mORMot Open Source

sag2007

Member

From: Moscow, RU

Registered: 2015-09-23

Posts: 10

Question: how to use reUserCanChangeOwnPassword

Sorry for raising this subject again, but it seems that nobody was interested (or everyone understood at once) how to use this option - to allow normal user to change their password when using per-user authentication scheme with HPPP Client-Server version of framework.

My code looks like:

//Model
======
function CreateModel : TSQLModel;
var aRights : TSQLAccessRights;
begin
  Include(aRights.AllowRemoteExecute, reUserCanChangeOwnPassword);
  Result := TSQLModel.Create([TgbTree, TgbSysUser, TSQLAuthGroup]); // TgbSysUser = class(TSQLAuthUser) //
end;

//To create client and connect
=======================
appModel := CreateGipsModel;
appClient := TSQLHttpClient.Create('localhost','8082',appModel);
appClient.SetUser(aLogin,aPass);

//To change password
=================
aUser := appClient.SessionUser;
aUser.PasswordPlain := 'NewPasswordPlain' ;
appClient.UpdateField(TgbSysUser, 'LogonName', aUser.LogonName, 'PasswordHASHHexa', aUser.PasswordHashHexa);

And it works with Admin and never works with User. I understand that I do not understand how to properly use TSQLAccessRights object. I looked and searched and read but still nothing.

Please help.

Best regards,

Sergey.

ab

Administrator

From: France

Registered: 2010-06-21

Posts: 14,240

Website

Re: Question: how to use reUserCanChangeOwnPassword

Due to security reasons, I guess you can not modify the User table using a lookup by LogonName.
You have to use the ID. Then it should work as expected.

sag2007

Member

From: Moscow, RU

Registered: 2015-09-23

Posts: 10

Re: Question: how to use reUserCanChangeOwnPassword

Thanks for prompt reply!

Meantime, if I try to get ID by whatever means (while logged in as User, like TSQLAuthUser.GetID, or .ID) the ID is always 0. For Admin it is 0 as well (edited on 19:42).

And this

assert(appClient.UpdateField(TgbSysUser, 'ID', aUser.ID, 'PasswordHASHHexa', aUser.PasswordHashHexa), 'Пароль не изменен!');

is not working, even for Admin.

So I tried update by Logon name because of that. For Admin it is working perfectly.

Once again thank you for reply.

Last edited by sag2007 (2015-12-08 16:44:57)

ab

Administrator

From: France

Registered: 2010-06-21

Posts: 14,240

Website

Re: Question: how to use reUserCanChangeOwnPassword

Try to use the plain Update() method, with all the fields, after a proper Retrieve() by logon our ID, not the UpdateField() method.

sag2007

Member

From: Moscow, RU

Registered: 2015-09-23

Posts: 10

Re: Question: how to use reUserCanChangeOwnPassword

Working with the help and source. Will revert later.

Last edited by sag2007 (2015-12-09 07:40:10)

sag2007

Member

From: Moscow, RU

Registered: 2015-09-23

Posts: 10

Re: Question: how to use reUserCanChangeOwnPassword

Well, its embarassing, but I cannot go any further.

1. function

Retrieve(aID: TID; Value: TSQLRecord; ForUpdate: boolean=false): boolean; override; 

as stated in the Docs requires ID which I do not have.

2. the example of filling parameters of the SessionUser from the manual (which exploit some undocumented capabilities of retrieve)

fClient.Retrieve('LogonName=?',[TSQLAuthUser],[aUser.LogonName], aUser);

is also working for Admin only, i.e. it does not fill all the properties of aUser object and returns false for any other user.

3. Update like

assert(fClient.Update(aUser));

is working for Admin only again.

Since there were such problems everything was tested with standard TSQLAuthUser object.

Maybe someone could devise working example on how to properly use basic per-user authentication? Including password changing mechanism for non-admin users and user manipulation?

Best regards,

Sergey

Last edited by sag2007 (2015-12-09 10:13:48)

ab

Administrator

From: France

Registered: 2010-06-21

Posts: 14,240

Website

Re: Question: how to use reUserCanChangeOwnPassword

For security reasons, only a logged user could change its own password.

Once logged, you can access the current Session, via its ID, using SessionUser.
Is not fClient.Update(SessionUser) working?

sag2007

Member

From: Moscow, RU

Registered: 2015-09-23

Posts: 10

Re: Question: how to use reUserCanChangeOwnPassword

Yes, I understand that.
Login procedure is Ok (SetUser()), for any user fClient.SessionUser has LogonName, but ID is 0, except for Admins.
And fClient.Update(fClient.SessionUser) does not work (returns false) except for Admins.

sag2007

Member

From: Moscow, RU

Registered: 2015-09-23

Posts: 10

Re: Question: how to use reUserCanChangeOwnPassword

How exactly and when UserAccessRights should be updated?

I mean when should I use this statement:

Include(fRights.AllowRemoteExecute, reUserCanChangeOwnPassword);

Best regards,
Sergey.

Last edited by sag2007 (2015-12-09 13:17:45)

sag2007

Member

From: Moscow, RU

Registered: 2015-09-23

Posts: 10

Re: Question: how to use reUserCanChangeOwnPassword

Errata

For Supervisor group members all TSQLAuthUser details are returned Ok. But they still cannot change passwords.

sag2007

Member

From: Moscow, RU

Registered: 2015-09-23

Posts: 10

Re: Question: how to use reUserCanChangeOwnPassword

The point for my interest is that I am planning to use a User field in other objects, say to have multiple recipients for a document object, for document flow process, for example, say one user assigns document to several other users of the system for review. In order to link users from TSQLAuthUser to my TMyDocument I will need their Id's, but since common User does not have rights for view of TSQLAuthUser I do not understand at all how to implement that link. In this case the point of using TSQLAuthUser as ancestor for other objects is not achievable. Then I will need to create separate table for my application purposes, to which all users will have read access, and link it somehow to TSQLAuthUsers, since I want to authenticate users using standard authentication scheme.

ab

Administrator

From: France

Registered: 2010-06-21

Posts: 14,240

Website

Re: Question: how to use reUserCanChangeOwnPassword

I've made some modifications.
See http://synopse.info/fossil/info/3ea5ab32fa

Now once authenticated, TSQLRestClientURI.SessionUser would have all its properties retrieved from the remote server.
The ID would be set, as expected.

Could you try to call fClient.Update(fClient.SessionUser) now?
Ensure that reUserCanChangeOwnPassword is set for the User group, in the corresponding TSQLAuthGroup entry.

sag2007

Member

From: Moscow, RU

Registered: 2015-09-23

Posts: 10

Re: Question: how to use reUserCanChangeOwnPassword

Will check! Thank you very much!