Merge pull request #4131 from normanjaeckel/PasswordPerm
Added new permission to set password.
commit
a895481cef
@ -40,6 +40,7 @@ Motions:
|
||||
User:
|
||||
- Added new admin group which grants all permissions. Users of existing group
|
||||
'Admin' or 'Staff' are move to the new group during migration [#3859].
|
||||
- Added new permission to set its own password [#4131].
|
||||
- Added gender field [#4124].
|
||||
|
||||
|
||||
|
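--- /dev/null
+++ b/openslides/users/migrations/0009_auto_20190119_0941.py
@@ -0,0 +1,23 @@
+# Generated by Django 2.1.5 on 2019-01-19 08:41
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+dependencies = [
+('users', '0008_user_gender'),
+]
+
+operations = [
+migrations.AlterModelOptions(
+name='user',
+options={
+'default_permissions': (), 'ordering': ('last_name', 'first_name', 'username'),
+'permissions': (
+('can_see_name', 'Can see names of users'),
+('can_see_extra_data', 'Can see extra data of users (e.g. present and comment)'),
+('can_change_password', 'Can change its own password'),
+('can_manage', 'Can manage users'))},
+),
+]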
@ -170,6 +170,7 @@ class User(RESTModelMixin, PermissionsMixin, AbstractBaseUser):
|
||||
"can_see_extra_data",
|
||||
"Can see extra data of users (e.g. present and comment)",
|
||||
),
|
||||
("can_change_password", "Can change its own password"),
|
||||
("can_manage", "Can manage users"),
|
||||
)
|
||||
ordering = ("last_name", "first_name", "username")
|
||||
|
@ -59,6 +59,7 @@ def create_builtin_groups_and_admin(**kwargs):
|
||||
"motions.can_manage_metadata",
|
||||
"motions.can_see",
|
||||
"motions.can_support",
|
||||
"users.can_change_password",
|
||||
"users.can_manage",
|
||||
"users.can_see_extra_data",
|
||||
"users.can_see_name",
|
||||
@ -89,6 +90,7 @@ def create_builtin_groups_and_admin(**kwargs):
|
||||
permission_dict["mediafiles.can_see"],
|
||||
permission_dict["motions.can_see"],
|
||||
permission_dict["users.can_see_name"],
|
||||
permission_dict["users.can_change_password"],
|
||||
)
|
||||
group_default = Group(pk=GROUP_DEFAULT_PK, name="Default")
|
||||
group_default.save(skip_autoupdate=True)
|
||||
@ -114,6 +116,7 @@ def create_builtin_groups_and_admin(**kwargs):
|
||||
permission_dict["motions.can_create_amendments"],
|
||||
permission_dict["motions.can_support"],
|
||||
permission_dict["users.can_see_name"],
|
||||
permission_dict["users.can_change_password"],
|
||||
)
|
||||
group_delegates = Group(pk=3, name="Delegates")
|
||||
group_delegates.save(skip_autoupdate=True)
|
||||
@ -138,6 +141,7 @@ def create_builtin_groups_and_admin(**kwargs):
|
||||
permission_dict["mediafiles.can_see"],
|
||||
permission_dict["mediafiles.can_manage"],
|
||||
permission_dict["mediafiles.can_upload"],
|
||||
permission_dict["mediafiles.can_see_hidden"],
|
||||
permission_dict["motions.can_see"],
|
||||
permission_dict["motions.can_create"],
|
||||
permission_dict["motions.can_create_amendments"],
|
||||
@ -146,7 +150,7 @@ def create_builtin_groups_and_admin(**kwargs):
|
||||
permission_dict["users.can_see_name"],
|
||||
permission_dict["users.can_manage"],
|
||||
permission_dict["users.can_see_extra_data"],
|
||||
permission_dict["mediafiles.can_see_hidden"],
|
||||
permission_dict["users.can_change_password"],
|
||||
)
|
||||
group_staff = Group(pk=4, name="Staff")
|
||||
group_staff.save(skip_autoupdate=True)
|
||||
@ -165,6 +169,7 @@ def create_builtin_groups_and_admin(**kwargs):
|
||||
permission_dict["motions.can_create_amendments"],
|
||||
permission_dict["motions.can_support"],
|
||||
permission_dict["users.can_see_name"],
|
||||
permission_dict["users.can_change_password"],
|
||||
)
|
||||
group_committee = Group(pk=5, name="Committees")
|
||||
group_committee.save(skip_autoupdate=True)
|
||||
|
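Review bot: Only freshly created databases receive `users.can_change_password` through create_builtin_groups_and_admin; the migration in this commit is a plain `AlterModelOptions` and grants the permission to no existing group. Because SetPasswordView now rejects callers without it, ordinary users on an upgraded instance would apparently lose the ability to change their password until an administrator assigns the permission by hand. A data step that adds the permission to the groups whose members could change passwords before, or a changelog line stating that the grant is manual after upgrade, would keep existing deployments consistent. create_builtin_groups_and_admin starts and ends outside these hunks.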
@ -571,6 +571,8 @@ class SetPasswordView(APIView):
|
||||
|
||||
def post(self, request, *args, **kwargs):
|
||||
user = request.user
|
||||
if not (has_perm(user, "users.can_change_password") or has_perm(user, "users.can_manage")):
|
||||
self.permission_denied(request)
|
||||
if user.check_password(request.data["old_password"]):
|
||||
try:
|
||||
validate_password(request.data.get("new_password"), user=user)
|
||||
@ -600,6 +602,8 @@ class PasswordResetView(APIView):
|
||||
"""
|
||||
Loop over all users and send emails.
|
||||
"""
|
||||
if not (has_perm(request.user, "users.can_change_password") or has_perm(request.user, "users.can_manage")):
|
||||
self.permission_denied(request)
|
||||
to_email = request.data.get("email")
|
||||
for user in self.get_users(to_email):
|
||||
current_site = get_current_site(request)
|
||||
@ -667,6 +671,8 @@ class PasswordResetConfirmView(APIView):
|
||||
http_method_names = ["post"]
|
||||
|
||||
def post(self, request, *args, **kwargs):
|
||||
if not (has_perm(request.user, "users.can_change_password") or has_perm(request.user, "users.can_manage")):
|
||||
self.permission_denied(request)
|
||||
uidb64 = request.data.get("user_id")
|
||||
token = request.data.get("token")
|
||||
password = request.data.get("password")
|
||||
|
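Review bot: In PasswordResetView.post and PasswordResetConfirmView.post the new check is made against `request.user`, the caller, not against the account whose password is being reset, so it does not enforce `users.can_change_password` for that account. A reset is normally requested by someone who is not logged in, so the result presumably depends on what the anonymous/default group holds: this commit grants the permission to the Default group, in which case a user whose own groups lack it could still set a new password through the reset flow, and where the Default group lacks it the forgotten-password flow is closed to everyone. Consider checking the target account instead, e.g. `if not has_perm(user, "users.can_change_password"): continue` inside the `for user in self.get_users(to_email)` loop, and the equivalent check on the user resolved from `uidb64`, which happens outside this hunk. The identical two-permission condition is also written out three times and would read better as one small helper.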