ad6b8a547dea3da37a3f4d /httemplate/misc | |
parent | a2d1bca6d13c6760f2c7c2de677da4df3f9e5c3e (diff) |
RT#29354: Password Security in Email
Diffstat (limited to 'httemplate/misc')
-rw-r--r-- | httemplate/misc/xmlhttp-validate_password.html | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/httemplate/misc/xmlhttp-validate_password.html b/httemplate/misc/xmlhttp-validate_password.html new file mode 100644 index 000000000..28dbf6460 --- /dev/null +++ b/httemplate/misc/xmlhttp-validate_password.html @@ -0,0 +1,50 @@ +<%doc> +Requires cgi params 'password' (plaintext) and 'sub' ('validate_password' is only +acceptable value.) Also accepts 'svcnum' (for svc_acct, will otherwise create an +empty dummy svc_acct) and 'fieldid' (for html post-processing, passed along in +results for convenience.) + +Returns a json-encoded hashref with keys of 'valid' (set to 1 if object is valid), +'error' (error text if password is invalid) or 'syserror' (error text if password +could not be validated.) Only one of these keys will be set. Will also set +'fieldid' if it was passed. +</%doc> + +<% encode_json($result) %> + +<%init> + +my $validate_password = sub { + my %arg = $cgi->param('arg'); + my %result; + + $result{'fieldid'} = $arg{'fieldid'} + if $arg{'fieldid'} =~ /^\w+$/; + + $result{'syserror'} = 'Request is not POST' unless $cgi->request_method eq 'POST'; + return \%result if $result{'syserror'}; + + my $password = $arg{'password'}; + $result{'syserror'} = 'Invoked without password' unless $password; + return \%result if $result{'syserror'}; + + my $svcnum = $arg{'svcnum'}; + $result{'syserror'} = 'Invalid svcnum' unless $svcnum =~ /^\d*$/; + return \%result if $result{'syserror'}; + + my $svc_acct = $svcnum + ? qsearchs('svc_acct',{'svcnum' => $svcnum}) + : (new FS::svc_acct {}); + $result{'syserror'} = 'Could not find service' unless $svc_acct; + return \%result if $result{'syserror'}; + + $result{'error'} = $svc_acct->is_password_allowed($password); + $result{'valid'} = 1 unless $result{'error'}; + return \%result; +}; + +my $result = ($cgi->param('sub') eq 'validate_password') + ? &$validate_password() + : { 'syserror' => 'Invalid sub' }; + +</%init> |