Merge pull request #4199 from normanjaeckel/FixResetPassword

Fix reset password
Emanuel Schütze 2019-01-28 21:26:46 +01:00 committed by GitHub
commit 0d8cbbaab9
5 changed files with 33 additions and 32 deletions


@ -34,7 +34,7 @@ matrix:
script: script:
- flake8 openslides tests - flake8 openslides tests
- isort --check-only --diff --recursive openslides tests - isort --check-only --diff --recursive openslides tests
#- black --check --diff --py36 openslides tests - black --check --diff --py36 openslides tests
- python -m mypy openslides/ tests/ - python -m mypy openslides/ tests/
- python -W ignore -m pytest --cov --cov-fail-under=70 - python -W ignore -m pytest --cov --cov-fail-under=70


@ -20,7 +20,7 @@ Core:
- Fixed autoupdate system for related objects [#4140]. - Fixed autoupdate system for related objects [#4140].
- Add a change-id system to get only new elements [#3938]. - Add a change-id system to get only new elements [#3938].
- Switch from Yarn back to npm [#3964]. - Switch from Yarn back to npm [#3964].
- Added password reset link (password reset via email) [#3914]. - Added password reset link (password reset via email) [#3914, #4199].
- Added global history mode [#3977, #4141]. - Added global history mode [#3977, #4141].
- Projector refactoring [4119, #4130]. - Projector refactoring [4119, #4130].


@ -40,6 +40,4 @@ class Migration(migrations.Migration):
dependencies = [("core", "0013_auto_20190119_1641")] dependencies = [("core", "0013_auto_20190119_1641")]
operations = [ operations = [migrations.RunPython(change_font_default_path)]
migrations.RunPython(change_font_default_path),
]


@ -235,17 +235,13 @@ class User(RESTModelMixin, PermissionsMixin, AbstractBaseUser):
try: try:
message = message.format(**message_format) message = message.format(**message_format)
except KeyError as err: except KeyError as err:
raise ValidationError( raise ValidationError({"detail": f"Invalid property {err}."})
{"detail": f"Invalid property {err}."}
)
subject_format = format_dict({"event_name": config["general_event_name"]}) subject_format = format_dict({"event_name": config["general_event_name"]})
try: try:
subject = subject.format(**subject_format) subject = subject.format(**subject_format)
except KeyError as err: except KeyError as err:
raise ValidationError( raise ValidationError({"detail": f"Invalid property {err}."})
{"detail": f"Invalid property {err}."}
)
# Create an email and send it. # Create an email and send it.
email = mail.EmailMessage( email = mail.EmailMessage(


@ -603,15 +603,13 @@ class PasswordResetView(APIView):
""" """
Loop over all users and send emails. Loop over all users and send emails.
""" """
if not (
has_perm(request.user, "users.can_change_password")
or has_perm(request.user, "users.can_manage")
):
self.permission_denied(request)
to_email = request.data.get("email") to_email = request.data.get("email")
for user in self.get_users(to_email): for user in self.get_users(to_email):
current_site = get_current_site(request) current_site = get_current_site(request)
site_name = current_site.name site_name = current_site.name
if has_perm(user, "users.can_change_password") or has_perm(
user, "users.can_manage"
):
context = { context = {
"email": to_email, "email": to_email,
"site_name": site_name, "site_name": site_name,
@ -622,10 +620,19 @@ class PasswordResetView(APIView):
"token": default_token_generator.make_token(user), "token": default_token_generator.make_token(user),
"username": user.get_username(), "username": user.get_username(),
} }
body = self.get_email_body(**context)
else:
# User is not allowed to reset his permission. Send only short message.
body = f"""
You do not have permission to reset your password at {site_name}.
Please contact your local administrator.
Your username, in case you've forgotten: {user.get_username()}
"""
# Send a django.core.mail.EmailMessage to `to_email`. # Send a django.core.mail.EmailMessage to `to_email`.
subject = f"Password reset for {site_name}" subject = f"Password reset for {site_name}"
subject = "".join(subject.splitlines()) subject = "".join(subject.splitlines())
body = self.get_email_body(**context)
from_email = None # TODO: Add nice from_email here. from_email = None # TODO: Add nice from_email here.
email_message = mail.EmailMessage(subject, body, from_email, [to_email]) email_message = mail.EmailMessage(subject, body, from_email, [to_email])
email_message.send() email_message.send()
@ -675,11 +682,6 @@ class PasswordResetConfirmView(APIView):
http_method_names = ["post"] http_method_names = ["post"]
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
if not (
has_perm(request.user, "users.can_change_password")
or has_perm(request.user, "users.can_manage")
):
self.permission_denied(request)
uidb64 = request.data.get("user_id") uidb64 = request.data.get("user_id")
token = request.data.get("token") token = request.data.get("token")
password = request.data.get("password") password = request.data.get("password")
@ -690,6 +692,11 @@ class PasswordResetConfirmView(APIView):
user = self.get_user(uidb64) user = self.get_user(uidb64)
if user is None: if user is None:
raise ValidationError({"detail": "User does not exist."}) raise ValidationError({"detail": "User does not exist."})
if not (
has_perm(user, "users.can_change_password")
or has_perm(user, "users.can_manage")
):
self.permission_denied(request)
if not default_token_generator.check_token(user, token): if not default_token_generator.check_token(user, token):
raise ValidationError({"detail": "Invalid token."}) raise ValidationError({"detail": "Invalid token."})
try: try:
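Review bot: In the last hunk of `PasswordResetConfirmView.post`, the new `if not (has_perm(user, "users.can_change_password") or has_perm(user, "users.can_manage")): self.permission_denied(request)` block runs before `default_token_generator.check_token(user, token)`, so an unauthenticated caller who supplies only a `user_id` presumably gets a permission-denied response for accounts without the permission and `"Invalid token."` for accounts that hold it, which lets privileged accounts be told apart without any valid token. Move that block to directly after `if not default_token_generator.check_token(user, token): raise ValidationError({"detail": "Invalid token."})`; legitimate resets behave the same, and only a holder of a valid token learns anything about the account's permissions. The per-user branch added in `PasswordResetView.post` (the hunk starting at the docstring) only changes the email body, not the HTTP response, so it does not have this problem; that method starts above the hunk, so I could not confirm the response is identical on both branches. Since `context` is now only bound in the `if` branch there, a comment such as `# context is only needed for the full reset email` above it would make the asymmetry with the `else` branch intentional rather than accidental.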