Diffstat (limited to 'src/db')
-rw-r--r--src/db/rest/rest.sql1
-rw-r--r--src/db/rest/user/api_update_password.sql44
-rw-r--r--src/db/rest/user/api_user_update.sql20
3 files changed, 45 insertions, 20 deletions
diff --git a/src/db/rest/rest.sql b/src/db/rest/rest.sql
index 2b71ebe..6c3fb7d 100644
--- a/src/db/rest/rest.sql
+++ b/src/db/rest/rest.sql
@@ -26,6 +26,7 @@ GRANT USAGE ON SCHEMA _api TO rest_anon, rest_user;
\i /db/rest/user/api_user_insert.sql;
\i /db/rest/user/api_user_update.sql;
\i /db/rest/user/api_user_delete.sql;
+\i /db/rest/user/api_update_password.sql;
-- post
\i /db/rest/post/api_post.sql;
diff --git a/src/db/rest/user/api_update_password.sql b/src/db/rest/user/api_update_password.sql
new file mode 100644
index 0000000..34cc1ac
--- /dev/null
+++ b/src/db/rest/user/api_update_password.sql
@@ -0,0 +1,44 @@
+CREATE FUNCTION api.update_password(
+ current_password TEXT,
+ new_password TEXT
+)
+RETURNS void
+LANGUAGE plpgsql VOLATILE
+AS $BODY$
+DECLARE
+ _user_id INTEGER;
+ _real_password TEXT;
+BEGIN
+ _user_id = _api.get_user_id();
+
+ PERFORM _api.validate_text(
+ _text => new_password,
+ _column => 'password',
+ _min => 1,
+ _max => 256
+ );
+
+ SELECT password
+ INTO _real_password
+ FROM admin.user
+ WHERE id = _user_id;
+
+ IF _real_password <> current_password THEN
+ PERFORM _api.raise(
+ _msg => 'api_invalid_password'
+ );
+ END IF;
+
+ UPDATE
+ admin.user
+ SET
+ "password" = new_password
+ WHERE
+ id = _user_id;
+END
+$BODY$;
+
+GRANT EXECUTE ON FUNCTION api.update_password(TEXT, TEXT)
+ TO rest_user;
+GRANT SELECT, UPDATE ON TABLE admin.user
+ TO rest_user;
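Review bot: The check `IF _real_password <> current_password THEN` is bypassed when current_password is NULL or when no admin.user row matches _user_id, because the comparison then yields NULL, a NULL condition is treated as false in PL/pgSQL, and the UPDATE below runs without the current password ever being verified. Make the failure explicit: `IF current_password IS NULL OR _real_password IS NULL OR _real_password <> current_password THEN`. Separately, `GRANT SELECT, UPDATE ON TABLE admin.user TO rest_user` lets every rest_user session read and rewrite any row of admin.user, including other users' password column, outside this function; declaring the function `LANGUAGE plpgsql VOLATILE SECURITY DEFINER SET search_path = pg_catalog, public` under an owner that already holds those rights and dropping the table grant keeps that access scoped to this one code path. The direct string comparison also suggests admin.user.password holds a plaintext value; if so that is a concern of its own, and if it is in fact a hash then both the comparison and the UPDATE need to go through the hashing function rather than the raw text.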
diff --git a/src/db/rest/user/api_user_update.sql b/src/db/rest/user/api_user_update.sql
index 2e7cd50..c26c680 100644
--- a/src/db/rest/user/api_user_update.sql
+++ b/src/db/rest/user/api_user_update.sql
@@ -32,25 +32,6 @@ BEGIN
_changed = TRUE;
END IF;
- -- password
- SELECT password
- INTO OLD.password
- FROM admin.user
- WHERE id = OLD.id;
-
- NEW.password = COALESCE(NEW.password, OLD.password);
- NEW.password := _api.trim(NEW.password);
- PERFORM _api.validate_text(
- _text => NEW.password,
- _column => 'password',
- _min => 1,
- _max => 256
- );
-
- IF NEW.password IS DISTINCT FROM OLD.password THEN
- _changed = TRUE;
- END IF;
-
-- first name
NEW.first_name = COALESCE(NEW.first_name, OLD.first_name);
NEW.first_name := _api.trim(NEW.first_name);
@@ -138,7 +119,6 @@ BEGIN
IF _changed THEN
UPDATE admin.user SET
username = NEW.username,
- password = NEW.password,
first_name = NEW.first_name,
last_name = NEW.last_name,
middle_name = NEW.middle_name,