From 746dbf744b95e74ee4a3ffcb365909b4a3295712 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Norman=20J=C3=A4ckel?= <openslides@normanjaeckel.de>
Date: Sun, 20 Jan 2019 15:44:03 +0100
Subject: [PATCH] Fixed reset password views.

---
 openslides/users/views.py | 45 +++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 21 deletions(-)

diff --git a/openslides/users/views.py b/openslides/users/views.py
index b8f752928..947eb0978 100644
--- a/openslides/users/views.py
+++ b/openslides/users/views.py
@@ -603,29 +603,34 @@ class PasswordResetView(APIView):
         """
         Loop over all users and send emails.
         """
-        if not (
-            has_perm(request.user, "users.can_change_password")
-            or has_perm(request.user, "users.can_manage")
-        ):
-            self.permission_denied(request)
         to_email = request.data.get("email")
         for user in self.get_users(to_email):
             current_site = get_current_site(request)
             site_name = current_site.name
-            context = {
-                "email": to_email,
-                "site_name": site_name,
-                "protocol": "https" if self.use_https else "http",
-                "domain": current_site.domain,
-                "path": "/login/reset-password-confirm/",
-                "user_id": urlsafe_base64_encode(force_bytes(user.pk)).decode(),
-                "token": default_token_generator.make_token(user),
-                "username": user.get_username(),
-            }
+            if has_perm(user, "users.can_change_password") or has_perm(user, "users.can_manage"):
+                context = {
+                    "email": to_email,
+                    "site_name": site_name,
+                    "protocol": "https" if self.use_https else "http",
+                    "domain": current_site.domain,
+                    "path": "/login/reset-password-confirm/",
+                    "user_id": urlsafe_base64_encode(force_bytes(user.pk)).decode(),
+                    "token": default_token_generator.make_token(user),
+                    "username": user.get_username(),
+                }
+                body = self.get_email_body(**context)
+            else:
+                # User is not allowed to reset his permission. Send only short message.
+                body = f"""
+                    You do not have permission to reset your password at {site_name}.
+
+                    Please contact your local administrator.
+
+                    Your username, in case you've forgotten: {user.get_username()}
+                    """
             # Send a django.core.mail.EmailMessage to `to_email`.
             subject = f"Password reset for {site_name}"
             subject = "".join(subject.splitlines())
-            body = self.get_email_body(**context)
             from_email = None  # TODO: Add nice from_email here.
             email_message = mail.EmailMessage(subject, body, from_email, [to_email])
             email_message.send()
@@ -675,11 +680,6 @@ class PasswordResetConfirmView(APIView):
     http_method_names = ["post"]
 
     def post(self, request, *args, **kwargs):
-        if not (
-            has_perm(request.user, "users.can_change_password")
-            or has_perm(request.user, "users.can_manage")
-        ):
-            self.permission_denied(request)
         uidb64 = request.data.get("user_id")
         token = request.data.get("token")
         password = request.data.get("password")
@@ -690,6 +690,9 @@ class PasswordResetConfirmView(APIView):
         user = self.get_user(uidb64)
         if user is None:
             raise ValidationError({"detail": "User does not exist."})
+        if not (has_perm(user, "users.can_change_password")
+                or has_perm(user, "users.can_manage")):
+            self.permission_denied(request)
         if not default_token_generator.check_token(user, token):
             raise ValidationError({"detail": "Invalid token."})
         try: