portal/django_passresetview.py

   1 # -*- coding: utf-8 -*-
   2 #
   3 # portal/views.py: views for the portal application
   4 # This file is part of the Manifold project.
   5 #
   6 # Author:
   7 #   Mohammed Yasin Rahman <mohammed-yasin.rahman@lip6.fr>
   8 # Copyright 2014, UPMC Sorbonne Universités / LIP6
   9 #
  10 # This program is free software; you can redistribute it and/or modify it under
  11 # the terms of the GNU General Public License as published by the Free Software
  12 # Foundation; either version 3, or (at your option) any later version.
  13 #
  14 # This program is distributed in the hope that it will be useful, but WITHOUT
  15 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  16 # FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  17 # details.
  18 #
  19 # You should have received a copy of the GNU General Public License along with
  20 # this program; see the file COPYING.  If not, write to the Free Software
  21 # Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  22
  23
  24
  25
  26
  27 """
  28 View Description:
  29
  30 Allows a user to reset their password by generating a one-time use link that can be used to reset the password, and sending that link to the user's
  31 registered email address.
  32
  33 If the email address provided does not exist in the system, this view won't send an email, but the user won't receive any error message either.
  34 This prevents information leaking to potential attackers. If you want to provide an error message in this case, you can subclass PasswordResetForm
  35 and use the password_reset_form argument.
  36
  37 Users flagged with an unusable password - see set_unusable_password() - aren't allowed to request a password reset to prevent misuse when using an external
  38 authentication source like LDAP. Note that they won't receive any error message since this would expose their account's existence but no mail will be sent either.
  39
  40 More Detail: https://docs.djangoproject.com/en/dev/topics/auth/default/#topics-auth-creating-users
  41 """
  42
  43
  44
  45 try:
  46     from urllib.parse import urlparse, urlunparse
  47 except ImportError:     # Python 2
  48     from urlparse import urlparse, urlunparse
  49
  50 from django.conf import settings
  51 from django.core.urlresolvers import reverse
  52 from django.http import HttpResponseRedirect, QueryDict
  53 from django.template.response import TemplateResponse
  54 from django.utils.http import base36_to_int, is_safe_url
  55 from django.utils.translation import ugettext as _
  56 from django.shortcuts import resolve_url
  57 from django.views.decorators.debug import sensitive_post_parameters
  58 from django.views.decorators.cache import never_cache
  59 from django.views.decorators.csrf import csrf_protect
  60
  61 # Avoid shadowing the login() and logout() views below.
  62 from django.contrib.auth import REDIRECT_FIELD_NAME, login as auth_login, logout as auth_logout, get_user_model
  63 from django.contrib.auth.decorators import login_required
  64 from portal.forms import PasswordResetForm, SetPasswordForm
  65 from django.contrib.auth.tokens import default_token_generator
  66 from django.contrib.sites.models import get_current_site
  67 from django.contrib.auth.hashers import identify_hasher
  68
  69 ##
  70 import os.path, re
  71 import json
  72
  73 from random                     import choice
  74
  75 from django.contrib             import messages
  76 from django.views.generic       import View
  77 from django.shortcuts           import render
  78 from django.http                        import HttpResponse, HttpResponseRedirect
  79
  80 from unfold.loginrequired       import FreeAccessView
  81 from ui.topmenu                 import topmenu_items_live
  82
  83 from manifoldapi.manifoldapi    import execute_admin_query
  84 from manifold.core.query        import Query
  85 from portal.actions             import manifold_update_user
  86
  87 from portal.forms               import PassResetForm
  88 from portal.actions             import manifold_update_user
  89
  90 from myslice.theme import ThemeView
  91
  92 # 4 views for password reset:
  93 # - password_reset sends the mail
  94 # - password_reset_done shows a success message for the above
  95 # - password_reset_confirm checks the link the user clicked and
  96 #   prompts for a new password
  97 # - password_reset_complete shows a success message for the above
  98
  99 @csrf_protect
 100 def password_reset(request, is_admin_site=False,
 101                    template_name='password_reset_form.html',
 102                    email_template_name='password_reset_email.html',
 103                    subject_template_name='registration/password_reset_subject.txt',
 104                    password_reset_form=PasswordResetForm,
 105                    token_generator=default_token_generator,
 106                    post_reset_redirect=None,
 107                    from_email=None,
 108                    current_app=None,
 109                    extra_context=None):
 110
 111     themeview = ThemeView()
 112     themeview.template_name = template_name
 113
 114     if post_reset_redirect is None:
 115         post_reset_redirect = reverse('portal.django_passresetview.password_reset_done')
 116     if request.method == "POST":
 117         form = password_reset_form(request.POST)
 118         if form.is_valid():
 119
 120             ### email check in manifold DB ###
 121             email = form.cleaned_data['email'].lower() # email inserted on the form
 122             user_query  = Query().get('local:user').select('user_id','email')
 123             user_details = execute_admin_query(request, user_query)
 124             flag = 0
 125             for user_detail in user_details:
 126                 if user_detail['email']==email:
 127                     flag = 1
 128                     break
 129
 130             if flag == 0:
 131                 messages.error(request, 'Sorry, this email is not registered.')
