kallithea Changeset - 0a0595b15c6c

Changeset - 0a0595b15c6c

Parent rev.

Child rev.

[Not reviewed]

default

0 3 0

Mads Kiilerich - 10 years ago 2015-07-31 15:44:07
madski@unity3d.com

auth: make sure that users only can manage their own primary data if self registration is enabled

With the UI showing exactly which fields are used and which are ignored, there
is no reason to show the 'External Source of Record' warning.

3 files changed with 4 insertions and 8 deletions:

kallithea/controllers/admin/my_account.py

kallithea/templates/admin/my_account/my_account_profile.html

kallithea/templates/admin/users/user_edit_profile.html

0 comments (0 inline, 0 general)

kallithea/controllers/admin/my_account.py

➞

Show inline comments

@@ @@ -57,96 +57,100 @@ class MyAccountController(BaseController @@
     """REST Controller styled on the Atom Publishing Protocol"""
     # To properly map this controller, ensure your config/routing.py
     # file has a resource setup:
     #     map.resource('setting', 'settings', controller='admin/settings',
     #         path_prefix='/admin', name_prefix='admin_')
     @LoginRequired()
     @NotAnonymous()
     def __before__(self):
         super(MyAccountController, self).__before__()
     def __load_data(self):
         c.user = User.get(self.authuser.user_id)
         if c.user.username == User.DEFAULT_USER:
             h.flash(_("You can't edit this user since it's"
                       " crucial for entire application"), category='warning')
             return redirect(url('users'))
         c.EXTERN_TYPE_INTERNAL = EXTERN_TYPE_INTERNAL
     def _load_my_repos_data(self, watched=False):
         if watched:
             admin = False
             repos_list = [x.follows_repository for x in
                           Session().query(UserFollowing).filter(
                               UserFollowing.user_id ==
                               self.authuser.user_id).all()]
         else:
             admin = True
             repos_list = Session().query(Repository)\
                          .filter(Repository.user_id ==
                                  self.authuser.user_id)\
                          .order_by(func.lower(Repository.repo_name)).all()
         repos_data = RepoModel().get_repos_as_dict(repos_list=repos_list,
                                                    admin=admin)
         #json used to render the grid
         return json.dumps(repos_data)
     def my_account(self):
         """
         GET /_admin/my_account Displays info about my account
         """
         # url('my_account')
         c.active = 'profile'
         self.__load_data()
         c.perm_user = AuthUser(user_id=self.authuser.user_id)
         c.ip_addr = self.ip_addr
         managed_fields = auth_modules.get_managed_fields(c.user)
         def_user_perms = User.get_default_user().AuthUser.permissions['global']
         if 'hg.register.none' in def_user_perms:
             managed_fields.extend(['username', 'firstname', 'lastname', 'email'])
         c.readonly = lambda n: 'readonly' if n in managed_fields else None
         defaults = c.user.get_dict()
         update = False
         if request.POST:
             _form = UserForm(edit=True,
                              old_data={'user_id': self.authuser.user_id,
                                        'email': self.authuser.email})()
             form_result = {}
             try:
                 post_data = dict(request.POST)
                 post_data['new_password'] = ''
                 post_data['password_confirmation'] = ''
                 form_result = _form.to_python(post_data)
                 # skip updating those attrs for my account
                 skip_attrs = ['admin', 'active', 'extern_type', 'extern_name',
                               'new_password', 'password_confirmation',
                              ] + managed_fields
                 UserModel().update(self.authuser.user_id, form_result,
                                    skip_attrs=skip_attrs)
                 h.flash(_('Your account was updated successfully'),
                         category='success')
                 Session().commit()
                 update = True
             except formencode.Invalid, errors:
                 return htmlfill.render(
                     render('admin/my_account/my_account.html'),
                     defaults=errors.value,
                     errors=errors.error_dict or {},
                     prefix_error=False,
                     encoding="UTF-8",
                     force_defaults=False)
             except Exception:
                 log.error(traceback.format_exc())
                 h.flash(_('Error occurred during update of user %s') \
                         % form_result.get('username'), category='error')
         if update:
             return redirect('my_account')
         return htmlfill.render(
             render('admin/my_account/my_account.html'),
             defaults=defaults,
             encoding="UTF-8",
             force_defaults=False)
     def my_account_password(self):
         c.active = 'password'

