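 def obj_create(self, bundle, request=None, **kwargs):
     """Create a CommCareUser from an API bundle, rolling back on failure.

     ``bundle.data`` must carry ``username`` and ``password``; ``email`` is
     optional.  The user is created, the plaintext password is removed from
     ``bundle.data`` before ``self._update`` applies the remaining fields, and
     the object is saved.  If any step raises, the partially created user is
     retired and its Django user deleted, and the exception is re-raised so
     the API reports the failure instead of answering with a retired object.

     :param bundle: tastypie bundle; ``bundle.request.user`` is the creator
     :param request: optional request used for the audit actor on rollback;
         falls back to ``bundle.request`` when not given
     :param kwargs: must contain ``domain``
     :returns: the bundle with ``bundle.obj`` set to the new user
     :raises Exception: whatever creation or update raised, after cleanup
     """
     # The original used bundle.request on create but the optional `request`
     # argument on rollback; unify so rollback cannot fail on request=None.
     actor = (request if request is not None else bundle.request).user
     created = None
     try:
         created = CommCareUser.create(
             domain=kwargs['domain'],
             username=bundle.data['username'].lower(),
             password=bundle.data['password'],
             created_by=bundle.request.user,
             created_via=USER_CHANGE_VIA_API,
             email=bundle.data.get('email', '').lower(),
         )
         bundle.obj = created
         # Strip the password before _update sees the remaining fields.
         bundle.data.pop('password', None)
         self._update(bundle)
         bundle.obj.save()
     except Exception:
         # Only roll back what this call actually created; a stale
         # bundle.obj from the caller must not be retired or deleted.
         if created is not None:
             if created._id:
                 created.retire(deleted_by=actor,
                                deleted_via=USER_CHANGE_VIA_API)
             try:
                 django_user = created.get_django_user()
             except User.DoesNotExist:
                 pass
             else:
                 django_user.delete()
                 log_model_change(actor,
                                  django_user,
                                  message=f"deleted_via: {USER_CHANGE_VIA_API}",
                                  action=ModelAction.DELETE)
         # Swallowing here returned a "successful" bundle holding a retired
         # user; surface the error to the API layer instead.
         raise
     finally:
         # Never echo the plaintext password back to the caller, even when
         # creation failed before the normal removal above ran.
         bundle.data.pop('password', None)
     return bundle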
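    def form_valid(self, form):
        """Reset a user's two-factor devices and notify everyone involved.

        Deletes every OTP device registered for the user named in the form,
        optionally records a "two-factor disabled until" timestamp on the
        couch user, writes an audit-log entry, e-mails the admins with the
        reset details, and e-mails the account holder so an unrequested reset
        can be reported.  Finally redirects to the web-user lookup page.

        :param form: validated form exposing ``username``,
            ``disable_for_days``, ``verification_mode`` and ``via_who``
        :returns: redirect response to the web user lookup for ``username``
        :raises User.DoesNotExist: if no Django user matches ``username``
        """
        from django_otp import devices_for_user

        username = form.cleaned_data['username']
        # Case-insensitive lookup; the form is not assumed to normalise case.
        user = User.objects.get(username__iexact=username)
        for device in devices_for_user(user):
            device.delete()

        disable_for_days = form.cleaned_data['disable_for_days']
        # Always bound so the e-mail context below never depends on a
        # conditionally assigned name.
        disable_until = None
        if disable_for_days:
            couch_user = CouchUser.from_django_user(user)
            disable_until = datetime.utcnow() + timedelta(
                days=disable_for_days)
            couch_user.two_factor_auth_disabled_until = disable_until
            couch_user.save()

        verification = form.cleaned_data['verification_mode']
        # Fall back to the acting admin when no verifier was named.
        verified_by = form.cleaned_data['via_who'] or self.request.user.username
        log_model_change(
            self.request.user, user,
            f'Two factor disabled. Verified by: {verified_by}, verification mode: "{verification}"'
        )
        mail_admins(
            "Two-Factor account reset",
            "Two-Factor auth was reset. Details: \n"
            "    Account reset: {username}\n"
            "    Reset by: {reset_by}\n"
            "    Request Verification Mode: {verification}\n"
            "    Verified by: {verified_by}\n"
            "    Two-Factor disabled for {days} days.".format(
                username=username,
                reset_by=self.request.user.username,
                verification=verification,
                verified_by=verified_by,
                days=disable_for_days),
        )
        # Tell the account holder, with a ready-made report in case the reset
        # was not theirs.
        send_HTML_email(
            "%sTwo-Factor authentication reset" %
            settings.EMAIL_SUBJECT_PREFIX,
            username,
            render_to_string(
                'hqadmin/email/two_factor_reset_email.html',
                context={
                    'until':
                    disable_until.strftime('%Y-%m-%d %H:%M:%S UTC')
                    if disable_until is not None else None,
                    'support_email':
                    settings.SUPPORT_EMAIL,
                    'email_subject':
                    "[URGENT] Possible Account Breach",
                    'email_body':
                    "Two Factor Auth on my CommCare account "
                    "was disabled without my request. My username is: %s" %
                    username,
                }),
        )

        messages.success(self.request,
                         _('Two-Factor Auth successfully disabled.'))
        return redirect('{}?q={}'.format(reverse('web_user_lookup'), username))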
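    def post(self, request, *args, **kwargs):
        """Apply the superuser / staff flags chosen in the form to each user.

        Only a staff requester may toggle ``is_staff``; the form is told this
        so it can hide the option, and the flag is re-checked here before it
        is written.  Each user is saved at most once, and only when one of the
        flags actually changed, with an audit entry listing the changed fields.

        :param request: the POST request carrying a ``SuperuserManagementForm``
        :returns: the rendered GET view (with a success message on a valid form)
        """
        can_toggle_is_staff = request.user.is_staff
        form = SuperuserManagementForm(can_toggle_is_staff, self.request.POST)
        if form.is_valid():
            users = form.cleaned_data['users']
            privileges = form.cleaned_data['privileges']
            # NOTE(review): the literal below appears redacted in this listing;
            # by symmetry with 'is_staff' it is presumably the superuser
            # privilege key — confirm against the form definition.
            is_superuser = '******' in privileges
            is_staff = 'is_staff' in privileges

            for user in users:
                # Reset per user: a list shared across the loop would make
                # every user after the first changed one get saved and logged
                # with a stale field list.
                changed_fields = []

                # Compare by value; `is not` only worked because both sides
                # happened to be bool singletons.
                if user.is_superuser != is_superuser:
                    user.is_superuser = is_superuser
                    changed_fields.append('is_superuser')

                if can_toggle_is_staff and user.is_staff != is_staff:
                    user.is_staff = is_staff
                    changed_fields.append('is_staff')

                # Save and audit only when something actually changed.
                if changed_fields:
                    user.save()
                    log_model_change(self.request.user,
                                     user,
                                     fields_changed=changed_fields)
            messages.success(request,
                             _("Successfully updated superuser permissions"))

        return self.get(request, *args, **kwargs)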
def log_user_role_update(domain, user, by_user, updated_via):
    """Write an audit entry describing ``user``'s current role in ``domain``.

    The message reads ``role: None`` when the user has no role,
    ``role: <name>`` for the admin role (qualified id ``'admin'``) and
    ``role: <name>[<id>]`` for any other role, followed by
    ``, updated_via: <updated_via>``.

    :param domain: domain name
    :param user: couch user that got updated
    :param by_user: django/couch user that made the update
    :param updated_via: web/bulk_importer
    """
    role = user.get_role(domain)
    if not role:
        role_text = "None"
    elif role.get_qualified_id() == 'admin':
        # The admin role is a well-known singleton, so its id adds nothing.
        role_text = role.name
    else:
        role_text = f"{role.name}[{role.get_id}]"
    log_model_change(
        by_user,
        user.get_django_user(),
        message=f"role: {role_text}, updated_via: {updated_via}",
    )
    def form_valid(self, form):
        """Toggle the target account's active flag, optionally rotate its
        password, then audit and notify.

        When ``self.user`` is unset the request is simply redirected.  Otherwise
        the account is flipped between enabled and disabled (and, if the form
        asks, its password replaced with a random value the holder does not
        know), an audit entry with the given reason is written, the admins are
        e-mailed a summary, and the account holder is e-mailed a notice.

        :param form: validated form exposing ``reset_password`` and ``reason``
        :returns: redirect to the web user lookup page for ``self.username``
        """
        target = self.user
        if not target:
            return self.redirect_response(self.request)

        reason = form.cleaned_data['reason']
        reset_password = form.cleaned_data['reset_password']
        if reset_password:
            # A random hex password the holder never learns; they must go
            # through a reset flow to log in again.
            target.set_password(uuid.uuid4().hex)

        target.is_active = not target.is_active
        target.save()

        verb = 'disabled'
        if target.is_active:
            verb = 're-enabled'

        log_model_change(self.request.user, target,
                         f'User {verb}. Reason: "{reason}"')

        admin_body = (
            "The following user account has been {verb}: \n"
            "    Account: {username}\n"
            "    Reset by: {reset_by}\n"
            "    Password reset: {password_reset}\n"
            "    Reason: {reason}"
        ).format(
            verb=verb,
            username=self.username,
            reset_by=self.request.user.username,
            password_reset=str(reset_password),
            reason=reason,
        )
        mail_admins("User account {}".format(verb), admin_body)

        holder_subject = "%sYour account has been %s" % (
            settings.EMAIL_SUBJECT_PREFIX, verb)
        holder_body = render_to_string(
            'hqadmin/email/account_disabled_email.html',
            context={
                'support_email': settings.SUPPORT_EMAIL,
                'password_reset': reset_password,
                'user': target,
                'verb': verb,
                'reason': reason,
            },
        )
        send_HTML_email(holder_subject, self.username, holder_body)

        messages.success(self.request,
                         _('Account successfully %(verb)s.' % {'verb': verb}))
        lookup_url = reverse('web_user_lookup')
        return redirect('{}?q={}'.format(lookup_url, self.username))