def add_user(request, template='accounts/application/add_user_form.html'):
    """Admin view that creates a new user account.

    GET renders the add-user form, pre-filled with the default role profile
    and - when the acting admin administers exactly one organisation - with
    that organisation. A valid POST saves the user, sends the
    account-created email and redirects: to the ``redirect_uri`` from the
    request if ``get_safe_redirect_uri`` accepted it against
    ``allowed_hosts()``, otherwise to ``accounts:add_user_done`` for the new
    user, carrying the current query string along.
    """
    redirect_uri = get_safe_redirect_uri(request, allowed_hosts())

    if request.method != 'POST':
        initial = {}
        default_role_profile = User.get_default_role_profile()
        if default_role_profile:
            initial['role_profiles'] = [default_role_profile.id]
        organisations = request.user.get_administrable_user_organisations()
        if len(organisations) == 1:
            initial['organisations'] = organisations[0]
        form = get_default_admin_add_user_form_class()(request, initial=initial)
    else:
        form = get_default_admin_add_user_form_class()(request, request.POST)
        if form.is_valid():
            new_user = form.save()
            send_account_created_email(new_user, request)
            if redirect_uri:
                return HttpResponseRedirect(redirect_uri)
            # Only the path and the forwarded query string; no scheme or host.
            done_url = urlunsplit((
                '',
                '',
                reverse('accounts:add_user_done', args=[new_user.uuid.hex]),
                request.GET.urlencode(safe='/'),
                '',
            ))
            return HttpResponseRedirect(done_url)

    context = {'form': form, 'redirect_uri': redirect_uri, 'title': _('Add user')}
    return render(request, template, context)
def password_change(request):
    """Render and process the "change password" form for ``request.user``.

    The optional ``redirect_uri`` is used only after ``get_safe_redirect_uri``
    accepted it against ``allowed_hosts()``; it is forwarded into the
    ``accounts:password_change_done`` URL and exposed to the template.
    """
    redirect_uri = get_safe_redirect_uri(request, allowed_hosts())
    done_url = update_url(reverse('accounts:password_change_done'), {'redirect_uri': redirect_uri})

    if request.method != "POST":
        form = PasswordChangeForm(user=request.user)
    else:
        form = PasswordChangeForm(user=request.user, data=request.POST)
        if form.is_valid():
            form.save()
            # A password change rotates the session auth hash, which logs out
            # every other session of this user; refreshing it keeps the
            # current session alive.
            update_session_auth_hash(request, form.user)
            return HttpResponseRedirect(done_url)

    context = {
        'password_validators_help_texts': password_validators_help_texts(),
        'form': form,
        'title': _('Password change'),
        'redirect_uri': redirect_uri,
    }
    return TemplateResponse(request, 'accounts/password_change_form.html', context)
def profile(request):
    """Dispatch to the profile view that fits the account type and settings.

    Center accounts (``request.user.is_center``) get the center view;
    otherwise ``settings.SSO_SHOW_ADDRESS_AND_PHONE_FORM`` selects between
    the extended and the core profile form. The validated ``redirect_uri``
    is passed through to the chosen view.
    """
    redirect_uri = get_safe_redirect_uri(request, allowed_hosts())

    view = profile_core
    if getattr(request.user, 'is_center', False):
        view = profile_center_account
    elif settings.SSO_SHOW_ADDRESS_AND_PHONE_FORM:
        view = profile_with_address_and_phone
    return view(request, redirect_uri)
def is_referer_allowed(self):
    """Return whether the request's ``Referer`` points at an allowed host.

    The check is applied only for browser clients (cookie based
    authentication) that actually sent a ``Referer``; a missing header or a
    non-browser client yields ``True``. The header is validated with
    Django's ``url_has_allowed_host_and_scheme`` against ``allowed_hosts()``;
    ``require_https`` is left at its default, so the referer's scheme is not
    tied to the scheme of the current request.
    """
    meta = self.request.META
    if 'HTTP_REFERER' not in meta or not is_browser_client(self.request):
        return True
    return url_has_allowed_host_and_scheme(meta['HTTP_REFERER'], allowed_hosts=allowed_hosts())
def logout(request, next_page=None, template_name='sso_auth/logged_out.html', redirect_field_name=REDIRECT_FIELD_NAME, current_app=None, extra_context=None):
    """Log the user out, then redirect or show the 'You are logged out' page.

    RP-initiated logout, see
    http://openid.net/specs/openid-connect-session-1_0.html#RPLogout

    Redirect target, in order of precedence:

    1. A ``post_logout_redirect_uri`` request parameter. With an
       ``id_token_hint`` the token is decoded with expiry and audience checks
       disabled (it may legitimately be expired at logout); the URI is taken
       only if it is one of the ``post_logout_redirect_uris`` registered for
       the client named in ``aud`` and - unless the session was already
       anonymous - the token's ``sub`` matches the user being logged out.
       Such a registered URI is passed on with ``allowed_schemes=None``,
       i.e. the scheme restriction is lifted (see inline comment). Without
       an ``id_token_hint`` the URI must be in the global
       ``post_logout_redirect_uris()`` list and only http/https pass. If
       neither accepts the URI the redirect falls back to
       ``settings.LOGIN_REDIRECT_URL``; ``state`` is appended either way.
    2. Otherwise (deprecated) a redirect parameter validated by
       ``get_safe_redirect_uri`` against ``allowed_hosts()``.
    3. Otherwise ``next_page``, or the logged-out template when it is None.

    The token decode and the ``Client`` lookup are not guarded: a missing
    ``sub``/``aud`` claim, a malformed ``sub`` or an unknown client raises
    out of the view.
    """
    # Keep a reference: auth_logout() replaces request.user with an
    # anonymous user, but the token check below needs the real one.
    user = request.user
    auth_logout(request)
    # 1. check if we have a post_logout_redirect_uri which is registered
    redirect_to = settings.LOGIN_REDIRECT_URL
    redirect_uri = get_request_param(request, OIDC_LOGOUT_REDIRECT_FIELD_NAME)
    allowed_schemes = ['http', 'https']
    if redirect_uri:
        id_token = get_request_param(request, OIDC_ID_TOKEN_HINT)
        if id_token:
            # token maybe expired, so exp and aud verification are switched off.
            # NOTE(review): whether the signature is still verified depends on
            # loads_jwt's defaults - confirm; an unsigned hint must not be trusted.
            data = loads_jwt(id_token, options={"verify_exp": False, "verify_aud": False})
            # An anonymous session cannot be matched against sub, so the
            # token alone decides; otherwise the hint must belong to this user.
            if user.is_anonymous or user.uuid == UUID(data['sub']):
                client = Client.objects.get(uuid=data['aud'])
                # Only URIs registered for that client are honoured.
                if redirect_uri in client.post_logout_redirect_uris.split():
                    # allow unsafe schemes
                    redirect_to = redirect_uri
                    allowed_schemes = None
        else:
            # if no OIDC_ID_TOKEN_HINT is there, allow only safe schemes
            if redirect_uri in post_logout_redirect_uris():
                redirect_to = redirect_uri
        redirect_to = update_url(redirect_to, {OIDC_STATE: get_request_param(request, OIDC_STATE)})
        return HttpPostLogoutRedirect(redirect_to=redirect_to, allowed_schemes=allowed_schemes)
    else:
        # deprecated logic: any of these parameters may carry the target,
        # but it must pass the allowed_hosts() check.
        redirect_uris = [redirect_field_name, REDIRECT_URI_FIELD_NAME, OIDC_LOGOUT_REDIRECT_FIELD_NAME]
        redirect_to = get_safe_redirect_uri(request, allowed_hosts(), redirect_uris)
        if redirect_to:
            return HttpPostLogoutRedirect(redirect_to=redirect_to, allowed_schemes=['http', 'https'])
    if next_page is None:
        current_site = get_current_site(request)
        site_name = settings.SSO_SITE_NAME
        context = {
            'site': current_site,
            'site_name': site_name,
            'title': _('Logged out')
        }
        if extra_context is not None:
            context.update(extra_context)
        if current_app is not None:
            request.current_app = current_app
        return TemplateResponse(request, template_name, context)
    else:
        # Redirect to this page until the session has been cleared.
        return HttpResponseRedirect(next_page or request.path)
def add_user_done(request, uuid, template='accounts/application/add_user_done.html'):
    """Render the confirmation page shown after ``add_user`` created an account.

    ``uuid`` comes from the URL and is resolved with ``.get()``; an unknown
    value raises ``DoesNotExist`` here (a server error rather than a 404).
    The ``redirect_uri`` reaches the template only after
    ``get_safe_redirect_uri`` validated it against ``allowed_hosts()``.
    """
    user_model = get_user_model()
    context = {
        'new_user': user_model.objects.get(uuid=uuid),
        'redirect_uri': get_safe_redirect_uri(request, allowed_hosts()),
        'title': _('Add user'),
    }
    return render(request, template, context)
def get_context_data(self, **kwargs):
    """Add the validated ``redirect_uri`` to the template context.

    The key is only set when ``get_safe_redirect_uri`` accepted the value
    against ``allowed_hosts()``; explicit ``kwargs`` take precedence.
    """
    safe_uri = get_safe_redirect_uri(self.request, allowed_hosts())
    extra = {'redirect_uri': safe_uri} if safe_uri else {}
    extra.update(kwargs)
    return super().get_context_data(**extra)
def get_safe_login_redirect_url(request):
    """Return the post-login target, or ``LOGIN_REDIRECT_URL`` if it is unsafe.

    The ``REDIRECT_FIELD_NAME`` parameter is honoured only when
    ``url_has_allowed_host_and_scheme`` accepts it against the hosts from
    ``sso.oauth2.models.allowed_hosts()``, which deliberately includes
    external hosts (needed for the redirect after password_create_complete).
    ``require_https`` is left at its default, so the scheme is not tied to
    the current request. Anything else resolves to
    ``settings.LOGIN_REDIRECT_URL``.
    """
    from sso.oauth2.models import allowed_hosts

    candidate = get_request_param(request, REDIRECT_FIELD_NAME, '')
    if not url_has_allowed_host_and_scheme(candidate, allowed_hosts=allowed_hosts()):
        return resolve_url(settings.LOGIN_REDIRECT_URL)
    return candidate
def get_context_data(self, **kwargs):
    """Add redirect, self-update URL and brand data to the context.

    ``redirect_uri`` is set only after ``get_safe_redirect_uri`` validated
    it; ``update_url`` is the path of ``accounts:organisationchange_me``
    plus the current query string; ``admins`` comes from
    ``get_user_admins(sender=..., organisations=[...])`` for the object's
    organisation so brands can customise it. Explicit ``kwargs`` override
    all of these.
    """
    extra = {}
    safe_uri = get_safe_redirect_uri(self.request, allowed_hosts())
    if safe_uri:
        extra['redirect_uri'] = safe_uri
    # Local name differs from the module-level update_url() helper on purpose.
    change_url = urlunsplit((
        '',
        '',
        reverse('accounts:organisationchange_me'),
        self.request.GET.urlencode(safe='/'),
        '',
    ))
    extra['update_url'] = change_url
    # enable brand specific modification
    admins = get_user_admins(sender=self.__class__, organisations=[self.object.organisation])
    extra['site_name'] = settings.SSO_SITE_NAME
    extra['admins'] = admins
    extra.update(kwargs)
    return super().get_context_data(**extra)
def get_context_data(self, **kwargs):
    """Extend the parent context with ``redirect_uri``.

    Unlike the other ``get_context_data`` overrides in this file the key is
    always set; it holds whatever ``get_safe_redirect_uri`` returned after
    checking the request against ``allowed_hosts()``.
    """
    context = super().get_context_data(**kwargs)
    safe_uri = get_safe_redirect_uri(self.request, allowed_hosts())
    context['redirect_uri'] = safe_uri
    return context
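def _owned_email(user, email_id):
    """Return the ``UserEmail`` with ``email_id`` that belongs to ``user``.

    Scoping the lookup to the owner is the authorization check for the
    id-driven actions in ``emails``; an id that belongs to another account
    raises ``UserEmail.DoesNotExist`` exactly like an unknown id.
    """
    return UserEmail.objects.get(id=email_id, user=user)


def emails(request):
    """Self-service management of the email addresses of ``request.user``.

    A POST is dispatched on the key present in ``request.POST``:

    * ``send_confirmation`` - resend the confirmation mail for one address.
    * ``delete`` - remove one address; a missing id is treated as a repeated
      click and ignored.
    * ``set_primary`` - mark one address primary and clear the flag on the
      user's other addresses.
    * otherwise - a ``SelfUserEmailAddForm`` submission adding an address.

    Addresses referenced by id are resolved with ``_owned_email``, so an id
    of another user's address is not found: ``delete`` ignores it, the other
    two actions raise ``Http404``. Every successful action redirects back to
    this view with the validated ``redirect_uri`` forwarded. GET renders the
    add form.
    """
    from django.http import Http404

    redirect_uri = get_safe_redirect_uri(request, allowed_hosts())
    post_change_redirect = update_url(reverse('accounts:emails'), {'redirect_uri': redirect_uri})
    user = request.user

    if request.method != 'POST':
        add_form = SelfUserEmailAddForm(initial={'user': user.id})
    elif 'send_confirmation' in request.POST:
        try:
            user_email = _owned_email(user, request.POST['send_confirmation'])
        except UserEmail.DoesNotExist:
            raise Http404
        send_useremail_confirmation(user_email, request)
        messages.success(
            request,
            _('Confirmation email was sent to \"%(email)s\".') % {'email': user_email})
        return redirect(post_change_redirect)
    elif 'delete' in request.POST:
        try:
            user_email = _owned_email(user, request.POST['delete'])
            user_email.delete()
            messages.success(
                request,
                _('The email \"%(email)s\" was deleted successfully.') % {'email': user_email})
        except UserEmail.DoesNotExist:
            # may be a double click on the delete button
            pass
        return redirect(post_change_redirect)
    elif 'set_primary' in request.POST:
        try:
            user_email = _owned_email(user, request.POST['set_primary'])
        except UserEmail.DoesNotExist:
            raise Http404
        user_email.primary = True
        user_email.save()
        # Exactly one primary address per user: demote all the others.
        UserEmail.objects.filter(
            user=user_email.user, primary=True).exclude(pk=user_email.pk).update(primary=False)
        messages.success(
            request,
            _("The email \"%(email)s\" was changed successfully.") % {'email': user_email})
        return redirect(post_change_redirect)
    else:
        # NOTE(review): the owning user id travels in POST data (see the GET
        # initial below); confirm SelfUserEmailAddForm pins it to request.user.
        add_form = SelfUserEmailAddForm(request.POST)
        if add_form.is_valid():
            user_email = add_form.save()
            change_message = ChangedDataList(add_form, []).change_message()
            log_change(request, user, change_message)
            msg = _('Thank you. Your data were saved.') + '\n'
            msg += _('Confirmation email was sent to \"%(email)s\".') % {
                'email': user_email
            }
            messages.success(request, msg)
            send_useremail_confirmation(user_email, request)
            return redirect(post_change_redirect)

    context = {
        'form': add_form,
        'max_email_adresses': UserEmail.MAX_EMAIL_ADRESSES,
        'redirect_uri': redirect_uri,
    }
    return render(request, 'accounts/user_email_detail.html', context)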