Merge pull request #4131 from normanjaeckel/PasswordPerm

Added new permission to set password.
2019-01-19 14:33:10 +01:00 · 2019-01-19 14:33:10 +01:00 · a895481cef
commit a895481cef
parent 27cb63174e 4da87d520d
5 changed files with 37 additions and 1 deletions
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@ -40,6 +40,7 @@ Motions:
 User:
 - Added new admin group which grants all permissions. Users of existing group
   'Admin' or 'Staff' are move to the new group during migration [#3859].
+ - Added new permission to set its own password [#4131].
 - Added gender field [#4124].


--- a/openslides/users/migrations/0009_auto_20190119_0941.py
+++ b/openslides/users/migrations/0009_auto_20190119_0941.py
@ -0,0 +1,23 @@
+# Generated by Django 2.1.5 on 2019-01-19 08:41
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0008_user_gender'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='user',
+            options={
+                'default_permissions': (), 'ordering': ('last_name', 'first_name', 'username'),
+                'permissions': (
+                    ('can_see_name', 'Can see names of users'),
+                    ('can_see_extra_data', 'Can see extra data of users (e.g. present and comment)'),
+                    ('can_change_password', 'Can change its own password'),
+                    ('can_manage', 'Can manage users'))},
+        ),
+    ]
--- a/openslides/users/models.py
+++ b/openslides/users/models.py
@ -170,6 +170,7 @@ class User(RESTModelMixin, PermissionsMixin, AbstractBaseUser):
                "can_see_extra_data",
                "Can see extra data of users (e.g. present and comment)",
            ),
+            ("can_change_password", "Can change its own password"),
            ("can_manage", "Can manage users"),
        )
        ordering = ("last_name", "first_name", "username")
--- a/openslides/users/signals.py
+++ b/openslides/users/signals.py
@ -59,6 +59,7 @@ def create_builtin_groups_and_admin(**kwargs):
        "motions.can_manage_metadata",
        "motions.can_see",
        "motions.can_support",
+        "users.can_change_password",
        "users.can_manage",
        "users.can_see_extra_data",
        "users.can_see_name",
@ -89,6 +90,7 @@ def create_builtin_groups_and_admin(**kwargs):
        permission_dict["mediafiles.can_see"],
        permission_dict["motions.can_see"],
        permission_dict["users.can_see_name"],
+        permission_dict["users.can_change_password"],
    )
    group_default = Group(pk=GROUP_DEFAULT_PK, name="Default")
    group_default.save(skip_autoupdate=True)
@ -114,6 +116,7 @@ def create_builtin_groups_and_admin(**kwargs):
        permission_dict["motions.can_create_amendments"],
        permission_dict["motions.can_support"],
        permission_dict["users.can_see_name"],
+        permission_dict["users.can_change_password"],
    )
    group_delegates = Group(pk=3, name="Delegates")
    group_delegates.save(skip_autoupdate=True)
@ -138,6 +141,7 @@ def create_builtin_groups_and_admin(**kwargs):
        permission_dict["mediafiles.can_see"],
        permission_dict["mediafiles.can_manage"],
        permission_dict["mediafiles.can_upload"],
+        permission_dict["mediafiles.can_see_hidden"],
        permission_dict["motions.can_see"],
        permission_dict["motions.can_create"],
        permission_dict["motions.can_create_amendments"],
@ -146,7 +150,7 @@ def create_builtin_groups_and_admin(**kwargs):
        permission_dict["users.can_see_name"],
        permission_dict["users.can_manage"],
        permission_dict["users.can_see_extra_data"],
-        permission_dict["mediafiles.can_see_hidden"],
+        permission_dict["users.can_change_password"],
    )
    group_staff = Group(pk=4, name="Staff")
    group_staff.save(skip_autoupdate=True)
@ -165,6 +169,7 @@ def create_builtin_groups_and_admin(**kwargs):
        permission_dict["motions.can_create_amendments"],
        permission_dict["motions.can_support"],
        permission_dict["users.can_see_name"],
+        permission_dict["users.can_change_password"],
    )
    group_committee = Group(pk=5, name="Committees")
    group_committee.save(skip_autoupdate=True)
--- a/openslides/users/views.py
+++ b/openslides/users/views.py
@ -571,6 +571,8 @@ class SetPasswordView(APIView):

    def post(self, request, *args, **kwargs):
        user = request.user
+        if not (has_perm(user, "users.can_change_password") or has_perm(user, "users.can_manage")):
+            self.permission_denied(request)
        if user.check_password(request.data["old_password"]):
            try:
                validate_password(request.data.get("new_password"), user=user)
@ -600,6 +602,8 @@ class PasswordResetView(APIView):
        """
        Loop over all users and send emails.
        """
+        if not (has_perm(request.user, "users.can_change_password") or has_perm(request.user, "users.can_manage")):
+            self.permission_denied(request)
        to_email = request.data.get("email")
        for user in self.get_users(to_email):
            current_site = get_current_site(request)
@ -667,6 +671,8 @@ class PasswordResetConfirmView(APIView):
    http_method_names = ["post"]

    def post(self, request, *args, **kwargs):
+        if not (has_perm(request.user, "users.can_change_password") or has_perm(request.user, "users.can_manage")):
+            self.permission_denied(request)
        uidb64 = request.data.get("user_id")
        token = request.data.get("token")
        password = request.data.get("password")