Expose, honor the prevent_password_change flag for Users

This commit is contained in:
Lance Edgar 2023-05-02 19:13:28 -05:00
parent 2863ff7a5c
commit f913ed8332
5 changed files with 24 additions and 11 deletions

View file

@ -2,7 +2,7 @@
################################################################################ ################################################################################
# #
# Rattail -- Retail Software Framework # Rattail -- Retail Software Framework
# Copyright © 2010-2022 Lance Edgar # Copyright © 2010-2023 Lance Edgar
# #
# This file is part of Rattail. # This file is part of Rattail.
# #
@ -24,8 +24,6 @@
Tailbone Web API - Auth Views Tailbone Web API - Auth Views
""" """
from __future__ import unicode_literals, absolute_import
from rattail.db.auth import set_user_password from rattail.db.auth import set_user_password
from cornice import Service from cornice import Service
@ -168,6 +166,9 @@ class AuthenticationView(APIView):
if not self.request.user: if not self.request.user:
raise self.forbidden() raise self.forbidden()
if self.request.user.prevent_password_change and not self.request.is_root:
raise self.forbidden()
data = self.request.json_body data = self.request.json_body
# first make sure "current" password is accurate # first make sure "current" password is accurate

View file

@ -2,7 +2,7 @@
################################################################################ ################################################################################
# #
# Rattail -- Retail Software Framework # Rattail -- Retail Software Framework
# Copyright © 2010-2022 Lance Edgar # Copyright © 2010-2023 Lance Edgar
# #
# This file is part of Rattail. # This file is part of Rattail.
# #
@ -24,8 +24,6 @@
Tailbone Web API - User Views Tailbone Web API - User Views
""" """
from __future__ import unicode_literals, absolute_import
from rattail.db import model from rattail.db import model
from tailbone.api import APIMasterView from tailbone.api import APIMasterView
@ -57,6 +55,10 @@ class UserView(APIMasterView):
query = query.outerjoin(model.Person) query = query.outerjoin(model.Person)
return query return query
def update_object(self, user, data):
# TODO: should ensure prevent_password_change is respected
return super(UserView, self).update_object(user, data)
def defaults(config, **kwargs): def defaults(config, **kwargs):
base = globals() base = globals()

View file

@ -607,7 +607,9 @@
% if messaging_enabled: % if messaging_enabled:
${h.link_to("Messages{}".format(" ({})".format(inbox_count) if inbox_count else ''), url('messages.inbox'), class_='navbar-item')} ${h.link_to("Messages{}".format(" ({})".format(inbox_count) if inbox_count else ''), url('messages.inbox'), class_='navbar-item')}
% endif % endif
% if request.is_root or not request.user.prevent_password_change:
${h.link_to("Change Password", url('change_password'), class_='navbar-item')} ${h.link_to("Change Password", url('change_password'), class_='navbar-item')}
% endif
${h.link_to("Edit Preferences", url('my.preferences'), class_='navbar-item')} ${h.link_to("Edit Preferences", url('my.preferences'), class_='navbar-item')}
${h.link_to("Logout", url('logout'), class_='navbar-item')} ${h.link_to("Logout", url('logout'), class_='navbar-item')}
</div> </div>

View file

@ -175,8 +175,12 @@ class AuthenticationView(View):
if not self.request.user: if not self.request.user:
return self.redirect(self.request.route_url('home')) return self.redirect(self.request.route_url('home'))
if self.user_is_protected(self.request.user) and not self.request.is_root: if ((self.request.user.prevent_password_change
self.request.session.flash("Cannot change password for user: {}".format(self.request.user)) or self.user_is_protected(self.request.user))
and not self.request.is_root):
self.request.session.flash("Cannot change password for user: {}".format(
self.request.user))
return self.redirect(self.request.get_referrer()) return self.redirect(self.request.get_referrer())
schema = ChangePassword().bind(user=self.request.user, request=self.request) schema = ChangePassword().bind(user=self.request.user, request=self.request)

View file

@ -67,6 +67,7 @@ class UserView(PrincipalMasterView):
'active', 'active',
'active_sticky', 'active_sticky',
'set_password', 'set_password',
'prevent_password_change',
'roles', 'roles',
'permissions', 'permissions',
] ]
@ -210,6 +211,9 @@ class UserView(PrincipalMasterView):
f.set_renderer('display_name_', self.render_person_name) f.set_renderer('display_name_', self.render_person_name)
# set_password # set_password
if self.editing and user.prevent_password_change and not self.request.is_root:
f.remove('set_password')
else:
f.set_widget('set_password', dfwidget.CheckedPasswordWidget()) f.set_widget('set_password', dfwidget.CheckedPasswordWidget())
# if self.creating: # if self.creating:
# f.set_required('password') # f.set_required('password')
@ -316,7 +320,7 @@ class UserView(PrincipalMasterView):
user.person.local_only = True user.person.local_only = True
# maybe set user password # maybe set user password
if data['set_password']: if 'set_password' in form and data['set_password']:
set_user_password(user, data['set_password']) set_user_password(user, data['set_password'])
# update roles for user # update roles for user