Diffstat (limited to 'lib/CatDap/Controller/user.pm')
-rw-r--r--lib/CatDap/Controller/user.pm47
1 files changed, 31 insertions, 16 deletions
diff --git a/lib/CatDap/Controller/user.pm b/lib/CatDap/Controller/user.pm
index e2ce800..f0220f2 100644
--- a/lib/CatDap/Controller/user.pm
+++ b/lib/CatDap/Controller/user.pm
@@ -47,8 +47,6 @@ it (we need to handle failure to decrypt it better)
sub auto : Private {
my ( $self, $c ) = @_;
- $c->log->info("Request path is currently: " . $c->req->path);
- $c->log->info(Dumper($c->req->path));
if ($c->req->path eq 'user/firstlogin') {
return 1;
}
@@ -56,9 +54,16 @@ sub auto : Private {
my $password;
my $mesg;
my $dn;
+ my @errors;
my $keyprefix = sprintf("%02x%02x%02x",split /\./,$c->req->address);
- if (! defined $c->user) {
- $c->log->info("No session, logging user in");
+ if (! defined $c->user or not $c->req->cookie('key')) {
+ if (not $c->req->param('password')) {
+ push @errors,$c->loc('Your session has expired');
+ $c->stash(template => 'index.tt',errors => \@errors);
+ $c->detach;
+ }
+
+ $c->log->debug("No session, logging user in");
if (! $c->authenticate({ username => $c->req->param('username'),
password => $c->req->param('password') || $c->req->param('key')}) ) {
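Review bot: The `|| $c->req->param('key')` fallback on the password line is now unreachable on this path, because the guard added above (`if (not $c->req->param('password'))`) detaches before `authenticate` runs whenever `password` is empty; either drop the fallback or move the guard so a key-based login can still reach it. The 'Your session has expired' message is also shown to a visitor who never had a session (`$c->user` undefined and no password posted), so consider a neutral `$c->loc('Please log in')` there, or branch on `defined $c->user`. Since the presence of the `key` cookie now decides whether the session is trusted, the cookie should carry `httponly => 1` and `secure => 1` where `$c->res->cookies->{'key'}` is assigned (outside this hunk). The body of auto continues outside the hunk.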
@@ -74,7 +79,7 @@ sub auto : Private {
# $c->res->redirect('/user');
#}
#$c->persist_user;
- $c->log->info('Logging user in to LDAP');
+ $c->log->debug('Logging user in to LDAP');
my $ug = Data::UUID->new;
my $key = $ug->create_str();
@@ -96,7 +101,7 @@ sub auto : Private {
-cipher => 'Blowfish'
) or die $!;
$password = $cipher->decrypt($c->session->{enc_password});
- $c->log->info("Re-authenticating user " . $c->user->username);
+ $c->log->debug("Re-authenticating user " . $c->user->username);
$c->authenticate({username => $c->user->username,password => $password});
$c->res->cookies->{'key'} = {value => $key, expires => '+10m'};
@@ -131,7 +136,7 @@ sub index :Path :Args(0) {
my $user = $c->user->username;
my $entry;
- $c->log->info("Searching for user $user");
+ $c->log->debug("Searching for user $user");
$mesg = $c->model('User')->search("(&(objectclass=inetOrgPerson)(uid=$user))");
$entry = $mesg->entry;
my %mods;
@@ -157,9 +162,9 @@ sub index :Path :Args(0) {
}
$mesg = $c->model('User')->search("(&(objectclass=inetOrgPerson)(uid=$user))");
- $c->log->info($mesg->error) if $mesg->code;
+ $c->log->debug($mesg->error) if $mesg->code;
$entry = $mesg->entry;
- $c->log->info($mesg->error) if $mesg->code;
+ $c->log->debug($mesg->error) if $mesg->code;
my @values;
my @attributes = $entry->attributes;
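Review bot: Downgrading the two `$c->log->debug($mesg->error) if $mesg->code;` lines from info to debug hides LDAP search failures in production; they run only when the search returned an error code, so they belong at `$c->log->error($mesg->error) if $mesg->code;` (or warn), not debug. The following `$entry = $mesg->entry` and `$entry->attributes` are not guarded against a failed search returning no entry, so the request would presumably die on an undefined `$entry` rather than with the logged LDAP error; `if ($mesg->code) { $c->log->error($mesg->error); $c->detach; }` would make that explicit. The same info→debug change on the 'Searching for user' lines in the other hunks is fine, as those are not error paths. index's body continues outside the hunk.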
@@ -217,7 +222,7 @@ sub add : Local {
$attr = $c->req->param('attribute');
$value = $c->req->param('value');
$user = $c->user->username;
- $c->log->info("Searching for user $user");
+ $c->log->debug("Searching for user $user");
$mesg = $c->model('User')->search("(&(objectclass=inetOrgPerson)(uid=$user))");
$entry = $mesg->entry;
$entry->add( $attr => $value);
@@ -232,7 +237,7 @@ sub delete : Local : Args(2) {
my ( $self, $c, $attrname,$attrvalue) = @_;
my ($mesg,$entry,$user);
$user = $c->user->username;
- $c->log->info("Searching for user $user");
+ $c->log->debug("Searching for user $user");
$mesg = $c->model('User')->search("(&(objectclass=inetOrgPerson)(uid=$user))");
$entry = $mesg->entry;
$c->log->info("Deleting $attrname = $attrvalue from user $user");
@@ -253,14 +258,24 @@ sub password : Local {
$c->detach;
}
+ # Re-authenticate to check the user has the right password
+ if (not $c->authenticate({
+ 'username' => $c->user->username,
+ 'password' => $c->req->param('password'),
+ })
+ ) {
+ $c->stash(errors => [ $c->loc('Password incorrect') ]);
+ $c->detach;
+ }
if ($c->req->param('newpassword1') eq $c->req->param('newpassword2')) {
$newpass = $c->req->param('newpassword1');
} else {
- push @{${$c->stash}{'errors'}},"New passwords dont match";
+ push @{${$c->stash}{'errors'}},$c->loc('New passwords dont match');
+ $c->detach;
}
my $pp = Net::LDAP::Control::PasswordPolicy->new;
$mesg = $c->model('User')->set_password(
- oldpasswd => $c->req->param('password'),
+ #oldpasswd => $c->req->param('password'),
newpasswd => $newpass,
control => [ $pp ],
);
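Review bot: Nothing in the new checks rejects an empty new password: if both `newpassword1` and `newpassword2` are empty or missing, the `eq` comparison treats them as equal (with an uninitialized-value warning when missing) and `set_password` is called with an empty `newpasswd`; add `if (not length($c->req->param('newpassword1') // '')) { push @{ $c->stash->{errors} }, $c->loc('New password must not be empty'); $c->detach; }` before the comparison. The re-authentication branch writes `$c->stash(errors => [ ... ])`, which replaces any errors already stashed, while the branch below pushes onto `@{${$c->stash}{'errors'}}`; use one form in both places. Unless the check that ends just before this hunk already does so, also reject an undefined or empty `password` before passing it to `authenticate`, since an empty simple bind is treated as anonymous by some LDAP servers (presumably the realm/store guards this, but it is not visible here). Commenting out `oldpasswd` drops the server-side old-password verification that a password-policy control may rely on; if the re-bind is intended to replace it, delete the line rather than leaving it commented. password's body continues outside the hunk.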
@@ -278,7 +293,7 @@ sub password : Local {
) or die $!;
$c->session->{enc_password} = $cipher->encrypt($newpass);
push @{${$c->stash}{'errors'}},"Password change succeeded";
- $c->res->redirect('/user');
+ #$c->res->redirect('/user');
}
}
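Review bot: The redirect is commented out rather than removed; delete the dead line and record the intent instead, e.g. `# Render in place so the stashed message is shown (a redirect would drop the stash)`. With the redirect gone, the 'Password change succeeded' string above is still pushed onto the `errors` array, so the template will presumably present a success as an error; a separate stash key such as `messages` would be clearer (the template is not visible here). Whether the enclosing sub ends at the last line of this hunk cannot be told from the context shown.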
@@ -386,8 +401,8 @@ sub gensubpages : Private {
my ($type) = @_;
my @subpagenames;
@subpagenames = (
- { page => './', title => "Edit"},
- { page => 'password', title => "Change password"},
+ { page => './', title => 'Edit'},
+ { page => 'password', title => 'Change password'},
);
return \@subpagenames;
}