Updates the current user's own password. Accepts a JSON request body with only a "password" field. The username is derived from the current session, preventing privilege escalation attacks where a user might attempt to change another user's password. Returns an empty response on success.
@api_blueprint.route('/currentUser/password', methods=['PUT'])
@required_auth(auth.Role.OPERATOR)
def current_user_password_put():
    """Change the password of the user who owns the current session.

    The target account is taken from the session, never from the request, so
    a caller cannot point this endpoint at another user's account. The request
    body is handed to request_parsers.password.parse_password and only the
    parsed password is used here.

    Security notes for maintainers:
      * Nothing in this handler asks for the caller's *current* password; the
        session (together with the @required_auth(auth.Role.OPERATOR)
        decorator) is the only proof of identity, so a hijacked session is
        sufficient to rotate the password. A re-authentication step, if
        wanted, would have to be added here or in parse_password.
      * session.login() is called afterwards to refresh this session; nothing
        in this handler touches other sessions of the same user — confirm in
        session.login whether they are invalidated.

    Returns:
        json_response.success() on success; otherwise a (json_response.error,
        status) pair with 401 (no username in the session), 400 (request body
        rejected by the parser) or 404 (user record missing — not expected to
        happen in practice).
    """
    def reject(error, status_code):
        # Every failure path serialises the error the same way; only the
        # HTTP status differs.
        return json_response.error(error), status_code

    username = session.get_username()
    if not username:
        return reject(NotAuthenticatedError('Not authenticated'), 401)

    try:
        new_password = request_parsers.password.parse_password(flask.request)
    except request_parsers.errors.Error as parse_error:
        return reject(parse_error, 400)

    try:
        auth.change_password(username, new_password)
    except db.users.UserDoesNotExistError as missing_user:
        # Defensive only: the username came from a live session, so the
        # account is expected to exist.
        return reject(missing_user, 404)

    # Re-establish the session under the new credentials.
    session.login(username)
    return json_response.success()
| 164 | @api_blueprint.route('/user/password', methods=['PUT']) |