[Commotion-admin] [luci-commotion] Require existing password (#108)

Wed Nov 20 19:53:56 UTC 2013

Addresses opentechinstitute/commotion-openwrt#29

Luci has Set Password commands in 6 files, only two of which (/usr/lib/lua/luci/model/cbi/admin_system/admin.lua and /usr/lib/lua/luci/controller/admin/system.lua) are found in Commotion.

admin.lua has been rewritten to show a conditional form field if a password has been set. Because admin.lua contains ssh form fields, including a section to upload an ssh key, the root password is required to make ANY changes on that page. If no password exists (as on first boot), the existing password field will not be shown or required.

system.lua contained an action_passwd field that did not seem to be used. That function has been removed.

The command line passwd command does not yet require an existing password.

Patches should be submitted to luci.

To test:
1. On first boot, click the "set a password" option in the alert box (not quickstart). You will be prompted for a password as the page loads (all admin pages request a password), but the page itself should only show fields for the new password and confirmation, not an existing password.
2. Set a root password. The change should be successful.
3. Run quickstart.
4. Click the Administration icon at the bottom of the page, then click the System > Administration link. You should see a section requiring the existing root password.
5. Enter the correct password and change the root password. Confirm that the change was successful by logging in via ssh.
6. Enter the correct password and make a change to dropbear. Confirm that the change was successful by viewing /etc/config/dropbear.
7. Enter an incorrect password and make a change to dropbear. Confirm that changes were rejected by viewing /etc/config/dropbear.
8. Enter an incorrect password and change the root password. Confirm that changes were rejected by logging in via ssh.

You can merge this Pull Request by running:

  git pull https://github.com/opentechinstitute/luci-commotion require-existing-password

Or you can view, comment on it, or merge it online at:

  https://github.com/opentechinstitute/luci-commotion/pull/108

-- Commit Summary --

  * Patches to require existing admin password for password change
  * Fixed -p option in password patches
  * Fixed nil value error on conditional check
  * Last commit patched against wrong revision
  * Fixed nil value error on conditional check
  * Last commit patched against wrong revision
  * Fixed formvalue issue introduced in 4015be89

-- File Changes --

    M files/etc/uci-defaults/luci-mod-commotion (10)
    A files/usr/share/commotion/patches/admin.oldpasswd.patch (91)
    A files/usr/share/commotion/patches/system.oldpasswd.patch (27)

-- Patch Links --

https://github.com/opentechinstitute/luci-commotion/pull/108.patch
https://github.com/opentechinstitute/luci-commotion/pull/108.diff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.chambana.net/pipermail/commotion-admin/attachments/20131120/f89de6a9/attachment.html>