kallithea/templates/admin/my_account/my_account_profile.html

➞

Show inline comments

 ${h.form(url('my_account'), method='post')}
     <div class="form">
          <div class="field">
            <div class="gravatar_box">
                <div class="gravatar">
                  ${h.gravatar(c.user.email)}
                </div>
                 <p>
                 %if c.visual.use_gravatar:
                 <strong>${_('Change your avatar at')} <a href="http://gravatar.com">gravatar.com</a></strong>
                 <br/>${_('Using')} ${c.user.email}
                 %else:
                 <strong>${_('Avatars are disabled')}</strong>
                 <br/>${c.user.email or _('Missing email, please update your user email address.')}
                     [${_('Current IP')}: ${c.ip_addr}]
                 %endif
                </p>
            </div>
          </div>
         <div class="fields">
             %if c.user.extern_type != c.EXTERN_TYPE_INTERNAL:
                 <strong>${_('Your user is in an external Source of Record; some details cannot be managed here')}.</strong>
             %endif
              <div class="field">
                 <div class="label">
                     <label for="username">${_('Username')}:</label>
                 </div>
                 <div class="input">
                   ${h.text('username',class_='medium', readonly=c.readonly('username'))}
                 </div>
              </div>
              <div class="field">
                 <div class="label">
                     <label for="name">${_('First Name')}:</label>
                 </div>
                 <div class="input">
                     ${h.text('firstname',class_="medium", readonly=c.readonly('firstname'))}
                 </div>
              </div>
              <div class="field">
                 <div class="label">
                     <label for="lastname">${_('Last Name')}:</label>
                 </div>
                 <div class="input">
                     ${h.text('lastname',class_="medium", readonly=c.readonly('lastname'))}
                 </div>
              </div>
              <div class="field">
                 <div class="label">
                     <label for="email">${_('Email')}:</label>
                 </div>
                 <div class="input">
                     ${h.text('email',class_="medium", readonly=c.readonly('email'))}
                 </div>
              </div>
             <div class="buttons">
               ${h.submit('save',_('Save'),class_="btn")}
               ${h.reset('reset',_('Reset'),class_="btn")}
             </div>
         </div>
     </div>
 ${h.end_form()}

kallithea/templates/admin/users/user_edit_profile.html

➞

Show inline comments

 ${h.form(url('update_user', id=c.user.user_id),method='put')}
 <div class="form">
         <div class="field">
            <div class="gravatar_box">
                 <div class="gravatar">${h.gravatar(c.user.email)}</div>
                 <p>
                 %if c.visual.use_gravatar:
                 <strong>${_('Change avatar at')} <a href="http://gravatar.com">gravatar.com</a></strong>
                 <br/>${_('Using')} ${c.user.email}
                 %else:
                 <strong>${_('Avatars are disabled')}</strong>
                 <br/>${c.user.email or _('Missing email, please update this user email address.')}
                         ##show current ip just if we show ourself
                         %if c.authuser.username == c.user.username:
                             [${_('Current IP')}: ${c.ip_addr}]
                         %endif
                 %endif
            </div>
         </div>
         <div class="fields">
             %if c.user.extern_type != c.EXTERN_TYPE_INTERNAL:
              <div class="field">
                <strong>${_('This user is in an external Source of Record (%s); some details cannot be managed here.' % c.user.extern_type)}.</strong>
              </div>
             %endif
              <div class="field">
                 <div class="label">
                     <label for="username">${_('Username')}:</label>
                 </div>
                 <div class="input">
                   ${h.text('username',class_='medium', readonly=c.readonly('username'))}
                 </div>
              </div>
              <div class="field">
                 <div class="label">
                     <label for="email">${_('Email')}:</label>
                 </div>
                 <div class="input">
                     ${h.text('email',class_='medium', readonly=c.readonly('email'))}
                 </div>
              </div>
              <div class="field">
                 <div class="label">
                     <label for="extern_type">${_('Source of Record')}:</label>
                 </div>
                 <div class="input">
                     ${h.text('extern_type',class_='medium',readonly="readonly")}
                 </div>
              </div>
              <div class="field">
                 <div class="label">
                     <label for="extern_name">${_('Name in Source of Record')}:</label>
                 </div>
                 <div class="input">
                     ${h.text('extern_name',class_='medium',readonly="readonly")}
                 </div>
              </div>
              <div class="field">
                 <div class="label">
                     <label for="new_password">${_('New password')}:</label>
                 </div>
                 <div class="input">
                     ${h.password('new_password',class_='medium',readonly=c.readonly('password'))}
                 </div>
              </div>
              <div class="field">
                 <div class="label">

0 comments (0 inline, 0 general)