author | alice <alice@immerda.ch> | 2012-09-21 17:08:21 +0200 |
committer | alice <alice@immerda.ch> | 2012-10-19 15:20:07 +0200 |
commit | ba4292ce2298b6e58fbc76ce5e02d5e35d9dc7e5 (patch) | |
tree | 01a5f7b38cc2a5218309eceae151f955326bf622 /py-bin | |
parent | 861d2dd07bfd53028d7efc0a551bdf05466b627b (diff) |
no more password in session. adding jid now asks for jid password
Diffstat (limited to 'py-bin')
-rw-r--r-- | py-bin/jabberman.py | 51 | ||||
-rw-r--r-- | py-bin/setup.py | 16 | ||||
-rw-r--r-- | py-bin/templates/add_account_form.em | 2 |
3 files changed, 33 insertions, 36 deletions
diff --git a/py-bin/jabberman.py b/py-bin/jabberman.py index e27a23e..d85144a 100644 --- a/py-bin/jabberman.py +++ b/py-bin/jabberman.py @@ -256,18 +256,19 @@ class JabberManager: def __init__(self, session): self.jadb = JabberDB() self.session = session - self.current_user, self.authenticated = None, False + self.current_user = None def get_user(self): return self.current_user def authenticate(self): - if self.authenticated == True: - return True - if (not "uid" in self.session) or (not "pass" in self.session): + if not self.current_user and "uid" in self.session: + self.current_user = self.jadb.get_web_user(self.session["uid"]) + + if self.current_user: + return (True, self.current_user) + else: return (False, "Nicht angemeldet.") - ok, status_or_user = self.login(self.session["uid"], self.session["pass"]) - return (ok, status_or_user) def login(self, user_id, password): ok, status = self.check_user_id(user_id) @@ -276,16 +277,15 @@ class JabberManager: self.current_user = self.jadb.login_user(user_id, password) if self.current_user: - self.__set_session(user_id, password = password) + self.__set_session(user_id) else: self.__clear_session() return (False, "Benutzername oder Passwort falsch.") - self.authenticated = True return (True, self.current_user) def logout(self): - self.current_user, self.authenticated = None, False + self.current_user = None self.__clear_session() def prepare_user(self, user_id): @@ -323,8 +323,8 @@ class JabberManager: ok, status_or_user = self.jadb.activate_user(user_id, password, token) if ok: - self.current_user, self.authenticated = status_or_user, True - self.__set_session(user_id, password = password) + self.current_user = status_or_user + self.__set_session(user_id) else: self.__clear_session() return (False, status_or_user) 
@@ -332,18 +332,14 @@ class JabberManager: return (True, status) def change_password(self, jid, password): - if not self.authenticated: + if not self.current_user: return (False, "Zugriff verweigert.") user_id = self.current_user.email ok, status = self.jadb.change_jid_password(user_id, jid, password) if ok: - if jid == self.current_user.get_primary_jid(): - self.__set_session(user_id, password = password) return (True, "Passwort erfolgreich geaendert.") else: - if jid == self.current_user.get_primary_jid(): - self.__clear_session() return (False, status) def is_acceptable_password(self, password, password2): @@ -362,27 +358,22 @@ class JabberManager: default_acc = WebUser.derive_primary_jid(user_id) return filter(lambda acc: acc.jid != default_acc, self.get_account_list(user_id)) - def add_account(self, jabber_id): - if not self.authenticated: + def add_account(self, jabber_id, password): + if not self.current_user: return (False, "Zugriff verweigert.") - + ok, status = JabberManager.check_jabber_id(jabber_id) if not ok: return (False, status) - try: - password = self.session["pass"] - except Exception: - return (False, "Zugriff verweigert.") - - ok, status = self.jadb.add_account(self.current_user.email, jabber_id, self.session["pass"], check_only = True) + ok, status = self.jadb.add_account(self.current_user.email, jabber_id, password, check_only = True) if not ok: return (False, status) - return self.jadb.add_account(self.current_user.email, jabber_id, self.session["pass"]) + return self.jadb.add_account(self.current_user.email, jabber_id, password) def remove_account(self, jabber_id): - if not self.authenticated: + if not self.current_user: return (False, "Zugriff verweigert.") ok, status = JabberManager.check_jabber_id(jabber_id) 
@@ -399,19 +390,15 @@ class JabberManager: return self.jadb.remove_account(user_id, jabber_id) - def __set_session(self, user_id, password = None, token = None): + def __set_session(self, user_id, token = None): self.__clear_session() self.session["uid"] = user_id - if password: - self.session["pass"] = password if token: self.session["tok"] = token def __clear_session(self): if self.session.get("uid"): del(self.session["uid"]) - if self.session.get("pass"): - del(self.session["pass"]) if self.session.get("token"): del(self.session["tok"]) diff --git a/py-bin/setup.py b/py-bin/setup.py index 49f8980..b2e8fbf 100644 --- a/py-bin/setup.py +++ b/py-bin/setup.py @@ -58,7 +58,7 @@ class SetupMixIn: user = self.__authenticate(req) if not user: return - + last_err = req.params.get("error", "") domains = config.extra_domains @@ -73,12 +73,20 @@ class SetupMixIn: domain = req.params.get("domain", "") account = req.params.get("name", "") + "@" + domain - + password = req.params.get("password", "") + password2 = req.params.get("password2", "") + if domain not in config.extra_domains: self.error_page(req, "Zugriff verweigert.") return - - ok, status = self.jman.add_account(account) + + ok, status = self.jman.is_acceptable_password(password, password2) + if not ok: + url = self.make_url([("cmd","add_account_form"), ("error", status)]) + self.redirect_to(req, url) + return + + ok, status = self.jman.add_account(account, password) if not ok: url = self.make_url([("cmd","add_account_form"), ("error", status)]) self.redirect_to(req, url) diff --git a/py-bin/templates/add_account_form.em b/py-bin/templates/add_account_form.em index ae88204..1fb8324 100644 --- a/py-bin/templates/add_account_form.em +++ b/py-bin/templates/add_account_form.em 
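Review bot: In the new `authenticate`, a `"uid"` key in `self.session` is now taken as proof of identity — `self.jadb.get_web_user(self.session["uid"])` is loaded with no credential check — whereas the removed code re-ran `login` with the stored password on every call. Nothing in the hunk shows how `self.session` is stored, so this is only safe if the session is server-side or integrity-protected; a comment such as `# "uid" is trusted as-is: the session store must not be client-writable` on the lookup line would make that assumption explicit for the next reader. Separately, in the last hunk `__clear_session` tests `self.session.get("token")` but deletes `self.session["tok"]` (the key `__set_session` writes), so a stored token survives `logout`; the test should read `if self.session.get("tok"):`. That mismatch predates this commit but sits on the new side of the hunk.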
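Review bot: The redirect-on-error block added after `is_acceptable_password` is a verbatim copy of the one that already follows `add_account` (`url = self.make_url([("cmd","add_account_form"), ("error", status)])`, `self.redirect_to(req, url)`, `return`); folding both into one small helper, e.g. `self.__redirect_with_error(req, status)`, would keep the handler readable as further checks are added. The `status` text is handed back through the `error` URL parameter and rendered by the form page as `last_err`; the hunk shows neither `make_url` nor the template, so whether it is URL-encoded and HTML-escaped on the way cannot be confirmed from here and is worth checking. The enclosing handler's `def` line is outside the hunk.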
@@ -10,6 +10,8 @@ @[end for] </select> </p> + <p>Passwort: <input type="password" name="password"/></p> + <p>Passwort bestätigen: <input type="password" name="password2"/></p> <p><input type="reset" value="Zurücksetzen"/> <input type="submit" name="submitted" value="Erstellen"/></p> </form> |
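Review bot: The two new password inputs carry no `autocomplete` attribute, so a browser may autofill the user's site login password into fields that set a different credential (the new JID's password); adding `autocomplete="new-password"` to both `<input type="password" .../>` elements tells the browser to treat them as a fresh secret. The opening of the form lies outside the hunk.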