From 1a4ced47cf8ef13d28ad3795850dd7ea39b6373e Mon Sep 17 00:00:00 2001 From: konrad Date: Mon, 10 Aug 2009 19:38:42 +0000 Subject: [PATCH] move response status into header enable change of own password git-svn-id: https://silmor.de/svn/softmagic/smoke/trunk@330 6e3c4bff-ac9f-4ac1-96c5-d2ea494d3e33 --- src/overview.cpp | 24 ++++++++----------- src/wbase/WTransaction.cpp | 6 +++++ src/wbase/WTransaction.h | 2 +- wob/user.wolf | 1 + woc/phpout.cpp | 1 - woc/qtout.cpp | 7 ++--- www/inc/machine/session.php | 51 +++++++++++++---------------------------- www/inc/wbase/transaction.php | 28 +--------------------- 8 files changed, 39 insertions(+), 81 deletions(-) diff --git a/src/overview.cpp b/src/overview.cpp index cd538e8..9c78545 100644 --- a/src/overview.cpp +++ b/src/overview.cpp @@ -381,13 +381,12 @@ MOverview::MOverview(QString pk) void MOverview::updateEvents() { - QListevl; - try{ - evl=req->queryGetAllEvents().getevents(); - }catch(WException e){ - qDebug("Error getting all events (%s): %s",e.component().toAscii().data(),e.error().toAscii().data()); + MTGetAllEvents gae=req->queryGetAllEvents(); + if(gae.stage()!=gae.Success){ + qDebug("Error getting all events (%s): %s",gae.errorType().toAscii().data(),gae.errorString().toAscii().data()); return; } + QListevl=gae.getevents(); eventmodel->clear(); eventmodel->insertColumns(0,6); eventmodel->setHorizontalHeaderLabels(QStringList()<changeMyPassword(pc.oldPassword(),pc.newPassword()); - if(e!="") - QMessageBox::warning(this,tr("Warning"),tr("Error setting password: %1").arg(e)); - }*/ + MTChangeMyPassword cmp=MTChangeMyPassword::query(pc.oldPassword(),pc.newPassword()); + if(cmp.hasError()) + QMessageBox::warning(this,tr("Warning"),tr("Error setting password: %1").arg(cmp.errorString())); + } } void MOverview::setUserPassword() {/*TODO 
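Review bot: `MTChangeMyPassword::query(pc.oldPassword(),pc.newPassword())` in the change-password handler passes both passwords to the transaction layer, and `WTransaction::executeQuery` (context lines of this same patch) writes `esc(data)` into the request log whenever the log level is above `WInterface::LogMinimal`. If the passwords are serialised into the request body, which is not visible here, they end up in the debug log in clear text. Consider masking or skipping the body for this transaction before the request log string is built, or at least add a comment there such as `// NOTE: body may contain credentials (ChangeMyPassword); do not enable above LogMinimal in production`. The handler's opening lines are missing from the visible text of this hunk.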
@@ -1549,10 +1548,7 @@ void MOverview::doBackup() int gens=set.value("backupgenerations",3).toInt(); //get data MTBackup bc; - try{bc=MTBackup::query();}catch(WException e){ - QMessageBox::warning(this,tr("Warning"),tr("Error while executing backup (%1): %2").arg(e.component()).arg(e.error())); - return; - } + bc=MTBackup::query(); if(bc.stage()!=bc.Success){ QMessageBox::warning(this,tr("Warning"),tr("Backup failed with error (%2): %1").arg(bc.errorString()).arg(bc.errorType())); return; diff --git a/src/wbase/WTransaction.cpp b/src/wbase/WTransaction.cpp index 099b26a..a153a00 100644 --- a/src/wbase/WTransaction.cpp +++ b/src/wbase/WTransaction.cpp @@ -113,12 +113,16 @@ QByteArray WTransaction::executeQuery(QString hreq,QByteArray data) if(loglvl>WInterface::LogMinimal) log=QString("Request %3 with header:\n%1\n\nRequest Body:\n%2\n<---->\n").arg(hrh.toString()).arg(esc(data)).arg(m_httpid); qDebug("started req %i",m_httpid); + + ///////////////////////////////////////////////////////////////////// //start loop QTimer tmr; tmr.setSingleShot(true);tmr.start(iface->webTimeout()*1000); connect(&tmr,SIGNAL(timeout()),this,SLOT(webTimeout())); loop.exec(); tmr.stop();tmr.disconnect(SIGNAL(timeout()),this,SLOT(webTimeout())); + ///////////////////////////////////////////////////////////////////// + //process result if(m_stage==Error && m_errtype=="_timeout"){ //it did not finish yet, caught a timeout. @@ -138,6 +142,8 @@ QByteArray WTransaction::executeQuery(QString hreq,QByteArray data) return QByteArray(); } QHttpResponseHeader rsph=req.lastResponse(); + m_wobstatus=rsph.value("X-WobResponse-Status"); + m_wobstatus=m_wobstatus.replace("\"","").trimmed().toLower(); //check for high level error if(rsph.statusCode()!=200){ m_errstr="HTTP Error, return code "+QString::number(rsph.statusCode())+" "+rsph.reasonPhrase(); diff --git a/src/wbase/WTransaction.h b/src/wbase/WTransaction.h index 4ebb71e..8de263a 100644 --- a/src/wbase/WTransaction.h 
+++ b/src/wbase/WTransaction.h @@ -46,7 +46,7 @@ class WTransaction:public QObject void webFinished(); protected: Stage m_stage; - QString m_errtype,m_errstr,m_iface; + QString m_errtype,m_errstr,m_iface,m_wobstatus; int m_httpid; }; diff --git a/wob/user.wolf b/wob/user.wolf index dadbf4b..e2545e9 100644 --- a/wob/user.wolf +++ b/wob/user.wolf @@ -113,6 +113,7 @@ + diff --git a/woc/phpout.cpp b/woc/phpout.cpp index 9eb00e5..da91d02 100644 --- a/woc/phpout.cpp +++ b/woc/phpout.cpp 
@@ -863,7 +863,6 @@ QString WocPHPServerOut::trnOutput(const WocTransaction&trn) QString code="\t/*start of output encoding*/\n"; code+="\ttry{\n\t\t$xml=new DOMDocument;\n"; code+="\t\t$root=$xml->createElement(\"WobResponse\");\n"; - code+="\t\t$root->setAttribute(\"status\",$this->statusString());\n"; for(int i=0;iisAuthenticated()){ - header("X-MagicSmoke-Status: Unauthenticated"); - die(tr("Not authenticated. Can't change password.")); - } - //parse XML - $dom=new DOMDocument; - if(!$dom->loadXML($txt)){ - header("X-MagicSmoke-Status: SyntaxError"); - die(tr("unable to parse XML data")); - } - $nl=$dom->getElementsByTagName("SetMyPasswd"); - if($nl->length!=1){ - header("X-MagicSmoke-Status: SyntaxError"); - die(tr("expected exactly one passwd element")); - } - $spw=$nl->item(0); - $old=$spw->getAttribute("oldpwd"); - $nwp=$spw->getAttribute("newpwd"); + $old=$trans->getoldpassword(); + $nwp=$trans->getnewpassword(); //sanity check - if($nwp==""){ - header("X-MagicSmoke-Status: SyntaxError"); - die(tr("cannot set an empty password")); - } + if($nwp=="")$trans->abortWithError(tr("cannot set an empty password")); //check old password global $db; - $res=$db->select("users","passwd","uname=".$db->escapeString($this->user)); - if(count($res)!=1){ - header("X-MagicSmoke-Status: Error"); - die(tr("Ooops. Unable to find user. You have been deleted.")); - } - if($old!=$res[0]["passwd"]){ - header("X-MagicSmoke-Status: Error"); - deleteSession(); - die(tr("Wrong password. Session hijacked, terminating it.")); + $res=$db->select("user","passwd","uname=".$db->escapeString($this->user)); + if(count($res)!=1) + $trans->abortWithError(tr("Ooops. Unable to find user. You have been deleted.")); + $splt=explode(" ",$res[0]["passwd"]); + if(count($splt)!=2) + $trans->abortWithError(tr("Ooops. Internal storage error - cannot verify old password.")); + $vrfy=sha1($splt[0].$old); + if($vrfy!=$splt[1]){ + $trans->abortWithError(tr("Wrong password. 
Request denied.")); } //set new password - $db->update("users",array("passwd"=>$nwp),"uname=".$db->escapeString($this->user)); - header("X-MagicSmoke-Status: Ok"); + $salt=getSalt(); + $pwh=sha1($salt.$nwp); + $db->update("user",array("passwd"=>($salt." ".$pwh)),"uname=".$db->escapeString($this->user)); } /**checks whether user can execute this transaction, returns true on success; it always returns true for admins*/ diff --git a/www/inc/wbase/transaction.php b/www/inc/wbase/transaction.php index 5fc248e..3dd1365 100644 --- a/www/inc/wbase/transaction.php +++ b/www/inc/wbase/transaction.php @@ -17,11 +17,6 @@ class WobTransactionBase { protected $tinput; protected $aoutput; protected $toutput; - protected $astatus=0; - protected $aerror; - - const Ok=0; - const Error=1; /**called to determine the correct transaction, aborts the script if there is none.*/ static public function getTransactionName(){ @@ -75,31 +70,12 @@ class WobTransactionBase { } /**called to abort a transactions flow*/ - public function abortWithError($type,$text){ + public function abortWithError($type,$text=""){ + if($text==""){$text=$type;$type="server";} header("X-WobResponse-Status: Error"); print("".xq($text)."\n"); exit(); } - - /**returns the status of the transaction as string*/ - public function statusString() - { - switch($this->astatus){ - case Ok:return "ok"; - case Error:return "error"; - default:return "unknown"; - } - } - - /**sets the status of the transaction*/ - public function setStatus($s) - { - if($s<0 && $s>1)throw Exception("Illegal Status Code ".$s); - $this->astatus=$s; - } - - /**returns the status of the transaction*/ - public function status(){return $this->astatus;} }; ?> \ No newline at end of file -- 1.7.2.5
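Review bot: The old-password check compares SHA-1 hex digests with loose `!=`, and the new password is stored as a single round of salted SHA-1 (`$pwh=sha1($salt.$nwp);`), which is cheap to brute-force if the user table ever leaks. PHP's loose comparison treats two strings of the form `0e<digits>` as equal numbers, so the check should be `if(!hash_equals($splt[1],$vrfy)){` (or at least `!==`). For storage, `password_hash($nwp,PASSWORD_DEFAULT)` checked with `password_verify()` would replace the hand-rolled salt-plus-hash format, with a migration for the existing "salt hash" rows. The removed lines include the explicit `isAuthenticated()` guard and nothing visible replaces it, so please confirm that the transaction dispatcher rejects unauthenticated callers before this method runs. The method's signature is outside the visible hunk.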
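Review bot: The doc comment on `abortWithError($type,$text="")` still reads only "called to abort a transactions flow" and does not mention the new one-argument form. With a single argument the value is treated as the message and the type becomes `"server"`, which is what the new calls in session.php rely on. I would extend the comment to say so, for example `/**aborts the transaction; with one argument it is used as the error text and the type defaults to "server"*/`. Because the swap triggers on `$text==""`, a caller that passes a type with a deliberately empty text also gets its type reported as the message, which the comment should note as well.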