Merge pull request #4199 from normanjaeckel/FixResetPassword

Fix reset password
Emanuel Schütze 2019-01-28 21:26:46 +01:00 committed by GitHub
commit 0d8cbbaab9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 33 additions and 32 deletions


@ -34,7 +34,7 @@ matrix:
script:
- flake8 openslides tests
- isort --check-only --diff --recursive openslides tests
#- black --check --diff --py36 openslides tests
- black --check --diff --py36 openslides tests
- python -m mypy openslides/ tests/
- python -W ignore -m pytest --cov --cov-fail-under=70


@ -20,7 +20,7 @@ Core:
- Fixed autoupdate system for related objects [#4140].
- Add a change-id system to get only new elements [#3938].
- Switch from Yarn back to npm [#3964].
- Added password reset link (password reset via email) [#3914].
- Added password reset link (password reset via email) [#3914, #4199].
- Added global history mode [#3977, #4141].
- Projector refactoring [4119, #4130].


@ -40,6 +40,4 @@ class Migration(migrations.Migration):
dependencies = [("core", "0013_auto_20190119_1641")]
operations = [
migrations.RunPython(change_font_default_path),
]
operations = [migrations.RunPython(change_font_default_path)]


@ -235,17 +235,13 @@ class User(RESTModelMixin, PermissionsMixin, AbstractBaseUser):
try:
message = message.format(**message_format)
except KeyError as err:
raise ValidationError(
{"detail": f"Invalid property {err}."}
)
raise ValidationError({"detail": f"Invalid property {err}."})
subject_format = format_dict({"event_name": config["general_event_name"]})
try:
subject = subject.format(**subject_format)
except KeyError as err:
raise ValidationError(
{"detail": f"Invalid property {err}."}
)
raise ValidationError({"detail": f"Invalid property {err}."})
# Create an email and send it.
email = mail.EmailMessage(


@ -603,29 +603,36 @@ class PasswordResetView(APIView):
"""
Loop over all users and send emails.
"""
if not (
has_perm(request.user, "users.can_change_password")
or has_perm(request.user, "users.can_manage")
):
self.permission_denied(request)
to_email = request.data.get("email")
for user in self.get_users(to_email):
current_site = get_current_site(request)
site_name = current_site.name
context = {
"email": to_email,
"site_name": site_name,
"protocol": "https" if self.use_https else "http",
"domain": current_site.domain,
"path": "/login/reset-password-confirm/",
"user_id": urlsafe_base64_encode(force_bytes(user.pk)).decode(),
"token": default_token_generator.make_token(user),
"username": user.get_username(),
}
if has_perm(user, "users.can_change_password") or has_perm(
user, "users.can_manage"
):
context = {
"email": to_email,
"site_name": site_name,
"protocol": "https" if self.use_https else "http",
"domain": current_site.domain,
"path": "/login/reset-password-confirm/",
"user_id": urlsafe_base64_encode(force_bytes(user.pk)).decode(),
"token": default_token_generator.make_token(user),
"username": user.get_username(),
}
body = self.get_email_body(**context)
else:
# User is not allowed to reset his permission. Send only short message.
body = f"""
You do not have permission to reset your password at {site_name}.
Please contact your local administrator.
Your username, in case you've forgotten: {user.get_username()}
"""
# Send a django.core.mail.EmailMessage to `to_email`.
subject = f"Password reset for {site_name}"
subject = "".join(subject.splitlines())
body = self.get_email_body(**context)
from_email = None # TODO: Add nice from_email here.
email_message = mail.EmailMessage(subject, body, from_email, [to_email])
email_message.send()
@ -675,11 +682,6 @@ class PasswordResetConfirmView(APIView):
http_method_names = ["post"]
def post(self, request, *args, **kwargs):
if not (
has_perm(request.user, "users.can_change_password")
or has_perm(request.user, "users.can_manage")
):
self.permission_denied(request)
uidb64 = request.data.get("user_id")
token = request.data.get("token")
password = request.data.get("password")
@ -690,6 +692,11 @@ class PasswordResetConfirmView(APIView):
user = self.get_user(uidb64)
if user is None:
raise ValidationError({"detail": "User does not exist."})
if not (
has_perm(user, "users.can_change_password")
or has_perm(user, "users.can_manage")
):
self.permission_denied(request)
if not default_token_generator.check_token(user, token):
raise ValidationError({"detail": "Invalid token."})
try:
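Review bot: In `PasswordResetConfirmView.post` the relocated permission test runs before `default_token_generator.check_token(user, token)`, so a caller without a valid token gets three distinguishable answers ("User does not exist.", a permission-denied response, "Invalid token."), which discloses which user ids exist and which accounts lack `users.can_change_password`. Move the `if not (has_perm(user, "users.can_change_password") or has_perm(user, "users.can_manage")): self.permission_denied(request)` block below the `check_token` test so that only the holder of a valid token reaches it, and consider answering an unknown user with the same `ValidationError({"detail": "Invalid token."})`. `self.permission_denied(request)` may also answer an anonymous request with a not-authenticated error instead of a 403 (DRF behaviour, not visible on this page), which is worth confirming for a flow that is anonymous by design. The body of `post` continues after the `try:` outside this hunk.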