Fixed reset password views.

This commit is contained in:
Norman Jäckel 2019-01-20 15:44:03 +01:00
parent 793066935e
commit 746dbf744b

View File

@ -603,15 +603,11 @@ class PasswordResetView(APIView):
"""
Loop over all users and send emails.
"""
if not (
has_perm(request.user, "users.can_change_password")
or has_perm(request.user, "users.can_manage")
):
self.permission_denied(request)
to_email = request.data.get("email")
for user in self.get_users(to_email):
current_site = get_current_site(request)
site_name = current_site.name
if has_perm(user, "users.can_change_password") or has_perm(user, "users.can_manage"):
context = {
"email": to_email,
"site_name": site_name,
@ -622,10 +618,19 @@ class PasswordResetView(APIView):
"token": default_token_generator.make_token(user),
"username": user.get_username(),
}
body = self.get_email_body(**context)
else:
# User is not allowed to reset his permission. Send only short message.
body = f"""
You do not have permission to reset your password at {site_name}.
Please contact your local administrator.
Your username, in case you've forgotten: {user.get_username()}
"""
# Send a django.core.mail.EmailMessage to `to_email`.
subject = f"Password reset for {site_name}"
subject = "".join(subject.splitlines())
body = self.get_email_body(**context)
from_email = None # TODO: Add nice from_email here.
email_message = mail.EmailMessage(subject, body, from_email, [to_email])
email_message.send()
@ -675,11 +680,6 @@ class PasswordResetConfirmView(APIView):
http_method_names = ["post"]
def post(self, request, *args, **kwargs):
if not (
has_perm(request.user, "users.can_change_password")
or has_perm(request.user, "users.can_manage")
):
self.permission_denied(request)
uidb64 = request.data.get("user_id")
token = request.data.get("token")
password = request.data.get("password")
@ -690,6 +690,9 @@ class PasswordResetConfirmView(APIView):
user = self.get_user(uidb64)
if user is None:
raise ValidationError({"detail": "User does not exist."})
if not (has_perm(user, "users.can_change_password")
or has_perm(user, "users.can_manage")):
self.permission_denied(request)
if not default_token_generator.check_token(user, token):
raise ValidationError({"detail": "Invalid token."})
try: