Assuming the table db.person has a field named password and the user's id is stored in session.person_id:
def form_factory(*a):
    """Build a SQLFORM from a table defined on a connectionless SQLDB.

    The positional arguments are forwarded unchanged to ``define_table``
    (table name followed by its field definitions), so the resulting form
    is not backed by a real database table.
    """
    scratch_table = SQLDB(None).define_table(*a)
    return SQLFORM(scratch_table)
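def change_password():
    """Let the logged-in user change the password stored in db.person.

    Unauthorized sessions are redirected to the index action. The form asks
    for the old password and the new password twice; the record identified
    by session.person_id is updated only when the form validates and the
    old password matches the stored value.

    Returns:
        dict with the form under the key 'form', for the view to render.
    """
    if not session.authorized:
        redirect(URL(r=request, f='index'))
    # The confirmation check is an expression string that IS_EXPR evaluates.
    # The submitted new_password is untrusted, so it is embedded with %r
    # (an escaped Python literal) instead of being pasted between quotes:
    # with "'%s'" a quote character in the password would end the literal
    # and the rest of the input would be evaluated as code.
    form = form_factory(
        'myform',
        SQLField('old_password', requires=IS_NOT_EMPTY()),
        SQLField('new_password', requires=IS_NOT_EMPTY()),
        SQLField('new_password_again',
                 requires=IS_EXPR("value==%r" % request.vars.new_password,
                                  error_message=T('passwords do not match'))))
    if FORM.accepts(form, request.vars, session):
        # Raises IndexError if no person row matches session.person_id.
        user = db(db.person.id == session.person_id).select()[0]
        # NOTE(review): the stored value is compared directly with the
        # submitted one and the new value is written as submitted - confirm
        # that db.person.password is hashed (for example by a validator on
        # the table) rather than kept in plaintext.
        if user.password != form.vars.old_password:
            response.flash = T('invalid old password')
        else:
            user.update_record(password=form.vars.new_password)
            response.flash = T('password updated')
    return dict(form=form)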