How to check if new password is different from the actual?


Marvix

Jun 23, 2016, 11:53:47 AM
to web2py-users
Hello,

When a user is changing his password, is it possible to check if it is equal to the current one, and refuse it in that case?

Thanks!

Marlysson Silva

Jun 24, 2016, 10:23:41 AM
to web2py-users


Yes. You can find the currently logged-in user with auth.user.id, and look them up using the DAL, i.e. db.auth_user[auth.user.id], which returns the user's data, thereby verifying the "password" field (of the table) against "form.new_password" (the name of the form field that you create).


All this by overwriting the view user/change_password (if you haven't changed the value of the URL to retrieve the password), and doing the operations needed.

Tip: Before the user's form is submitted, try using .validate() on the form to handle these things.

Basically it's this. I think :D

Limedrop

Jun 27, 2016, 5:15:45 PM
to web2py-users
The function you are looking for is CRYPT. You could put something like this in an on_validation function:

            if auth.user.password == CRYPT()(request.vars.new_password)[0]:
                form.errors.new_password = 'Cannot re-use password'

Marvi Benedet

Jun 28, 2016, 6:15:53 AM
to web...@googlegroups.com
OK, thanks for the suggestions. I'll give it a try!

Massimo Di Pierro

Jun 28, 2016, 12:15:24 PM
to web2py-users
Mind that the result of CRYPT()('password')[0] is not the hashed password but an object that, when converted to a string, is a hashed password, but when compared to a hashed password string, performs the comparison using the same salt and the same algorithm as the hash it is comparing itself with.

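Added example, not part of the thread and not web2py's own code: a self-contained Python model of the comparison behaviour described in the last post, showing why the re-use check works through the object's comparison while a plain string comparison of two salted hashes does not. The `alg$salt$digest` storage format, the PBKDF2 parameters and the names `make_hash`, `LazyHash` and `reuse_error` are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000            # assumed work factor for this example
ALLOWED = ("sha256", "sha512")  # algorithms this example accepts


def make_hash(password, salt=None, alg="sha512"):
    """Return a stored-hash string 'alg$salt$digest' (format assumed here)."""
    salt = salt or os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac(alg, password.encode(), salt.encode(), ITERATIONS)
    return "%s$%s$%s" % (alg, salt, digest.hex())


class LazyHash(object):
    """Holds a candidate password; hashes it only when printed or compared."""

    def __init__(self, password):
        self.password = password

    def __str__(self):
        # Converted to a string: a hash under a fresh random salt.
        return make_hash(self.password)

    def __eq__(self, stored):
        # Compared to a stored hash: re-hash with that hash's algorithm and salt.
        if not isinstance(stored, str) or stored.count("$") != 2:
            return False
        alg, salt, _ = stored.split("$")
        if alg not in ALLOWED:
            return False
        candidate = make_hash(self.password, salt, alg)
        return hmac.compare_digest(candidate.encode(), stored.encode())


def reuse_error(stored_hash, new_password):
    """Return an error message if new_password equals the current password."""
    if stored_hash == LazyHash(new_password):  # same operand order as the thread
        return "Cannot re-use password"
    return None


if __name__ == "__main__":
    current = make_hash("old-secret")              # constructed sample value
    print(reuse_error(current, "old-secret"))      # rejected as re-use
    print(reuse_error(current, "new-secret"))      # accepted
    print(str(LazyHash("old-secret")) == current)  # fresh salt, strings differ
```

Converting the object to a string before comparing defeats the check, because the string form carries a new random salt and never equals the stored value.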