From 4da87d520d31c2ab5c9374f84a122034794a184a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Norman=20J=C3=A4ckel?=
Date: Sat, 19 Jan 2019 09:52:13 +0100
Subject: [PATCH] Added new permission to set password.

---
 CHANGELOG.rst | 1 +
 .../migrations/0009_auto_20190119_0941.py | 23 +++++++++++++++++++
 openslides/users/models.py | 1 +
 openslides/users/signals.py | 7 +++++-
 openslides/users/views.py | 6 +++++
 5 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 openslides/users/migrations/0009_auto_20190119_0941.py

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index b7ace92e8..2504f8e7d 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -38,6 +38,7 @@ Motions:
 User:
 - Added new admin group which grants all permissions. Users of existing group 'Admin' or 'Staff' are move to the new group during migration [#3859].
+ - Added new permission to set its own password [#4131].
 - Added gender field [#4124].
diff --git a/openslides/users/migrations/0009_auto_20190119_0941.py b/openslides/users/migrations/0009_auto_20190119_0941.py
new file mode 100644
index 000000000..870297d3e
--- /dev/null
+++ b/openslides/users/migrations/0009_auto_20190119_0941.py
@@ -0,0 +1,23 @@
+# Generated by Django 2.1.5 on 2019-01-19 08:41
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('users', '0008_user_gender'),
+ ]
+
+ operations = [
+ migrations.AlterModelOptions(
+ name='user',
+ options={
+ 'default_permissions': (), 'ordering': ('last_name', 'first_name', 'username'),
+ 'permissions': (
+ ('can_see_name', 'Can see names of users'),
+ ('can_see_extra_data', 'Can see extra data of users (e.g. present and comment)'),
+ ('can_change_password', 'Can change its own password'),
+ ('can_manage', 'Can manage users'))},
+ ),
+ ]
diff --git a/openslides/users/models.py b/openslides/users/models.py
index 0afb4d32e..ccaba352a 100644
--- a/openslides/users/models.py
+++ b/openslides/users/models.py
@@ -170,6 +170,7 @@ class User(RESTModelMixin, PermissionsMixin, AbstractBaseUser):
 "can_see_extra_data",
 "Can see extra data of users (e.g. present and comment)",
 ),
+ ("can_change_password", "Can change its own password"),
 ("can_manage", "Can manage users"),
 )
 ordering = ("last_name", "first_name", "username")
diff --git a/openslides/users/signals.py b/openslides/users/signals.py
index b40c248c0..a3ec4c636 100644
--- a/openslides/users/signals.py
+++ b/openslides/users/signals.py
@@ -59,6 +59,7 @@ def create_builtin_groups_and_admin(**kwargs):
 "motions.can_manage_metadata",
 "motions.can_see",
 "motions.can_support",
+ "users.can_change_password",
 "users.can_manage",
 "users.can_see_extra_data",
 "users.can_see_name",
@@ -89,6 +90,7 @@ def create_builtin_groups_and_admin(**kwargs):
 permission_dict["mediafiles.can_see"],
 permission_dict["motions.can_see"],
 permission_dict["users.can_see_name"],
+ permission_dict["users.can_change_password"],
 )
 group_default = Group(pk=GROUP_DEFAULT_PK, name="Default")
 group_default.save(skip_autoupdate=True)
@@ -114,6 +116,7 @@ def create_builtin_groups_and_admin(**kwargs):
 permission_dict["motions.can_create_amendments"],
 permission_dict["motions.can_support"],
 permission_dict["users.can_see_name"],
+ permission_dict["users.can_change_password"],
 )
 group_delegates = Group(pk=3, name="Delegates")
 group_delegates.save(skip_autoupdate=True)
@@ -138,6 +141,7 @@ def create_builtin_groups_and_admin(**kwargs):
 permission_dict["mediafiles.can_see"],
 permission_dict["mediafiles.can_manage"],
 permission_dict["mediafiles.can_upload"],
+ permission_dict["mediafiles.can_see_hidden"],
 permission_dict["motions.can_see"],
 permission_dict["motions.can_create"],
 permission_dict["motions.can_create_amendments"],
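Review bot: Granting `users.can_change_password` to the Default group here (and to Delegates, Staff and Committees in the -114, -146 and -165 hunks) only reaches groups that `create_builtin_groups_and_admin` itself creates; if, as its name suggests, that signal handler only populates a fresh database, existing installations keep their old group permission sets and `SetPasswordView` in views.py will start rejecting every user without `users.can_manage` after the upgrade. The 0009 migration in this patch only alters model options, so nothing attaches the new Permission to the builtin groups that already exist, unlike the admin-group change the changelog credits to a migration. A small RunPython data migration that adds the `users.can_change_password` permission to the groups with pk `GROUP_DEFAULT_PK`, 3, 4 and 5 would close that gap. The body of `create_builtin_groups_and_admin` starts and ends outside this hunk.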
@@ -146,7 +150,7 @@ def create_builtin_groups_and_admin(**kwargs):
 permission_dict["users.can_see_name"],
 permission_dict["users.can_manage"],
 permission_dict["users.can_see_extra_data"],
- permission_dict["mediafiles.can_see_hidden"],
+ permission_dict["users.can_change_password"],
 )
 group_staff = Group(pk=4, name="Staff")
 group_staff.save(skip_autoupdate=True)
@@ -165,6 +169,7 @@ def create_builtin_groups_and_admin(**kwargs):
 permission_dict["motions.can_create_amendments"],
 permission_dict["motions.can_support"],
 permission_dict["users.can_see_name"],
+ permission_dict["users.can_change_password"],
 )
 group_committee = Group(pk=5, name="Committees")
 group_committee.save(skip_autoupdate=True)
diff --git a/openslides/users/views.py b/openslides/users/views.py
index 49fc7c65f..a12b301b4 100644
--- a/openslides/users/views.py
+++ b/openslides/users/views.py
@@ -571,6 +571,8 @@ class SetPasswordView(APIView):
 
 def post(self, request, *args, **kwargs):
 user = request.user
+ if not (has_perm(user, "users.can_change_password") or has_perm(user, "users.can_manage")):
+ self.permission_denied(request)
 if user.check_password(request.data["old_password"]):
 try:
 validate_password(request.data.get("new_password"), user=user)
@@ -600,6 +602,8 @@ class PasswordResetView(APIView):
 """
 Loop over all users and send emails.
 """
+ if not (has_perm(request.user, "users.can_change_password") or has_perm(request.user, "users.can_manage")):
+ self.permission_denied(request)
 to_email = request.data.get("email")
 for user in self.get_users(to_email):
 current_site = get_current_site(request)
@@ -667,6 +671,8 @@ class PasswordResetConfirmView(APIView):
 http_method_names = ["post"]
 
 def post(self, request, *args, **kwargs):
+ if not (has_perm(request.user, "users.can_change_password") or has_perm(request.user, "users.can_manage")):
+ self.permission_denied(request)
 uidb64 = request.data.get("user_id")
 token = request.data.get("token")
 password = request.data.get("password")
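Review bot: The two-call condition `has_perm(user, "users.can_change_password") or has_perm(user, "users.can_manage")` is pasted verbatim into three views of this file (here in `SetPasswordView.post` and again in the -600 and -667 hunks), so the next change to the rule has to be repeated in three places and the copies can drift. A module-level helper, `def can_change_password(user): return has_perm(user, "users.can_change_password") or has_perm(user, "users.can_manage")`, used as `if not can_change_password(user): self.permission_denied(request)`, keeps the policy in one spot. A short comment above the check, noting that `can_change_password` covers the caller's own password (its label in models.py says "its own") while `can_manage` covers everyone, would make the intended scope explicit. The body of `post` continues below the hunk.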
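Review bot: Requiring `request.user` to hold `users.can_change_password` in `PasswordResetView.post` (and in `PasswordResetConfirmView.post` in the -667 hunk) makes the forgotten-password flow depend on the permissions of a caller who is, by design, not logged in, and the check fires before the e-mail address or token is even looked at. Whether the anonymous user inherits the Default group's new permission presumably depends on `has_perm`'s handling of anonymous callers and on the instance allowing anonymous access (neither is visible here); where it does not, `permission_denied` closes the reset flow entirely and a locked-out user has no self-service path back in. If that is the intended policy, it should be recorded on both checks, e.g. `# self-service reset is only available when the anonymous user holds users.can_change_password`; otherwise this gate belongs on `SetPasswordView` alone. The enclosing `post` of `PasswordResetView` starts above this hunk.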