Changeset - 6c7efed20abc
default
0 3 0
Mads Kiilerich - 10 years ago 2015-11-27 01:46:59
madski@unity3d.com
auth: only local passwords can be reset

Do for password reset what de9a3152c206 did for password change.
3 files changed with 31 insertions and 13 deletions:
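--- a/kallithea/model/user.py
+++ b/kallithea/model/user.py
@@ -278,6 +278,11 @@ class UserModel(BaseModel):
         from kallithea.lib.hooks import log_delete_user
         log_delete_user(user.get_dict(), cur_user)
 
+    def can_change_password(self, user):
+        from kallithea.lib import auth_modules
+        managed_fields = auth_modules.get_managed_fields(user)
+        return 'password' not in managed_fields
+
     def get_reset_password_token(self, user, timestamp, session_id):
         """
         The token is a 40-digit hexstring, calculated as a HMAC-SHA1.
@@ -332,18 +337,21 @@ class UserModel(BaseModel):
         user = User.get_by_email(user_email)
         timestamp = int(time.time())
         if user is not None:
-            log.debug('password reset user %s found', user)
-            token = self.get_reset_password_token(user,
-                                                  timestamp,
-                                                  h.authentication_token())
-            # URL must be fully qualified; but since the token is locked to
-            # the current browser session, we must provide a URL with the
-            # current scheme and hostname, rather than the canonical_url.
-            link = h.url('reset_password_confirmation', qualified=True,
-                         email=user_email,
-                         timestamp=timestamp,
-                         token=token)
-
+            if self.can_change_password(user):
+                log.debug('password reset user %s found', user)
+                token = self.get_reset_password_token(user,
+                                                      timestamp,
+                                                      h.authentication_token())
+                # URL must be fully qualified; but since the token is locked to
+                # the current browser session, we must provide a URL with the
+                # current scheme and hostname, rather than the canonical_url.
+                link = h.url('reset_password_confirmation', qualified=True,
+                             email=user_email,
+                             timestamp=timestamp,
+                             token=token)
+            else:
+                log.debug('password reset user %s found but was managed', user)
+                token = link = None
             reg_type = EmailNotificationModel.TYPE_PASSWORD_RESET
             body = EmailNotificationModel().get_email_tmpl(
                 reg_type, 'txt',
@@ -397,6 +405,8 @@ class UserModel(BaseModel):
         from kallithea.lib import auth
         user = User.get_by_email(user_email)
         if user is not None:
+            if not self.can_change_password(user):
+                raise Exception('trying to change password for external user')
             user.password = auth.get_crypt_password(new_passwd)
             Session().add(user)
             Session().commit()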
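Review bot: The guard added in the last hunk raises a bare `Exception('trying to change password for external user')`, which gives the caller nothing specific to catch; if the code that handles the reset confirmation does not catch it, a token that is valid but belongs to an externally managed account would presumably surface as an unhandled server error rather than a clean refusal. A dedicated type, e.g. `raise ValueError('trying to change password for external user')` or a project exception class, lets the caller map it to a user-facing message. The check itself is the right place for enforcement: the gate added in the middle hunk only decides whether a token is mailed out, and a user's managed status could change between the mail and the confirmation, so this server-side check must stay even though the template already explains the refusal. Both the method containing this hunk and the one containing the middle hunk start before their hunks.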
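--- a/kallithea/templates/email_templates/password_reset.html
+++ b/kallithea/templates/email_templates/password_reset.html
@@ -4,9 +4,13 @@
 <h4>${_('Hello %s') % user}</h4>
 
 <p>${_('We have received a request to reset the password for your account.')}</p>
+%if reset_token is None:
+<p>${_('This account is however managed outside this system and the password cannot be changed here.')}</p>
+%else:
 <p>${_('To set a new password, click the following link')}:</p>
 <p><a href="${reset_url}">${reset_url}</a></p>
 
 <p>${_("Should you not be able to use the link above, please type the following code into the password reset form")}: <code>${reset_token}</code></p>
+%endif
 
 <p>${_("If it weren't you who requested the password reset, just disregard this message.")}</p>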
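Review bot: The new `%if reset_token is None:` branch relies on an implicit contract with the model — as far as the visible user.py hunk shows, `None` is passed only when the account was found but its password is externally managed — and nothing in the template records that, so a later change to how the model signals a managed account could silently make this email tell the wrong story. A one-line Mako comment above the branch would pin it down: `## reset_token is None when UserModel.send_reset_password_email found the account but its password is managed by an external auth plugin (see can_change_password)`. The same comment belongs in password_reset.txt, which carries an identical branch and must stay in sync with this one.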
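--- a/kallithea/templates/email_templates/password_reset.txt
+++ b/kallithea/templates/email_templates/password_reset.txt
@@ -3,11 +3,15 @@
 
 ${_('Hello %s') % user|n,unicode}
 
-${_('We have received a request to reset the password for your account..')|n,unicode}
+${_('We have received a request to reset the password for your account.')|n,unicode}
+%if reset_token is None:
+${_('This account is however managed outside this system and the password cannot be changed here.')|n,unicode}
+%else:
 ${_('To set a new password, click the following link')|n,unicode}:
 
 ${reset_url|n,unicode}
 
 ${_("Should you not be able to use the link above, please type the following code into the password reset form")|n,unicode}: ${reset_token|n,unicode}
+%endif
 
 ${_("If it weren't you who requested the password reset, just disregard this message.")|n,unicode}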