def change_password(request):
try:
doc = request.json_body
except:
raise APIError(400, "invalid_json", "no valid json body")
email = doc.get("email")
old_password = doc.get("old_password")
new_password = doc.get("new_password")
if not email or not old_password or not new_password:
raise APIError(
400,
"change_password.email_and_old_password_and_new_password_required",
"You need to send your email, the old password and a new password."
)
user = DBSession.query(AuthUser).filter_by(email=email).first()
if not user or not user.verify_password(old_password):
raise APIError(
401, "change_password.email_or_old_password_invalid",
"Either the email address or the old password is wrong.")
if not user.active:
raise APIError(400, "user_is_not_activated",
"Your user is not activated.")
if new_password == old_password:
raise APIError(400, "change_password.may_not_be_the_same",
"The new password may not be the same as the old one.")
if not AuthUser.check_password_strength(new_password):
raise APIError(
400, "change_password.invalid_new_password",
"The new password is too weak. Minimum length is 8 characters.")
user.password = new_password
user.force_password_change = False
DBSession.add(user)
token = AuthToken.generate_token()
tokenObj = AuthToken(auth_user_id=user.id, token=token)
DBSession.add(tokenObj)
DBSession.flush()
return {
"token": token,
"subject": Subject.full_output(user.subject_id),
}
def auth_login(request):
try:
doc = request.json_body
except:
raise APIError(400, "invalid_json", "no valid json body")
user = request.user
email = doc.get("email")
password = doc.get("password")
if user:
#already logged in
token = user.get_or_create_token().token
else:
if not email or not password:
raise APIError(400, "login.email_and_password_required",
"You need to send your email and password.")
user = DBSession.query(AuthUser).filter_by(email=email).first()
if not user or not user.verify_password(password):
raise APIError(
401, "login.email_or_password_invalid",
"Either the email address or the password is wrong.")
if not user.active:
raise APIError(400, "user_is_not_activated",
"Your user is not activated.")
if user.force_password_change:
raise APIError(400, "user_has_to_change_password",
"You have to change your password.")
token = AuthToken.generate_token()
tokenObj = AuthToken(auth_user_id=user.id, token=token)
DBSession.add(tokenObj)
return {
"token": token,
"subject": Subject.full_output(user.subject_id),
}
def add_or_update_subject(request):
"""add a subject and set its metadata"""
subject_id = int(request.matchdict["subject_id"])
if asbool(get_settings().get("enable_user_authentication", False)):
#ensure that the subject exists and we have the permission to update it
may_update = request.has_perm(
perm_global_manage_subjects
) or request.has_perm(
perm_own_update_subject_infos) and request.subject.id == subject_id
if not may_update:
raise APIError(403, "forbidden", "You may not edit this subject.")
#if not exists_by_expr(t_subjects,t_subjects.c.id==subject_id):
# raise APIError(403, "forbidden", "The subject does not exist. As the user authentication is enabled, you need to create the AuthUser first.")
lat = None
if len(request.POST.get("lat", "")) > 0:
lat = float(request.POST["lat"])
lon = None
if len(request.POST.get("lon", "")) > 0:
lon = float(request.POST["lon"])
friends = []
if len(request.POST.get("friends", "")) > 0:
friends = [int(x) for x in request.POST["friends"].split(",")]
groups = []
if len(request.POST.get("groups", "")) > 0:
groups = [int(x) for x in request.POST["groups"].split(",")]
timezone = "UTC"
if len(request.POST.get("timezone", "")) > 0:
timezone = request.POST["timezone"]
if not valid_timezone(timezone):
timezone = 'UTC'
language = None
if len(request.POST.get("language", "")) > 0:
language = request.POST["language"]
additional_public_data = {}
if len(request.POST.get("additional_public_data", "")) > 0:
try:
additional_public_data = json.loads(
request.POST["additional_public_data"])
except:
additional_public_data = {}
Subject.set_infos(subject_id=subject_id,
lat=lat,
lng=lon,
timezone=timezone,
language_id=language,
additional_public_data=additional_public_data)
Subject.set_relations(subject_id=subject_id, relation_ids=friends)
Subject.set_parent_subjects(subject_id=subject_id,
parent_subject_ids=groups)
return {"status": "OK", "subject": Subject.full_output(subject_id)}
