Add user_is_protected() method to core View class

also, don't allow "protected" users to change their own password
2020-09-23 16:28:54 -05:00 · 2020-09-23 16:28:54 -05:00 · 746db72046
parent 77fa2a78d4
commit 746db72046
3 changed files with 19 additions and 19 deletions
--- a/tailbone/views/auth.py
+++ b/tailbone/views/auth.py
@ -172,6 +172,10 @@ class AuthenticationView(View):
        if not self.request.user:
            return self.redirect(self.request.route_url('home'))

+        if self.user_is_protected(self.request.user):
+            self.request.session.flash("Cannot change password for user: {}".format(self.request.user))
+            return self.redirect(self.request.get_referrer())
+
        use_buefy = self.get_use_buefy()
        schema = ChangePassword().bind(user=self.request.user)
        form = forms.Form(schema=schema, request=self.request, use_buefy=use_buefy)
--- a/tailbone/views/core.py
+++ b/tailbone/views/core.py
@ -42,7 +42,7 @@ from tailbone.db import Session
 from tailbone.auth import logout_user
 from tailbone.progress import SessionProgress
 from tailbone.util import should_use_buefy
-from tailbone.config import legacy_mobile_enabled
+from tailbone.config import legacy_mobile_enabled, protected_usernames


 class View(object):
@ -110,6 +110,20 @@ class View(object):
            if uuid:
                return Session.query(model.User).get(uuid)

+    def user_is_protected(self, user):
+        """
+        This logic will consult the settings for a list of "protected"
+        usernames, which should require root privileges to edit.  If the given
+        ``user`` object is represented in this list, it is considered to be
+        protected and this method will return ``True``; otherwise it returns
+        ``False``.
+        """
+        if not hasattr(self, 'protected_usernames'):
+            self.protected_usernames = protected_usernames(self.rattail_config)
+        if self.protected_usernames and user.username in self.protected_usernames:
+            return True
+        return False
+
    def redirect(self, url, **kwargs):
        """
        Convenience method to return a HTTP 302 response.
--- a/tailbone/views/users.py
+++ b/tailbone/views/users.py
@ -42,7 +42,6 @@ from tailbone import forms
 from tailbone.db import Session
 from tailbone.views import MasterView
 from tailbone.views.principal import PrincipalMasterView, PermissionsRenderer
-from tailbone.config import protected_usernames


 class UsersView(PrincipalMasterView):
@ -154,23 +153,6 @@ class UsersView(PrincipalMasterView):
            return True
        return not self.user_is_protected(user)

-    def user_is_protected(self, user):
-        """
-        This logic will consult the settings, for a list of "protected"
-        usernames, which should require root privileges to edit.  If no setting
-        is found, or the given ``user`` is not represented in the setting, then
-        edit is allowed.
-
-        But if there is a setting, and the ``user`` is represented in it, then
-        this method will return ``True`` only if the "current" app user is
-        "root", otherwise will return ``False``.
-        """
-        if not hasattr(self, 'protected_usernames'):
-            self.protected_usernames = protected_usernames(self.rattail_config)
-        if self.protected_usernames and user.username in self.protected_usernames:
-            return True
-        return False
-
    def unique_username(self, node, value):
        query = self.Session.query(model.User)\
                            .filter(model.User.username == value)