web2py change password via service call

In web2py I'd like to change password via xml-rpc call. How can I do that?

@auth.requires_login()
def call():
    return service()

@service.xmlrpc
def change_password(old_pass, new_pass, confirm_pass):
    #Validate args and then does the following
    #Borrowed from web2py tools.py source
    table_user = auth.settings.table_user 
    passfield = auth.settings.password_field
    s = db(table_use开发者_运维知识库r.id == auth.user_id) 
    d = {passfield: new_pass}
    s.update(**d) #this saves new password in plain text; why?? 
    return

By default, the password field uses the CRYPT() validator to hash the password. However, validators are applied with form submissions (when the form.accepts() method is called), not during regular .insert() and .update() operations. Before inserting the new password, you can pass it through the CRYPT validator of the auth_user.password field yourself:

d = {passfield: table_user[passfield].validate(new_pass)[0]}
s.update(**d)

Update: Changed requires[-1] to validate.

Update: This won't work in the current stable version (1.99.3), but as of the next release, you will instead be able to do:

d = {passfield: new_pass}
s.validate_and_update(**d)

The validate_and_update method already exists, but previously it only ran the validators to check for errors without transforming the submitted values (so didn't work with validators like CRYPT, which transform the submitted values). The updated version now transforms the values as well, so should work with CRYPT.