Expose, honor the prevent_password_change flag for Users

2023-05-02 19:13:28 -05:00 · 2023-05-02 19:13:28 -05:00 · f913ed8332
commit f913ed8332
parent 2863ff7a5c
5 changed files with 24 additions and 11 deletions
--- a/tailbone/api/auth.py
+++ b/tailbone/api/auth.py
@ -2,7 +2,7 @@
 ################################################################################
 #
 #  Rattail -- Retail Software Framework
-#  Copyright © 2010-2022 Lance Edgar
+#  Copyright © 2010-2023 Lance Edgar
 #
 #  This file is part of Rattail.
 #
@ -24,8 +24,6 @@
 Tailbone Web API - Auth Views
 """

-from __future__ import unicode_literals, absolute_import
-
 from rattail.db.auth import set_user_password

 from cornice import Service
@ -168,6 +166,9 @@ class AuthenticationView(APIView):
        if not self.request.user:
            raise self.forbidden()

+        if self.request.user.prevent_password_change and not self.request.is_root:
+            raise self.forbidden()
+
        data = self.request.json_body

        # first make sure "current" password is accurate
--- a/tailbone/api/users.py
+++ b/tailbone/api/users.py
@ -2,7 +2,7 @@
 ################################################################################
 #
 #  Rattail -- Retail Software Framework
-#  Copyright © 2010-2022 Lance Edgar
+#  Copyright © 2010-2023 Lance Edgar
 #
 #  This file is part of Rattail.
 #
@ -24,8 +24,6 @@
 Tailbone Web API - User Views
 """

-from __future__ import unicode_literals, absolute_import
-
 from rattail.db import model

 from tailbone.api import APIMasterView
@ -57,6 +55,10 @@ class UserView(APIMasterView):
            query = query.outerjoin(model.Person)
        return query

+    def update_object(self, user, data):
+        # TODO: should ensure prevent_password_change is respected
+        return super(UserView, self).update_object(user, data)
+

 def defaults(config, **kwargs):
    base = globals()