From 398858c34b33151f8bc4360b6274cb16cd024abc Mon Sep 17 00:00:00 2001
From: David Hoppenbrouwers
Date: Sun, 9 Oct 2022 14:22:38 +0200
Subject: [PATCH] Implement password change

---
 db/sqlite.py | 18 ++++++++++++++++++
 main.py | 20 ++++++++++++++++++++
 templates/user_edit.html | 10 +++++++++-
 3 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/db/sqlite.py b/db/sqlite.py
index ecce394..f37317b 100644
--- a/db/sqlite.py
+++ b/db/sqlite.py
@@ -135,6 +135,24 @@ class DB:
 (username,)
 ).fetchone()
 
+ def get_user_password_by_id(self, user_id):
+ return self._db().execute('''
+ select password
+ from users
+ where user_id = ?
+ ''',
+ (user_id,)
+ ).fetchone()
+
+ def set_user_password(self, user_id, password):
+ return self.change_one('''
+ update users
+ set password = ?
+ where user_id = ?
+ ''',
+ (password, user_id)
+ )
+
 def get_user_public_info(self, user_id):
 return self._db().execute('''
 select name, about
diff --git a/main.py b/main.py
index 78e109e..95e3fd4 100644
--- a/main.py
+++ b/main.py
@@ -134,6 +134,26 @@ def user_edit():
 about = about
 )
 
+@app.route('/user/edit/password/', methods = ['POST'])
+def user_edit_password():
+ user_id = session.get('user_id')
+ if user_id is None:
+ return redirect(url_for('login'))
+
+ new = request.form['new']
+ if len(new) < 8:
+ flash('New password must be at least 8 characters long', 'error')
+ else:
+ hash, = db.get_user_password_by_id(user_id)
+ if verify_password(request.form['old'], hash):
+ if db.set_user_password(user_id, hash_password(new)):
+ flash('Updated password', 'success')
+ else:
+ flash('Failed to update password', 'error')
+ else:
+ flash('Old password does not match', 'error')
+ return redirect(url_for('user_edit'))
+
 @app.route('/user//')
 def user_info(user_id):
 name, about = db.get_user_public_info(user_id)
diff --git a/templates/user_edit.html b/templates/user_edit.html
index 3ab7193..7101861 100644
--- a/templates/user_edit.html
+++ b/templates/user_edit.html
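Review bot: `set_user_password` writes its `password` argument to the column unchanged and neither new method has a docstring, so the rule that this column holds a hash and never plaintext exists only in the caller in main.py. I would add `"""Store an already-hashed password for user_id; callers must never pass plaintext."""` to the setter and `"""Return a 1-tuple holding the stored password hash, or None when no row matches user_id."""` to `get_user_password_by_id`, since it returns `fetchone()` directly. What `change_one` returns is defined outside this hunk; main.py treats it as a success flag, and the docstring should confirm that.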
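Review bot: `hash, = db.get_user_password_by_id(user_id)` unpacks the result of `fetchone()`, which is None when the session's `user_id` no longer matches a row (for example a removed account whose cookie is still valid), so the request ends in a TypeError instead of sending the user to the login page. Fetch the row first and guard it, `row = db.get_user_password_by_id(user_id)` followed by `if row is None: return redirect(url_for('login'))`; calling the value `stored_hash` would also stop it shadowing the builtin `hash`. Separately, nothing in this handler ends the account's other sessions after a successful change, so a session that was already taken over would presumably stay usable; how sessions are issued is not visible here, so confirm whether they can be revoked at this point. Failed old-password attempts are also not throttled in the visible code, and a limit on them would be worth adding alongside the login limit if one exists.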
@@ -7,7 +7,15 @@ Username{{ user.name }} ID{{ user.id }} About - + +
+
+ + + +
Old password
New password
+ +
{% endblock %}