Merge pull request #4199 from normanjaeckel/FixResetPassword

Fix reset password
2019-01-28 21:26:46 +01:00 · 2019-01-28 21:26:46 +01:00 · 0d8cbbaab9
commit 0d8cbbaab9
parent 793066935e 39244a0ec9
5 changed files with 33 additions and 32 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -34,7 +34,7 @@ matrix:
      script:
        - flake8 openslides tests
        - isort --check-only --diff --recursive openslides tests
-        #- black --check --diff --py36 openslides tests
+        - black --check --diff --py36 openslides tests
        - python -m mypy openslides/ tests/
        - python -W ignore -m pytest --cov --cov-fail-under=70

--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@ -20,7 +20,7 @@ Core:
 - Fixed autoupdate system for related objects [#4140].
 - Add a change-id system to get only new elements [#3938].
 - Switch from Yarn back to npm [#3964].
- - Added password reset link (password reset via email) [#3914].
+ - Added password reset link (password reset via email) [#3914, #4199].
 - Added global history mode [#3977, #4141].
 - Projector refactoring [4119, #4130].

--- a/openslides/core/migrations/0014_changed_default_font.py
+++ b/openslides/core/migrations/0014_changed_default_font.py
@ -40,6 +40,4 @@ class Migration(migrations.Migration):

    dependencies = [("core", "0013_auto_20190119_1641")]

-    operations = [
-        migrations.RunPython(change_font_default_path),
-    ]
+    operations = [migrations.RunPython(change_font_default_path)]
--- a/openslides/users/models.py
+++ b/openslides/users/models.py
@ -235,17 +235,13 @@ class User(RESTModelMixin, PermissionsMixin, AbstractBaseUser):
        try:
            message = message.format(**message_format)
        except KeyError as err:
-            raise ValidationError(
-                {"detail": f"Invalid property {err}."}
-            )
+            raise ValidationError({"detail": f"Invalid property {err}."})

        subject_format = format_dict({"event_name": config["general_event_name"]})
        try:
            subject = subject.format(**subject_format)
        except KeyError as err:
-            raise ValidationError(
-                {"detail": f"Invalid property {err}."}
-            )
+            raise ValidationError({"detail": f"Invalid property {err}."})

        # Create an email and send it.
        email = mail.EmailMessage(
--- a/openslides/users/views.py
+++ b/openslides/users/views.py
@ -603,15 +603,13 @@ class PasswordResetView(APIView):
        """
        Loop over all users and send emails.
        """
-        if not (
-            has_perm(request.user, "users.can_change_password")
-            or has_perm(request.user, "users.can_manage")
-        ):
-            self.permission_denied(request)
        to_email = request.data.get("email")
        for user in self.get_users(to_email):
            current_site = get_current_site(request)
            site_name = current_site.name
+            if has_perm(user, "users.can_change_password") or has_perm(
+                user, "users.can_manage"
+            ):
                context = {
                    "email": to_email,
                    "site_name": site_name,
@ -622,10 +620,19 @@ class PasswordResetView(APIView):
                    "token": default_token_generator.make_token(user),
                    "username": user.get_username(),
                }
+                body = self.get_email_body(**context)
+            else:
+                # User is not allowed to reset his permission. Send only short message.
+                body = f"""
+                    You do not have permission to reset your password at {site_name}.
+
+                    Please contact your local administrator.
+
+                    Your username, in case you've forgotten: {user.get_username()}
+                    """
            # Send a django.core.mail.EmailMessage to `to_email`.
            subject = f"Password reset for {site_name}"
            subject = "".join(subject.splitlines())
-            body = self.get_email_body(**context)
            from_email = None  # TODO: Add nice from_email here.
            email_message = mail.EmailMessage(subject, body, from_email, [to_email])
            email_message.send()
@ -675,11 +682,6 @@ class PasswordResetConfirmView(APIView):
    http_method_names = ["post"]

    def post(self, request, *args, **kwargs):
-        if not (
-            has_perm(request.user, "users.can_change_password")
-            or has_perm(request.user, "users.can_manage")
-        ):
-            self.permission_denied(request)
        uidb64 = request.data.get("user_id")
        token = request.data.get("token")
        password = request.data.get("password")
@ -690,6 +692,11 @@ class PasswordResetConfirmView(APIView):
        user = self.get_user(uidb64)
        if user is None:
            raise ValidationError({"detail": "User does not exist."})
+        if not (
+            has_perm(user, "users.can_change_password")
+            or has_perm(user, "users.can_manage")
+        ):
+            self.permission_denied(request)
        if not default_token_generator.check_token(user, token):
            raise ValidationError({"detail": "Invalid token."})
        try: