Fossil SCM
/json/user/save now implies/forces forceLogout=true when renaming, since renaming invalidates any active auth token. Renamed a confusing variable.
Commit
42c2a327e235da6ddb0ca3a9836d5e9e1f45da28
Parent
0c234bdd0a64c13…
1 file changed
+10
-4
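--- a/src/json_user.c
+++ b/src/json_user.c
@@ -148,11 +148,11 @@
 **
 */
 int json_user_update_from_json( cson_object const * pUser ){
 #define CSTR(X) cson_string_cstr(cson_value_get_string( cson_object_get(pUser, X ) ))
 char const * zName = CSTR("name");
-char const * zNameOrig = zName;
+char const * zNameNew = zName;
 char * zNameFree = NULL;
 char const * zInfo = CSTR("info");
 char const * zCap = CSTR("capabilities");
 char const * zPW = CSTR("password");
 cson_value const * forceLogout = cson_object_get(pUser, "forceLogout");
@@ -216,19 +216,25 @@
 blob_append(&sql, " mtime=cast(strftime('%s') AS INTEGER)", -1);
 
 if((uid>0) && zName){
 /* Only change the name if the uid is explicitly set and name
 would actually change. */
-if( zNameOrig && (zName != zNameOrig)
-&& (0!=strcmp(zNameOrig,zName))){
+if( zNameNew && (zName != zNameNew)
+&& (0!=strcmp(zNameNew,zName))){
 if(!g.perm.Admin && !g.perm.Setup) {
 json_set_err( FSL_JSON_E_DENIED,
 "Modifying user names requires 'a' or 's' privileges.");
 goto error;
 }
 }
-blob_appendf(&sql, ", login=%Q", zNameOrig);
+forceLogout = cson_value_true()
+/* reminders: 1) does not allocate.
+2) we do this because changing a name
+invalidates any login token because the old name
+is part of the token hash.
+*/;
+blob_appendf(&sql, ", login=%Q", zNameNew);
 ++gotFields;
 }
 
 if( zCap ){
 blob_appendf(&sql, ", cap=%Q", zCap);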
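Review bot: The added `forceLogout = cson_value_true()` sits after the closing brace of the "name would actually change" test, so as far as these lines show it runs whenever `uid>0 && zName` holds, not only on a rename. If the lines hidden between the two hunks leave that outer condition true for ordinary updates, every save that carries a uid would drop the user's session and silently override a caller's explicit `forceLogout` value. Moving the assignment inside the `if( zNameNew && (zName != zNameNew) ...)` block, after the permission check, as a plain `forceLogout = cson_value_true();` with the explanatory comment on the line above, would match the stated intent; the comment wedged between the call and the `;` is also easy to misread. The function begins before and continues past this hunk, so whether the `login=%Q` write needs the same guard should be checked against the full body.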
| --- src/json_user.c | |
| +++ src/json_user.c | |
| @@ -148,11 +148,11 @@ | |
| 148 | ** |
| 149 | */ |
| 150 | int json_user_update_from_json( cson_object const * pUser ){ |
| 151 | #define CSTR(X) cson_string_cstr(cson_value_get_string( cson_object_get(pUser, X ) )) |
| 152 | char const * zName = CSTR("name"); |
| 153 | char const * zNameOrig = zName; |
| 154 | char * zNameFree = NULL; |
| 155 | char const * zInfo = CSTR("info"); |
| 156 | char const * zCap = CSTR("capabilities"); |
| 157 | char const * zPW = CSTR("password"); |
| 158 | cson_value const * forceLogout = cson_object_get(pUser, "forceLogout"); |
| @@ -216,19 +216,25 @@ | |
| 216 | blob_append(&sql, " mtime=cast(strftime('%s') AS INTEGER)", -1); |
| 217 | |
| 218 | if((uid>0) && zName){ |
| 219 | /* Only change the name if the uid is explicitly set and name |
| 220 | would actually change. */ |
| 221 | if( zNameOrig && (zName != zNameOrig) |
| 222 | && (0!=strcmp(zNameOrig,zName))){ |
| 223 | if(!g.perm.Admin && !g.perm.Setup) { |
| 224 | json_set_err( FSL_JSON_E_DENIED, |
| 225 | "Modifying user names requires 'a' or 's' privileges."); |
| 226 | goto error; |
| 227 | } |
| 228 | } |
| 229 | blob_appendf(&sql, ", login=%Q", zNameOrig); |
| 230 | ++gotFields; |
| 231 | } |
| 232 | |
| 233 | if( zCap ){ |
| 234 | blob_appendf(&sql, ", cap=%Q", zCap); |
| 235 |
| --- src/json_user.c | |
| +++ src/json_user.c | |
| @@ -148,11 +148,11 @@ | |
| 148 | ** |
| 149 | */ |
| 150 | int json_user_update_from_json( cson_object const * pUser ){ |
| 151 | #define CSTR(X) cson_string_cstr(cson_value_get_string( cson_object_get(pUser, X ) )) |
| 152 | char const * zName = CSTR("name"); |
| 153 | char const * zNameNew = zName; |
| 154 | char * zNameFree = NULL; |
| 155 | char const * zInfo = CSTR("info"); |
| 156 | char const * zCap = CSTR("capabilities"); |
| 157 | char const * zPW = CSTR("password"); |
| 158 | cson_value const * forceLogout = cson_object_get(pUser, "forceLogout"); |
| @@ -216,19 +216,25 @@ | |
| 216 | blob_append(&sql, " mtime=cast(strftime('%s') AS INTEGER)", -1); |
| 217 | |
| 218 | if((uid>0) && zName){ |
| 219 | /* Only change the name if the uid is explicitly set and name |
| 220 | would actually change. */ |
| 221 | if( zNameNew && (zName != zNameNew) |
| 222 | && (0!=strcmp(zNameNew,zName))){ |
| 223 | if(!g.perm.Admin && !g.perm.Setup) { |
| 224 | json_set_err( FSL_JSON_E_DENIED, |
| 225 | "Modifying user names requires 'a' or 's' privileges."); |
| 226 | goto error; |
| 227 | } |
| 228 | } |
| 229 | forceLogout = cson_value_true() |
| 230 | /* reminders: 1) does not allocate. |
| 231 | 2) we do this because changing a name |
| 232 | invalidates any login token because the old name |
| 233 | is part of the token hash. |
| 234 | */; |
| 235 | blob_appendf(&sql, ", login=%Q", zNameNew); |
| 236 | ++gotFields; |
| 237 | } |
| 238 | |
| 239 | if( zCap ){ |
| 240 | blob_appendf(&sql, ", cap=%Q", zCap); |
| 241 |