From c27e5d3d34d01e9584580ce09e71d29c895b8d49 Mon Sep 17 00:00:00 2001
From: Marian Sigler
Date: Wed, 26 Sep 2012 20:06:25 +0200
Subject: Fix password change; Don't require old password for settings changes
---
 app.py | 5 ++++-
 forms.py | 2 --
 templates/settings.html | 1 -
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app.py b/app.py
index 518be05..7c2a1cf 100644
--- a/app.py
+++ b/app.py
@@ -52,6 +52,7 @@ def index():
 @logout_required
 def register():
 #TODO: check for double uids
+ #TODO: check for double mails
 form = RegisterForm(request.form)
 if request.method == 'POST' and form.validate():
 username = form.username.data
@@ -164,6 +165,7 @@ def settings():
 if request.form.get('submit_main'):
 if form.mail.data and form.mail.data != g.user.mail:
+ #TODO: check for uniqueness
 confirm_token = make_confirmation('change_mail', (g.user.uid, form.mail.data))
 confirm_link = url_for('change_mail', token=confirm_token, _external=True)
@@ -179,7 +181,7 @@ def settings():
 changed = True
 if form.password.data:
- g.user.change_password(form.password.data, session['password'])
+ g.user.change_password(form.password.data, decrypt_password(session['password']))
 session['password'] = encrypt_password(form.password.data)
 flash(u'Passwort geändert', 'success')
@@ -211,6 +213,7 @@ def settings():
 @app.route('/settings/change_mail/')
 @login_required
 def change_mail(token):
+ #TODO: check for uniqueness
 username, mail = http_verify_confirmation('change_mail', token.encode('ascii'), timeout=3*24*60*60)
 if g.user.uid != username:
diff --git a/forms.py b/forms.py
index ff54449..a58f98b 100644
--- a/forms.py
+++ b/forms.py
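Review bot: In the `settings()` hunk at `@@ -179,7 +181,7 @@`, the old password handed to `g.user.change_password` now comes from `decrypt_password(session['password'])`, and the same commit drops `old_password` from `SettingsForm`, so nothing the requester types proves knowledge of the current password. Anyone holding a live session (an unattended browser, for instance) can then set a new password, where the form previously required the old one; whether the form is CSRF-protected cannot be seen from here. I would keep `old_password` as an optional field and demand it only on this branch, e.g. `if form.old_password.data != decrypt_password(session['password']):` followed by an error flash and no call to `change_password`. The body of `settings()` starts and ends outside the hunk, so a guard elsewhere in it would change this assessment.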
@@ -38,8 +38,6 @@ class LostPasswordForm(Form):
 class SettingsForm(Form):
- old_password = PasswordField('Bisheriges Passwort',
- [validators.Required(u'Bitte gib dein (altes) Passwort an, um deine Daten zu ändern.')])
 password = PasswordField('Neues Passwort', [validators.Optional(), validators.EqualTo('password_confirm', message=u'Passwörter stimmen nicht überein')])
 password_confirm = PasswordField(u'Passwort bestätigen')
diff --git a/templates/settings.html b/templates/settings.html
index de317fb..064e5af 100644
--- a/templates/settings.html
+++ b/templates/settings.html
@@ -3,7 +3,6 @@ {%- set title = 'Einstellungen' %} {%- block content %}
- {{ render_field(form.old_password, autofocus="autofocus") }}

Globale Einstellungen ändern

{{ render_field(form.mail) }} {{ render_field(form.password) }} -- cgit v1.2.3-1-g7c22