 132                 return render(request, themeview.theme, {
 133                     'form': form,
 134                     })
 135             ### end of email check in manifold  ###
 136
 137             opts = {
 138                 'use_https': request.is_secure(),
 139                 'token_generator': token_generator,
 140                 'from_email': from_email,
 141                 'email_template_name': email_template_name,
 142                 'subject_template_name': subject_template_name,
 143                 'request': request,
 144             }
 145             if is_admin_site:
 146                 opts = dict(opts, domain_override=request.get_host())
 147             form.save(**opts)
 148             return HttpResponseRedirect(post_reset_redirect)
 149     else:
 150         form = password_reset_form()
 151     context = {
 152         'form': form,
 153         'theme': themeview.theme
 154     }
 155     if extra_context is not None:
 156         context.update(extra_context)
 157     return TemplateResponse(request, themeview.template, context,
 158                             current_app=current_app)
 159
 160
 161 def password_reset_done(request,
 162                         template_name='password_reset_done.html',
 163                         current_app=None, extra_context=None):
 164     themeview = ThemeView()
 165     themeview.template_name = template_name
 166     context = {
 167                'theme' : themeview.theme
 168     }
 169     if extra_context is not None:
 170         context.update(extra_context)
 171     return TemplateResponse(request, themeview.template, context,
 172                             current_app=current_app)
 173
 174
 175 # Doesn't need csrf_protect since no-one can guess the URL
 176 @sensitive_post_parameters()
 177 @never_cache
 178 def password_reset_confirm(request, uidb36=None, token=None,
 179                            template_name='password_reset_confirm.html',
 180                            token_generator=default_token_generator,
 181                            set_password_form=SetPasswordForm,
 182                            post_reset_redirect=None,
 183                            current_app=None, extra_context=None):
 184     """
 185     View that checks the hash in a password reset link and presents a
 186     form for entering a new password.
 187     """
 188     themeview = ThemeView()
 189     themeview.template_name = template_name
 190
 191     UserModel = get_user_model()
 192     assert uidb36 is not None and token is not None  # checked by URLconf
 193     if post_reset_redirect is None:
 194         post_reset_redirect = reverse('portal.django_passresetview.password_reset_complete')
 195     try:
 196         uid_int = base36_to_int(uidb36)
 197         user = UserModel._default_manager.get(pk=uid_int)
 198     except (ValueError, OverflowError, UserModel.DoesNotExist):
 199         user = None
 200
 201     if user is not None and token_generator.check_token(user, token):
 202         validlink = True
 203         if request.method == 'POST':
 204             form = set_password_form(user, request.POST)
 205             if form.is_valid():
 206
 207                 ### manifold pass update ###
 208                 #password = form.cleaned_data('password1')
 209                 password=request.POST['new_password1']
 210                 #user_query  = Query().get('local:user').select('user_id','email','password')
 211                 #user_details = execute_admin_query(request, user_query)
 212                 #for user_detail in user_details:
 213                 #    if user_detail['email'] == user.email:
 214                 #        user_detail['password'] = password
 215                 #updating password in local:user
 216                 user_params = { 'password': password}
 217                 manifold_update_user(request,user.email,user_params)
 218                 ### end of manifold pass update ###
 219
 220
 221                 form.save()
 222                 return HttpResponseRedirect(post_reset_redirect)
 223         else:
 224             form = set_password_form(None)
 225     else:
 226         validlink = False
 227         form = None
 228     context = {
 229         'form': form,
 230         'validlink': validlink,
 231         'theme' : themeview.theme
 232     }
 233     if extra_context is not None:
 234         context.update(extra_context)
 235     return TemplateResponse(request, themeview.template, context,
 236                             current_app=current_app)
 237
 238
 239 def password_reset_complete(request,
 240                             template_name='password_reset_complete.html',
 241                             current_app=None, extra_context=None):
 242     themeview = ThemeView()
 243     themeview.template_name = template_name
 244     context = {
 245         'login_url': resolve_url(settings.LOGIN_URL),
 246         'theme' : themeview.theme
 247     }
 248     if extra_context is not None:
 249         context.update(extra_context)
 250     return TemplateResponse(request, themeview.template, context,
 251                             current_app=current_app)
 252
 253