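def put(self, current_user):
    """Change the password of the already-authenticated *current_user*.

    Expects a JSON body carrying ``oldPassword`` and ``newPassword``.  The old
    password is hashed with ``hash_password`` and compared with the stored
    ``hashed_password``; on a match the hash of the new password is stored and
    the entity is persisted with ``current_user.put()``.

    Returns:
        ``ok_msg`` on success; ``bad_request`` when a field is missing, the new
        password is empty, or the old password does not match.
    """
    json_request = request.json or {}
    new_password = json_request.get('newPassword')
    old_password = json_request.get('oldPassword')
    # A missing field used to surface as a KeyError (an unhandled 500);
    # report it to the client instead.
    if new_password is None or old_password is None:
        return bad_request('Both oldPassword and newPassword are required.')
    if not new_password:
        return bad_request('New password must not be empty.')
    # NOTE(review): hash_password() is called with the password alone, so no
    # per-user salt is visible at this call site — confirm the helper salts
    # internally before relying on this comparison.
    if current_user.hashed_password != hash_password(old_password):
        return bad_request('Incorrect old password.')
    current_user.hashed_password = hash_password(new_password)
    current_user.put()
    return ok_msg('Password updated.')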
def authenticate_user_login(nick, password):
    """Authenticate *nick* with *password*; return the actor or None.

    The actor is looked up as api.ROOT and, when authenticated, is granted
    api.DELETE_ACCESS (login-authenticated users get full access).  Three
    credential forms are accepted, in this order:

    1. settings.DEBUG is set and the password is the literal "password" —
       a development-only bypass that must not be enabled in production.
    2. The stored value equals util.hash_password(nick, password).
    3. The stored value equals the intermediate hash format, or — only under
       settings.MANAGE_PY, for clear-text test fixtures — the password
       itself.  The stored password is then migrated to the current format
       via api.actor_update_intermediate_password and the fresh actor
       instance is returned.

    NOTE(review): the hash comparisons use plain ``==``; a constant-time
    comparison would be preferable for stored credentials.
    """
    actor = api.actor_lookup_nick(api.ROOT, nick)
    if not actor:
        return None
    # Login-authenticated users have full access.
    actor.access_level = api.DELETE_ACCESS

    if settings.DEBUG and password == "password":
        return actor
    if actor.password == util.hash_password(actor.nick, password):
        return actor

    # Password hashing is being migrated; a match against the old format
    # rewrites the stored password in the new format.
    # TODO(termie): The settings.MANAGE_PY stuff below is so that the tests
    # will continue to work with fixtures that have the passwords in clear
    # text. We should probably remove this and change the passwords in the
    # fixtures to be the legacy-style passwords.
    legacy_match = actor.password == util.hash_password_intermediate(actor.nick, password)
    if legacy_match or (settings.MANAGE_PY and actor.password == password):
        logging.debug("updating password for intermediate user: %s", actor.nick)
        actor = api.actor_update_intermediate_password(api.ROOT, actor.nick, password)
        # Fresh instance from the update call, so grant access again.
        actor.access_level = api.DELETE_ACCESS
        return actor

    return None
def authenticate_user_login(nick, password):
    """Return the actor named *nick* if *password* authenticates it, else None.

    Lookup runs as api.ROOT.  Any actor returned carries api.DELETE_ACCESS.
    Accepted credentials, checked in order: the "password" literal while
    settings.DEBUG is on (development bypass only — never in production);
    the current util.hash_password format; and the intermediate format, or
    the clear-text password when settings.MANAGE_PY is set (test fixtures).
    The last case migrates the stored password through
    api.actor_update_intermediate_password and returns the new instance.

    NOTE(review): stored hashes are compared with ``==`` rather than a
    constant-time comparison.
    """
    found = api.actor_lookup_nick(api.ROOT, nick)
    if not found:
        return None
    # Users authenticated via login have full access.
    found.access_level = api.DELETE_ACCESS

    if settings.DEBUG and password == "password":
        return found
    if found.password == util.hash_password(found.nick, password):
        return found

    # Hashing scheme migration: an intermediate-format (or, under MANAGE_PY,
    # clear-text fixture) match triggers a rewrite to the new format.
    # TODO(termie): The settings.MANAGE_PY stuff below is so that the tests
    # will continue to work with fixtures that have the passwords in clear
    # text. We should probably remove this and change the passwords in the
    # fixtures to be the legacy-style passwords.
    needs_migration = (
        found.password == util.hash_password_intermediate(found.nick, password)
        or (settings.MANAGE_PY and found.password == password)
    )
    if not needs_migration:
        return None

    logging.debug("updating password for intermediate user: %s", found.nick)
    migrated = api.actor_update_intermediate_password(api.ROOT, found.nick, password)
    # A new actor instance came back, so the access level is set again.
    migrated.access_level = api.DELETE_ACCESS
    return migrated
def post(self):
    """Log a user in from a JSON body with ``email`` and ``password``.

    The password is hashed with ``hash_password`` and the user is looked up
    by (email, hash) via ``User.by_email_and_password``.  On a match an
    ``ok`` response with a ``Token`` for the user's key id is returned;
    otherwise ``unauthorized('User not found.')``.

    NOTE(review): a missing ``email``/``password`` key raises KeyError here
    (an unhandled error rather than a 4xx); and hash_password() receives
    only the password, so any salting must happen inside the helper.
    """
    body = request.json
    email = body['email']
    digest = hash_password(body['password'])
    matched = User.by_email_and_password(email, digest)
    if matched:
        return ok(Token(matched.key.id()).json())
    return unauthorized('User not found.')
def post(self):
    """Complete a password reset from a JSON body with ``token`` and ``newPassword``.

    The token is resolved with ``ChangePasswordRequest.by_token``; when found,
    the linked user's ``hashed_password`` is replaced with the hash of the new
    password, the user is saved, and the reset request entity is deleted so
    the same token cannot be used again.  Returns ``ok_msg`` on success and
    ``not_found`` when no reset request matches the token.

    NOTE(review): no expiry check on the reset request is visible here —
    confirm ``by_token`` (or the entity) enforces one.  A missing key in the
    body raises KeyError.
    """
    payload = request.json
    token = payload['token']
    new_password = payload['newPassword']

    reset = ChangePasswordRequest.by_token(token)
    if not reset:
        return not_found('User didn\'t requested password reset.')

    new_hash = hash_password(new_password)
    account = reset.user_key.get()
    account.hashed_password = new_hash
    account.put()
    # Single use: drop the request so the token cannot be replayed.
    reset.key.delete()
    return ok_msg('Password is reset.')
def post(self):
    """Register a new user from a JSON body (``email``, ``name``, ``password``, optional ``cv``).

    Rejects the request with ``bad_request`` when ``User.by_email`` already
    knows the address.  Otherwise a ``User`` is created with ``is_admin``
    fixed to False and ``status`` StatusType.ACTIVE (neither is taken from
    the client), the password stored as ``hash_password(password)``, and a
    ``created`` response carrying a ``Token`` for the new key id is returned.
    Missing required keys raise KeyError.
    """
    payload = request.json
    email = payload['email']
    name = payload['name']
    password = payload['password']
    cv = payload.get('cv', '')

    if User.by_email(email):
        return bad_request('User with email {0} already exists'.format(email))

    # Privilege fields are server-controlled: never admin, always active.
    new_user = User(
        name=name,
        email=email,
        cv=cv,
        is_admin=False,
        status=StatusType.ACTIVE,
        hashed_password=hash_password(password),
    )
    new_key = new_user.put()
    return created(Token(new_key.id()).json())
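def put(self):
    """Update the details of the user identified by the ``email`` argument.

    Arguments are parsed with reqparse: ``email`` (required) selects the user;
    ``name``, ``user_level``, ``phone_number``, ``has_telegram`` and
    ``password`` are optional and only the ones supplied are written, so a
    partial update no longer nulls out the other fields.  The password is
    stored as ``hash_password(password)``.

    Returns:
        ``(body, status)``: 200 after a successful update, 404 when no user
        has that e-mail, 400 when an unexpected error occurred.

    NOTE(review): no caller identity is checked in this method; unless an
    authentication/authorization decorator is applied to the resource
    elsewhere, anyone who knows an e-mail address can change that user's
    password and ``user_level``.  Confirm against the resource registration.
    """
    parser = reqparse.RequestParser()
    parser.add_argument('name')
    parser.add_argument('password')
    # Required: the lookup below is meaningless without it (reqparse answers 400).
    parser.add_argument('email', required=True)
    parser.add_argument('user_level')
    parser.add_argument('phone_number')
    parser.add_argument('has_telegram')
    args = parser.parse_args()
    try:
        # Check if the user whom request for update is already exist in the database.
        existing_user = User_Model.find_by_email(args['email'])
        if existing_user is None:
            return {'message': 'This user does not exist in database.'}, 404

        # Update only the supplied fields.  (The previous version assigned
        # phone_number and has_telegram to user_level by a copy-paste slip.)
        if args['name'] is not None:
            existing_user.name = args['name']
        if args['user_level'] is not None:
            existing_user.user_level = args['user_level']
        if args['phone_number'] is not None:
            existing_user.phone_number = args['phone_number']
        if args['has_telegram'] is not None:
            # reqparse hands back a string; bool("false") would be True, so
            # map the usual truthy spellings explicitly (constructed list).
            existing_user.has_telegram = (
                str(args['has_telegram']).strip().lower() in ('1', 'true', 't', 'yes', 'y')
            )
        if args['password']:
            existing_user.password_hash = hash_password(args['password'])

        # !! Need to commit the changes after update
        User_Model.update()
        return {
            'message': 'User with email {}\'s details have been updated.'.format(
                existing_user.email_address)
        }, 200
    except Exception:
        # Narrowed from a bare except so interpreter exits are not swallowed;
        # the traceback still goes to the console as before.
        print(traceback.format_exc())
        return {
            'message': 'An error occurred. Check console for error message.'
        }, 400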
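def post(self):
    """Register a new user from the request arguments.

    ``email``, ``phone_number`` and ``password`` are required (reqparse
    answers 400 when one is missing); ``name``, ``user_level`` and
    ``has_telegram`` are optional.  A user whose e-mail is already known to
    ``User_Model.find_by_email`` is rejected with 400.  The password is
    stored as ``hash_password(password)``.

    Returns:
        ``("A new user is registered.", 201)`` on success, or a
        ``({'message': ...}, 400)`` pair on a duplicate or an unexpected error.

    NOTE(review): ``user_level`` is taken straight from the client, so a
    self-registering user chooses their own level; unless the model or a
    wrapper constrains it, that is a privilege-escalation path worth closing.
    """
    parser = reqparse.RequestParser()
    parser.add_argument('name')
    # Required: hash_password(None) would otherwise be attempted below.
    parser.add_argument('password', required=True)
    parser.add_argument('email', required=True)
    parser.add_argument('user_level')
    parser.add_argument('phone_number', required=True)
    parser.add_argument('has_telegram')
    args = parser.parse_args()
    try:
        # Check whether user already register.
        existing_user = User_Model.find_by_email(args['email'])
        if existing_user:
            return {
                'message': 'User with the email address: {} has registered before.'.
                format(existing_user.email_address)
            }, 400

        # reqparse yields a string here, and bool("false") is True; accept
        # the common truthy spellings explicitly (constructed list).
        has_telegram = (
            args['has_telegram'] is not None
            and str(args['has_telegram']).strip().lower() in ('1', 'true', 't', 'yes', 'y')
        )
        new_user = User_Model(
            name=args['name'],
            email_address=args['email'],
            user_level=args['user_level'],
            password_hash=hash_password(args['password']),
            phone_number=args['phone_number'],
            has_telegram=has_telegram,
        )
        new_user.save()
        return "A new user is registered.", 201
    except Exception:
        # Narrowed from a bare except; the traceback is still printed as before.
        print(traceback.format_exc())
        return {
            'message': 'An error occurred. Check console for error message.'
        }, 400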
def actor_settings(request, nick, page='index'):
    """Render the settings sub-page *page* for actor *nick* and handle its posts.

    Only the actor's owner may use this view (api.actor_owns_actor); anyone
    else gets exception.ApiOwnerRequired.  Generic form actions are delegated
    to common_views.handle_view_action; a password change and the photo and
    design uploads are handled inline.  Rendering passes locals() as the
    template context, so every variable assigned in the per-page branches
    below — and anything else bound in this function — is visible to the
    template.

    Args:
      request: Django request; request.user, request.POST and request.path
        are read.
      nick: actor nick, normalised with clean.nick before lookup.
      page: settings sub-page name; unknown names yield common_views.common_404.

    Returns:
      An HttpResponse: a redirect from an action handler, or the rendered
      settings_<page>.html template.

    Raises:
      exception.ApiOwnerRequired: when request.user does not own the actor.
    """
    nick = clean.nick(nick)
    view = api.actor_lookup_nick(api.ROOT, nick)
    # Ownership check before any state is read or changed.
    if not api.actor_owns_actor(request.user, view):
        raise exception.ApiOwnerRequired(
            'Operation not allowed: %s does not own %s' %
            (request.user and request.user.nick or '(nobody)', view.nick))
    # Generic actions: maps action name -> redirect target after success.
    handled = common_views.handle_view_action(
        request,
        {
            'activation_activate_mobile': view.url('/settings/mobile'),
            'activation_request_email': view.url('/settings/email'),
            'activation_request_mobile': view.url('/settings/mobile'),
            'settings_change_notify': view.url('/settings/notifications'),
            'settings_change_privacy': request.path,
            'settings_update_account': view.url('/settings/profile'),
            'actor_remove': '/logout',
            #'oauth_remove_consumer': request.path,
            #'oauth_remove_access_token': request.path
        }
    )
    if handled:
        return handled
    # TODO(tyler/termie): This conflicts with the global settings import.
    # Also, this seems fishy. Do none of the settings.* items work in templates?
    import settings
    # TODO(tyler): Merge this into handle_view_action, if possible
    if 'password' in request.POST:
        try:
            # The nonce is checked before the password fields are read
            # (presumably a per-form CSRF token — confirm in validate.nonce).
            validate.nonce(request, 'change_password')
            password = request.POST.get('password', '')
            confirm = request.POST.get('confirm', '')
            validate.password_and_confirm(password, confirm, field = 'password')
            api.settings_change_password(request.user, view.nick, password)
            response = util.RedirectFlash(view.url() + '/settings/password', 'Password updated')
            # Refresh the in-memory hash and re-issue the auth cookie; `user`
            # here is the imported module, since no local of that name is
            # bound in this function.
            request.user.password = util.hash_password(request.user.nick, password)
            # TODO(mikie): change when cookie-auth is changed
            user.set_user_cookie(response, request.user)
            return response
        except:
            # Bare except: every failure (bad nonce, mismatch, API error) goes
            # to handle_exception and the page is rendered below.
            # NOTE(review): on that path `password` and `confirm` may still be
            # bound (depending on where it failed) and then reach the template
            # through the locals() call at the end.
            exception.handle_exception(request)
    if page == 'feeds':
        try:
            if not settings.FEEDS_ENABLED:
                raise exception.DisabledFeatureError('Feeds are currently disabled')
        except:
            exception.handle_exception(request)
    if page == 'photo':
        redirect_to = view.url() + '/settings/photo'
        handled = common_views.common_photo_upload(request, redirect_to)
        if handled:
            return handled
    area = 'settings'
    full_page = page.capitalize()
    # Per-page context: each branch binds the variables its template expects.
    if page == 'mobile':
        full_page = 'Mobile Number'
        mobile = api.mobile_get_actor(request.user, view.nick)
        sms_notify = view.extra.get('sms_notify', False)
    elif page == 'im':
        full_page = 'IM Address'
        im_address = api.im_get_actor(request.user, view.nick)
        im_notify = view.extra.get('im_notify', False)
    elif page == 'index':
        email = api.email_get_actor(request.user, view.nick)
        email_notify = view.extra.get('email_notify', False)
        im_address = api.im_get_actor(request.user, view.nick)
        im_notify = view.extra.get('im_notify', False)
    elif page == 'feeds':
        full_page = 'Web Feeds'
    elif page == 'email':
        full_page = 'Email Address'
        email_notify = view.extra.get('email_notify', False)
        # check if we already have an email
        email = api.email_get_actor(request.user, view.nick)
        # otherwise look for an unconfirmed one
        if not email:
            unconfirmeds = api.activation_get_actor_email(api.ROOT, view.nick)
            if unconfirmeds:
                unconfirmed_email = unconfirmeds[0].content
    elif page == 'design':
        handled = common_views.common_design_update(request, view.nick)
        if handled:
            return handled
        full_page = 'Look and Feel'
    elif page == 'notifications':
        email = api.email_get_actor(request.user, view.nick)
        email_notify = view.extra.get('email_notify', False)
        im_address = api.im_get_actor(request.user, view.nick)
        im_notify = view.extra.get('im_notify', False)
        # NOTE(review): looks up by request.user.nick, whereas the 'mobile'
        # branch uses view.nick — confirm this is intended when the two differ.
        mobile = api.mobile_get_actor(request.user, request.user.nick)
        sms_notify = view.extra.get('sms_notify', False)
        sms_confirm = sms_notify and not view.extra.get('sms_confirmed', False)
        # TODO(termie): remove this once we can actually receive sms
        sms_confirm = False
    elif page == 'profile':
        # check if we already have an email
        email = api.email_get_actor(request.user, view.nick)
        # otherwise look for an unconfirmed one
        if not email:
            unconfirmeds = api.activation_get_actor_email(api.ROOT, view.nick)
            if unconfirmeds:
                unconfirmed_email = unconfirmeds[0].content
    elif page == 'photo':
        avatars = display.DEFAULT_AVATARS
        small_photos = api.image_get_all_keys(request.user, view.nick, size='f')
        # TODO(tyler): Fix this avatar nonsense!
        # 'name' strips the 'image/' prefix and '_f.jpg' suffix from the key name.
        own_photos = [{
            'path' : small_photo.key().name(),
            'name' : small_photo.key().name()[len('image/'):-len('_f.jpg')],
        } for small_photo in small_photos ]
    elif page == 'privacy':
        PRIVACY_PUBLIC = api.PRIVACY_PUBLIC
        PRIVACY_CONTACTS = api.PRIVACY_CONTACTS
    elif page == 'jsbadge':
        full_page = 'Javascript Badges'
    elif page == 'badge':
        badges = [{'id': 'badge-stream',
                   'width': '200',
                   'height': '300',
                   'src': '/themes/%s/badge.swf' % settings.DEFAULT_THEME,
                   'title': 'Stream',
                   },
                  {'id': 'badge-map',
                   'width': '200',
                   'height': '255',
                   'src': '/themes/%s/badge-map.swf' % settings.DEFAULT_THEME,
                   'title': 'Map',
                   },
                  {'id': 'badge-simple',
                   'width': '200',
                   'height': '200',
                   'src': '/themes/%s/badge-simple.swf' % settings.DEFAULT_THEME,
                   'title': 'Simple',
                   },
                  ]
    elif page in ['password', 'delete']:
        # Catch for remaining pages before we generate a 404.
        pass
    else:
        return common_views.common_404(request)
    # rendering: the whole local namespace becomes the template context.
    c = template.RequestContext(request, locals())
    t = loader.get_template('actor/templates/settings_%s.html' % page)
    return http.HttpResponse(t.render(c))
def actor_settings(request, nick, page='index'):
    """Render the settings sub-page *page* for actor *nick* and handle its posts.

    The viewer must own the actor (api.actor_owns_actor), otherwise
    exception.ApiOwnerRequired is raised.  Generic form actions go through
    common_views.handle_view_action; the password change, photo upload and
    design update are handled inline.  The template context is locals(), so
    each per-page branch below binds exactly the names its template reads,
    and every other local of this function is exposed as well.

    Args:
      request: Django request; request.user, request.POST and request.path
        are read.
      nick: actor nick, normalised with clean.nick before lookup.
      page: settings sub-page name; unknown names yield common_views.common_404.

    Returns:
      An HttpResponse: a redirect from an action handler, or the rendered
      settings_<page>.html template.

    Raises:
      exception.ApiOwnerRequired: when request.user does not own the actor.
    """
    nick = clean.nick(nick)
    view = api.actor_lookup_nick(api.ROOT, nick)
    # Ownership check before anything is read or changed.
    if not api.actor_owns_actor(request.user, view):
        raise exception.ApiOwnerRequired(
            'Operation not allowed: %s does not own %s' %
            (request.user and request.user.nick or '(nobody)', view.nick))
    # Generic actions: maps action name -> redirect target after success.
    handled = common_views.handle_view_action(
        request,
        {
            'activation_activate_mobile': view.url('/settings/mobile'),
            'activation_request_email': view.url('/settings/email'),
            'activation_request_mobile': view.url('/settings/mobile'),
            'settings_change_notify': view.url('/settings/notifications'),
            'settings_change_privacy': request.path,
            'settings_update_account': view.url('/settings/profile'),
            'actor_remove': '/logout',
            #'oauth_remove_consumer': request.path,
            #'oauth_remove_access_token': request.path
        })
    if handled:
        return handled
    # TODO(tyler/termie): This conflicts with the global settings import.
    # Also, this seems fishy. Do none of the settings.* items work in templates?
    import settings
    # TODO(tyler): Merge this into handle_view_action, if possible
    if 'password' in request.POST:
        try:
            # Nonce check first, before the password fields are read
            # (presumably a per-form CSRF token — confirm in validate.nonce).
            validate.nonce(request, 'change_password')
            password = request.POST.get('password', '')
            confirm = request.POST.get('confirm', '')
            validate.password_and_confirm(password, confirm, field='password')
            api.settings_change_password(request.user, view.nick, password)
            response = util.RedirectFlash(view.url() + '/settings/password',
                                          'Password updated')
            # Refresh the in-memory hash and re-issue the auth cookie; `user`
            # is the imported module (no local of that name is bound here).
            request.user.password = util.hash_password(request.user.nick, password)
            # TODO(mikie): change when cookie-auth is changed
            user.set_user_cookie(response, request.user)
            return response
        except:
            # Bare except: all failures are routed to handle_exception and the
            # page is still rendered below.
            # NOTE(review): on that path `password` and `confirm` may remain
            # bound (depending on where it failed) and then reach the template
            # via the locals() call at the end.
            exception.handle_exception(request)
    if page == 'feeds':
        try:
            if not settings.FEEDS_ENABLED:
                raise exception.DisabledFeatureError(
                    'Feeds are currently disabled')
        except:
            exception.handle_exception(request)
    if page == 'photo':
        redirect_to = view.url() + '/settings/photo'
        handled = common_views.common_photo_upload(request, redirect_to)
        if handled:
            return handled
    area = 'settings'
    full_page = page.capitalize()
    # Per-page context: each branch binds the variables its template expects.
    if page == 'mobile':
        full_page = 'Mobile Number'
        mobile = api.mobile_get_actor(request.user, view.nick)
        sms_notify = view.extra.get('sms_notify', False)
    elif page == 'im':
        full_page = 'IM Address'
        im_address = api.im_get_actor(request.user, view.nick)
        im_notify = view.extra.get('im_notify', False)
    elif page == 'index':
        email = api.email_get_actor(request.user, view.nick)
        email_notify = view.extra.get('email_notify', False)
        im_address = api.im_get_actor(request.user, view.nick)
        im_notify = view.extra.get('im_notify', False)
    elif page == 'feeds':
        full_page = 'Web Feeds'
    elif page == 'email':
        full_page = 'Email Address'
        email_notify = view.extra.get('email_notify', False)
        # check if we already have an email
        email = api.email_get_actor(request.user, view.nick)
        # otherwise look for an unconfirmed one
        if not email:
            unconfirmeds = api.activation_get_actor_email(api.ROOT, view.nick)
            if unconfirmeds:
                unconfirmed_email = unconfirmeds[0].content
    elif page == 'design':
        handled = common_views.common_design_update(request, view.nick)
        if handled:
            return handled
        full_page = 'Look and Feel'
    elif page == 'notifications':
        email = api.email_get_actor(request.user, view.nick)
        email_notify = view.extra.get('email_notify', False)
        im_address = api.im_get_actor(request.user, view.nick)
        im_notify = view.extra.get('im_notify', False)
        # NOTE(review): looks up by request.user.nick, whereas the 'mobile'
        # branch uses view.nick — confirm this is intended when the two differ.
        mobile = api.mobile_get_actor(request.user, request.user.nick)
        sms_notify = view.extra.get('sms_notify', False)
        sms_confirm = sms_notify and not view.extra.get('sms_confirmed', False)
        # TODO(termie): remove this once we can actually receive sms
        sms_confirm = False
    elif page == 'profile':
        # check if we already have an email
        email = api.email_get_actor(request.user, view.nick)
        # otherwise look for an unconfirmed one
        if not email:
            unconfirmeds = api.activation_get_actor_email(api.ROOT, view.nick)
            if unconfirmeds:
                unconfirmed_email = unconfirmeds[0].content
    elif page == 'photo':
        avatars = display.DEFAULT_AVATARS
        small_photos = api.image_get_all_keys(request.user, view.nick, size='f')
        # TODO(tyler): Fix this avatar nonsense!
        # 'name' strips the 'image/' prefix and '_f.jpg' suffix from the key name.
        own_photos = [{
            'path': small_photo.key().name(),
            'name': small_photo.key().name()[len('image/'):-len('_f.jpg')],
        } for small_photo in small_photos]
    elif page == 'privacy':
        PRIVACY_PUBLIC = api.PRIVACY_PUBLIC
        PRIVACY_CONTACTS = api.PRIVACY_CONTACTS
    elif page in ['password', 'delete']:
        # Catch for remaining pages before we generate a 404.
        pass
    else:
        return common_views.common_404(request)
    # rendering: the whole local namespace becomes the template context.
    c = template.RequestContext(request, locals())
    t = loader.get_template('actor/templates/settings_%s.html' % page)
    return http.HttpResponse(t.render(c))
def actor_settings(request, nick, page="index"):
    """Render the settings sub-page *page* for actor *nick* and handle its posts.

    The viewer must own the actor (api.actor_owns_actor), otherwise
    exception.ApiOwnerRequired is raised.  Generic form actions go through
    common_views.handle_view_action; the password change, photo upload and
    design update are handled inline.  The template context is locals(), so
    each per-page branch below binds the names its template reads, and every
    other local of this function is exposed to the template as well.

    Args:
      request: Django request; request.user, request.POST and request.path
        are read.
      nick: actor nick, normalised with clean.nick before lookup.
      page: settings sub-page name; unknown names yield common_views.common_404.

    Returns:
      An HttpResponse: a redirect from an action handler, or the rendered
      settings_<page>.html template.

    Raises:
      exception.ApiOwnerRequired: when request.user does not own the actor.
    """
    nick = clean.nick(nick)
    view = api.actor_lookup_nick(api.ROOT, nick)
    # Ownership check before anything is read or changed.
    if not api.actor_owns_actor(request.user, view):
        raise exception.ApiOwnerRequired(
            "Operation not allowed: %s does not own %s"
            % (request.user and request.user.nick or "(nobody)", view.nick)
        )
    # Generic actions: maps action name -> redirect target after success.
    handled = common_views.handle_view_action(
        request,
        {
            "activation_activate_mobile": view.url("/settings/mobile"),
            "activation_request_email": view.url("/settings/email"),
            "activation_request_mobile": view.url("/settings/mobile"),
            "settings_change_notify": view.url("/settings/notifications"),
            "settings_change_privacy": request.path,
            "settings_update_account": view.url("/settings/profile"),
            "actor_remove": "/logout",
            #'oauth_remove_consumer': request.path,
            #'oauth_remove_access_token': request.path
        },
    )
    if handled:
        return handled
    # TODO(tyler/termie): This conflicts with the global settings import.
    # Also, this seems fishy. Do none of the settings.* items work in templates?
    import settings
    # TODO(tyler): Merge this into handle_view_action, if possible
    if "password" in request.POST:
        try:
            # Nonce check first, before the password fields are read
            # (presumably a per-form CSRF token — confirm in validate.nonce).
            validate.nonce(request, "change_password")
            password = request.POST.get("password", "")
            confirm = request.POST.get("confirm", "")
            validate.password_and_confirm(password, confirm, field="password")
            api.settings_change_password(request.user, view.nick, password)
            response = util.RedirectFlash(view.url() + "/settings/password", "Password updated")
            # Refresh the in-memory hash and re-issue the auth cookie; `user`
            # is the imported module (no local of that name is bound here).
            request.user.password = util.hash_password(request.user.nick, password)
            # TODO(mikie): change when cookie-auth is changed
            user.set_user_cookie(response, request.user)
            return response
        except:
            # Bare except: all failures are routed to handle_exception and the
            # page is still rendered below.
            # NOTE(review): on that path `password` and `confirm` may remain
            # bound (depending on where it failed) and then reach the template
            # via the locals() call at the end.
            exception.handle_exception(request)
    if page == "feeds":
        try:
            if not settings.FEEDS_ENABLED:
                raise exception.DisabledFeatureError("Feeds are currently disabled")
        except:
            exception.handle_exception(request)
    if page == "photo":
        redirect_to = view.url() + "/settings/photo"
        handled = common_views.common_photo_upload(request, redirect_to)
        if handled:
            return handled
    area = "settings"
    full_page = page.capitalize()
    # Per-page context: each branch binds the variables its template expects.
    if page == "mobile":
        full_page = "Mobile Number"
        mobile = api.mobile_get_actor(request.user, view.nick)
        sms_notify = view.extra.get("sms_notify", False)
    elif page == "im":
        full_page = "IM Address"
        im_address = api.im_get_actor(request.user, view.nick)
        im_notify = view.extra.get("im_notify", False)
    elif page == "index":
        email = api.email_get_actor(request.user, view.nick)
        email_notify = view.extra.get("email_notify", False)
        im_address = api.im_get_actor(request.user, view.nick)
        im_notify = view.extra.get("im_notify", False)
    elif page == "feeds":
        full_page = "Web Feeds"
    elif page == "email":
        full_page = "Email Address"
        email_notify = view.extra.get("email_notify", False)
        # check if we already have an email
        email = api.email_get_actor(request.user, view.nick)
        # otherwise look for an unconfirmed one
        if not email:
            unconfirmeds = api.activation_get_actor_email(api.ROOT, view.nick)
            if unconfirmeds:
                unconfirmed_email = unconfirmeds[0].content
    elif page == "design":
        redirect_to = view.url() + "/settings/design"
        handled = common_views.common_design_update(request, redirect_to, view.nick)
        if handled:
            return handled
        full_page = "Look and Feel"
    elif page == "notifications":
        email = api.email_get_actor(request.user, view.nick)
        email_notify = view.extra.get("email_notify", False)
        im_address = api.im_get_actor(request.user, view.nick)
        im_notify = view.extra.get("im_notify", False)
        # NOTE(review): looks up by request.user.nick, whereas the "mobile"
        # branch uses view.nick — confirm this is intended when the two differ.
        mobile = api.mobile_get_actor(request.user, request.user.nick)
        sms_notify = view.extra.get("sms_notify", False)
        sms_confirm = sms_notify and not view.extra.get("sms_confirmed", False)
        # TODO(termie): remove this once we can actually receive sms
        sms_confirm = False
    elif page == "profile":
        # check if we already have an email
        email = api.email_get_actor(request.user, view.nick)
        # otherwise look for an unconfirmed one
        if not email:
            unconfirmeds = api.activation_get_actor_email(api.ROOT, view.nick)
            if unconfirmeds:
                unconfirmed_email = unconfirmeds[0].content
    elif page == "photo":
        avatars = display.DEFAULT_AVATARS
        small_photos = api.image_get_all_keys(request.user, view.nick, size="f")
        # TODO(tyler): Fix this avatar nonsense!
        # "name" strips the "images/" prefix and "_f.jpg" suffix from the key name.
        own_photos = [
            {"path": small_photo.key().name(), "name": small_photo.key().name()[len("images/") : -len("_f.jpg")]}
            for small_photo in small_photos
        ]
    elif page == "privacy":
        PRIVACY_PUBLIC = api.PRIVACY_PUBLIC
        PRIVACY_CONTACTS = api.PRIVACY_CONTACTS
    elif page == "jsbadge":
        full_page = "Javascript Badges"
    elif page == "badge":
        badges = [
            {
                "id": "badge-stream",
                "width": "200",
                "height": "300",
                "src": "/themes/%s/badge.swf" % settings.DEFAULT_THEME,
                "title": "Stream",
            },
            {
                "id": "badge-map",
                "width": "200",
                "height": "255",
                "src": "/themes/%s/badge-map.swf" % settings.DEFAULT_THEME,
                "title": "Map",
            },
            {
                "id": "badge-simple",
                "width": "200",
                "height": "200",
                "src": "/themes/%s/badge-simple.swf" % settings.DEFAULT_THEME,
                "title": "Simple",
            },
        ]
    elif page in ["password", "delete"]:
        # Catch for remaining pages before we generate a 404.
        pass
    else:
        return common_views.common_404(request)
    # rendering: the whole local namespace becomes the template context.
    c = template.RequestContext(request, locals())
    t = loader.get_template("actor/templates/settings_%s.html" % page)
    return http.HttpResponse(t.render(c))