def login():
    """Flask view for ``usermanager.login``.

    GET renders the login form.  POST reads ``username`` and ``password``
    from the form and then either

    * runs the "forgot password" flow when a ``forgot`` field is present
      (a reset mail is attempted via ``forgot_password``), or
    * checks the credentials against ``Users``, fills the session
      (``logged_in``, ``username``, ``groups``) and redirects to the stored
      ``login_origin`` (falling back to ``url_front()``).

    A failed attempt flashes a message and re-renders the login form.
    """
    error = None
    if request.method == 'POST':
        username = request.form['username']
        raw_password = request.form['password']

        if 'forgot' in request.form:
            return _handle_forgot_password(username)

        rows = data.execute(
            'SELECT password, deleted FROM Users WHERE username = ?', username)
        # Short-circuit: password.check() is only reached when a row exists.
        credentials_ok = (not empty(rows)
                          and password.check(raw_password, rows[0]['password']))
        if not credentials_ok:
            flash('Invalid username or password')
        elif rows[0]["deleted"]:
            flash('Sorry, your user has been deleted')
        else:
            return _start_session(username, raw_password)
    return render_template("usermanager/login.html", error=error)


def _handle_forgot_password(username):
    """Attempt a password-reset mail for *username* and render the outcome.

    A ``forgot_password`` failure whose message is exactly
    "No such user/No valid email" is reported to the user and redirects back
    to the login page; any other exception propagates unchanged.
    """
    try:
        forgot_password(username)
    except Exception as exc:
        if str(exc) != "No such user/No valid email":
            raise
        flash("Kunne ikke sende en mail til denne bruger")
        return redirect(url_for('usermanager.login'))
    return render_template("usermanager/forgot.html", username=username)


def _start_session(username, raw_password):
    """Mark the session as logged in for *username* and redirect onward."""
    session['logged_in'] = True
    session['username'] = username
    # NOTE(review): the pre-login session is extended, not cleared, so any
    # keys set before authentication (other than login_origin, popped below)
    # survive the login -- confirm that is intended.
    group_rows = data.execute(
        'SELECT groupname FROM Group_users WHERE username = ?', username)
    session['groups'] = [row['groupname'] for row in group_rows]
    # Re-stores the just-verified password; presumably so the stored value is
    # refreshed with the current scheme -- TODO confirm.
    update_password(username, raw_password)
    flash("Login succesful")
    return redirect(session.pop('login_origin', url_front()))
def change_password():
    """Flask view for ``usermanager.change_password``.

    GET renders a three-field form (``current``, ``new1``, ``new2``).  POST
    either cancels (``cancel`` field) back to the settings page, or verifies
    the current password of ``session["username"]``, requires the two new
    entries to match and be non-empty, stores the new password and redirects
    to the settings page.  A wrong current password ends the session via
    ``logout()`` instead of re-showing the form.
    """
    if request.method != "POST":
        return render_template("form.html", form=_change_password_form())

    if 'cancel' in request.form:
        flash(escape("Ændringer annulleret"))
        return redirect(url_for('usermanager.settings'))

    username = session["username"]
    stored_password = data.execute(
        "SELECT password FROM Users WHERE username = ?", username)[0]['password']
    fields = data.Bucket(request.form)

    # Re-authenticate before accepting any change.
    if not password.check(fields.current, stored_password):
        return logout()

    problem = None
    if fields.new1 != fields.new2:
        problem = "De to løsner er ikke ens"
    elif fields.new1 == "":
        problem = "Du specificerede ikke et nyt løsen"
    if problem is not None:
        flash(problem)
        return redirect(url_for('usermanager.change_password'))

    update_password(username, fields.new1)
    return redirect(url_for('usermanager.settings'))


def _change_password_form():
    """Build the change-password form markup with ``html.WebBuilder``."""
    builder = html.WebBuilder()
    builder.form()
    builder.formtable()
    for name, label in (("current", "Nuværende løsen"),
                        ("new1", "Nyt løsen"),
                        ("new2", "Gentag nyt løsen")):
        builder.password(name, label)
    return builder.create()
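def update( self, **keyargs ):
    """Apply the given attribute changes to this user.

    Delegates to the base-class ``update`` first, then handles the
    user-specific keys it recognises:

    ``email``
        Validated with ``User.check_email`` and written to ``users``.
    ``new_password``
        Validated with ``User.check_password``, transformed with
        ``password.encrypt`` and written to ``users``.  When the acting user
        (``self.app.user``) is this user, the change must be authorised by a
        correct ``old_password``.
    ``avatar_id``
        Converted with ``int()``; must be readable by the acting user, have a
        ``files.File``-supported ``image/*`` media type and be at most
        ``100 * 2**10`` bytes.

    Raises:
        errors.PrivilegeError: ``old_password`` missing or wrong, or the avatar
            object is not readable by the acting user.
        errors.ParameterError: unsupported avatar media type, or avatar larger
            than the size limit.
        ValueError: ``avatar_id`` is not convertible by ``int()``.

    Note: each key is written with its own ``execute`` call and no transaction
    boundary is visible in this method, so an error on a later key (e.g. a
    wrong ``old_password``) leaves earlier keys (e.g. ``email``) already
    written -- TODO confirm the caller wraps this in a transaction.
    """
    super().update( **keyargs )
    c = self.app.db.cursor()

    if "email" in keyargs:
        email = keyargs["email"]
        User.check_email( email )
        c.execute( """update users set email=? where object_id=?""", [email, self.id] )

    if "new_password" in keyargs:
        new_password = keyargs["new_password"]
        User.check_password( new_password )
        encrypted_new_password = password.encrypt( new_password )
        if self.app.user.id == self.id:
            # normal users have to authorize the change with their old password
            if "old_password" not in keyargs:
                raise errors.PrivilegeError( "You need to authorize the change request with your old password" )
            old_password = keyargs["old_password"]
            encrypted_old_password = c.execute(
                """select password from users where object_id=?""", [self.id] ).fetchone()[0]
            if not password.check( old_password, encrypted_old_password ):
                raise errors.PrivilegeError( "Invalid old password" )
        # NOTE(review): when the acting user is someone else, no old-password
        # authorisation happens here; presumably the base-class update or the
        # caller restricts this branch to privileged users -- confirm.
        c.execute( """update users set password=? where object_id=?""", [encrypted_new_password, self.id] )

    if "avatar_id" in keyargs:
        avatar_id = int( keyargs["avatar_id"] )
        if not self.app.user.can_read( avatar_id ):
            raise errors.PrivilegeError()
        obj = db_object.DBObject( self.app, object_id=avatar_id )
        is_image = ( files.File.supports( self.app, obj.media_type )
                     and obj.media_type.startswith( "image/" ) )
        if not is_image:
            raise errors.ParameterError( "Unsupported media type for user avatars" )
        file_obj = files.File( self.app, object_id=obj.id )
        size_limit = 100*2**10  # 100 KiB
        if file_obj.get_size() > size_limit:
            raise errors.ParameterError( "Avatar object exeeds size limit of %d bytes" % (size_limit) )
        c.execute( """update users set avatar_id=? where object_id=?""", [avatar_id, self.id] )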
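def check_login( app ):
    """Verify the request's ``nick``/``password`` and return a ``user.User``.

    Args:
        app: application object exposing ``query.parms`` (request parameters)
            and ``db`` (a DB-API connection with ``cursor()``).

    Returns:
        user.User: the user whose ``nick`` matched and whose stored password
        verified against the supplied one via ``password.check``.

    Raises:
        Exception: "Missing user name or password" when either parameter is
            absent; "Invalid user name or password" when no row matches the
            nick, the row has an empty ``object_id`` or stored password, or
            ``password.check`` fails.  One message covers all three failure
            cases so the response does not reveal whether the nick exists.
    """
    query = app.query
    if "nick" not in query.parms or "password" not in query.parms:
        raise Exception( "Missing user name or password" )

    c = app.db.cursor()
    result = c.execute(
        """select object_id, password from users where nick=?""",
        [query.parms["nick"]] ).fetchone()
    if not result:
        raise Exception( "Invalid user name or password" )

    user_id, encrypted_password = result
    # NOTE(review): password.check() only runs when the nick exists, so the two
    # "Invalid" paths take different time even though the message is the same
    # -- confirm whether that is acceptable for this deployment.
    if not user_id or not encrypted_password \
            or not password.check( password=query.parms["password"], encrypted_password=encrypted_password ):
        raise Exception( "Invalid user name or password" )
    return user.User( app, user_id=user_id )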
def login():
    """Flask view for ``usermanager.login``.

    GET renders the login form.  POST reads ``username`` and ``password``
    from the form.  With a ``forgot`` field present, a reset mail is
    attempted via ``forgot_password`` and the forgot page is rendered.
    Otherwise the credentials are checked against ``Users``; on success the
    session gets ``logged_in``, ``username`` and ``groups`` and the user is
    redirected to the stored ``login_origin`` (default ``url_front()``).
    Failed attempts flash a message and re-render the login form.
    """
    error = None
    if request.method != 'POST':
        return render_template("usermanager/login.html", error=error)

    username = request.form['username']
    raw_password = request.form['password']

    if 'forgot' in request.form:
        try:
            forgot_password(username)
        except Exception as exc:
            if str(exc) == "No such user/No valid email":
                flash("Kunne ikke sende en mail til denne bruger")
                return redirect(url_for('usermanager.login'))
            raise
        return render_template("usermanager/forgot.html", username=username)

    matches = data.execute(
        'SELECT password, deleted FROM Users WHERE username = ?', username)
    if empty(matches) or not password.check(raw_password, matches[0]['password']):
        flash('Invalid username or password')
        return render_template("usermanager/login.html", error=error)
    if matches[0]["deleted"]:
        flash('Sorry, your user has been deleted')
        return render_template("usermanager/login.html", error=error)

    session['logged_in'] = True
    session['username'] = username
    session['groups'] = [
        row['groupname']
        for row in data.execute(
            'SELECT groupname FROM Group_users WHERE username = ?', username)
    ]
    # Re-stores the verified password; presumably a refresh of the stored
    # value under the current scheme -- TODO confirm.
    update_password(username, raw_password)
    flash("Login succesful")
    return redirect(session.pop('login_origin', url_front()))
def change_password():
    """Flask view for ``usermanager.change_password``.

    GET builds and renders a form with ``current``, ``new1`` and ``new2``
    password fields.  POST handles ``cancel`` (back to settings), otherwise
    re-checks the current password of ``session["username"]`` (a mismatch
    calls ``logout()``), requires ``new1 == new2`` and a non-empty ``new1``,
    stores the new password and redirects to the settings page.
    """
    if request.method == "POST":
        if 'cancel' in request.form:
            flash(escape("Ændringer annulleret"))
            return redirect(url_for('usermanager.settings'))

        who = session["username"]
        rows = data.execute(
            "SELECT password FROM Users WHERE username = ?", who)
        submitted = data.Bucket(request.form)

        if not password.check(submitted.current, rows[0]['password']):
            # Wrong current password terminates the session.
            return logout()

        if submitted.new1 != submitted.new2:
            flash("De to løsner er ikke ens")
        elif submitted.new1 == "":
            flash("Du specificerede ikke et nyt løsen")
        else:
            update_password(who, submitted.new1)
            return redirect(url_for('usermanager.settings'))
        return redirect(url_for('usermanager.change_password'))

    page = html.WebBuilder()
    page.form()
    page.formtable()
    page.password("current", "Nuværende løsen")
    page.password("new1", "Nyt løsen")
    page.password("new2", "Gentag nyt løsen")
    return render_template("form.html", form=page.create())