Verify Password of Selected User | new password function on mariadb?

Frappe Framework
1

I have a document in which has a button which opens a dialog box asking for password verification to set a check field ,

But not the password for the current user , its basically the supervisor , so he will select his user name(from drop down) and enter password , if verified --success ,–

So i connot use the frappe.verify_password function as it verifies current users password .
i did it in the old version using a verification from db queries , below was y function .

@frappe.whitelist()
def dis_auth(user,password):
	manager=frappe.db.sql("select u.name from tabUser u, `tabHas Role` ur where u.name=ur.parent and ur.role='Sales Master Manager' and u.name='%s'"%(user))
	if manager:
		auth = frappe.db.sql("""select name, `password`, salt from `__Auth`
			where doctype='User' and fieldname='password' and encrypted=0 and name='%s'
			and (
				(salt is null and `password`=password('%s'))
				or `password`=password(concat('%s', salt))
			)"""%(user,password,password), as_dict=True)
		if auth:
			return "Yes"
		else:
			frappe.msgprint("Invalid Password.")
			return "No"
	frappe.msgprint("Selected User is not Sales Master Manager")
	return "No"

and it worked perfectly, the but db structure has changed ,
and the query
frappe.db.sql("""select name, `password`, salt from `__Auth` where doctype='User' and fieldname='password' and encrypted=0 and name='%s' and ( (salt is null and `password`=password('%s')) or `password`=password(concat('%s', salt)) )"""%(user,password,password), as_dict=True)

does not work anymore , even though i added the salt column again , i think the encryption is handled in the password () is different from how User passwords are encrypted in db currently .

as i tested in the bench mariadb , the password function uses mda5 or sha1 , while all the passwords in the password field of auth table are encrypted in sha256 .

So

  1. How can i verify if a password is similar to one in database ?
  2. is there any easier way to achieve this now , or this is way is already optimal ?

Thanks

2

Is there no possible solution for it ,
how can i get authentication of a say sales manager for a specific thing ?

like in prev version , discount on sales invoice needs to be approved by the manager , so on pressing button , manager will put his userid and password ,
which was getting validated from above function , it does not work any more .

any alternative way i can achieve this verification ?

3

Hi,

I think check_password function is what you are looking for.

4

Im trying to achieve the same thing using client script but no luck. Any solution to this?

5

Here is the check password function that I used for my project

def check_password(user, pwd, doctype=‘User’, fieldname=‘password’):
‘’‘Checks if user and password are correct, else raises frappe.AuthenticationError’‘’

auth = frappe.db.sql("""select `name`, `password` from `__Auth`
	where `doctype`=%(doctype)s and `name`=%(name)s and `fieldname`=%(fieldname)s and `encrypted`=0""",
	{'doctype': doctype, 'name': user, 'fieldname': fieldname}, as_dict=True)

if not auth or not passlibctx.verify(pwd, auth[0].password):
	frappe.msgprint("Incorrect User or Password", raise_exception=True)

return user
6

@sione
This function written in server script?

do you have any idea how to link it to client script?

7

this is how I call the server script.

if (frappe.user.has_role("System Manager")){
	alert(current_action)
    //your own event here
	return;
} else {
	var me = this;
	let d = new frappe.ui.Dialog({
		title: 'Supervisor Authorization',
		fields: [{
				label: 'Supervisor',
				fieldname: 'supervisor_name',
				fieldtype: 'Link',
				options: "User",
				"get_query": function () {
					return {
						query:".......api.get_all_supervisors"
					}
				},
				reqd: 1
			},
			{
				label: 'Password',
				fieldname: 'password',
				fieldtype: 'Password',
				reqd: 1
			},
		],
		primary_action_label: 'Submit',
		primary_action(values) {
			frappe.call({
				method: ".......api.check_password",
				args: {
					'user': values.supervisor_name,
					'pwd': values.password,
					'doctype': "User",
					'filedname': "password"
			},
					callback: function(r) {
                    //Your own event here
					d.hide();
						return;
				},
				error: function() {
				}
			})
		}
	});
d.show();

}

8

App Versions

{
	"asset_management": "0.0.1",
	"frappe": "13.41.3"
}

Route

Form/Password wallet/Instagram-0192

Trackeback

Traceback (most recent call last):
  File "apps/frappe/frappe/app.py", line 69, in application
    response = frappe.api.handle()
  File "apps/frappe/frappe/api.py", line 55, in handle
    return frappe.handler.handle()
  File "apps/frappe/frappe/handler.py", line 38, in handle
    data = execute_cmd(cmd)
  File "apps/frappe/frappe/handler.py", line 76, in execute_cmd
    return frappe.call(method, **frappe.form_dict)
  File "apps/frappe/frappe/__init__.py", line 1457, in call
    return fn(*args, **newargs)
  File "apps/asset_management/asset_management/asset_management/doctype/password_wallet/password_wallet.py", line 21, in check_password
    if not auth or not passlibctx.verify(pwd, auth[0].password):
NameError: name 'passlibctx' is not defined

Request Data

{
	"type": "POST",
	"args": {
		"user": "Administrator",
		"pwd": "ss",
		"doctype": "User",
		"filedname": "password"
	},
	"headers": {},
	"error_handlers": {},
	"url": "/api/method/asset_management.asset_management.doctype.password_wallet.password_wallet.check_password"
}

Response Data

{
	"exception": "NameError: name 'passlibctx' is not defined"
}

I am getting this name error,??

9

@Alan_B
Just import the passlibctx

from frappe.utils.password import passlibctx