def _do_users(self, req):
env = self.env
perm = PermissionSystem(env)
acctmgr = self.acctmgr
acctmod = AccountModule(env)
guard = self.guard
listing_enabled = acctmgr.supports('get_users')
create_enabled = acctmgr.supports('set_password')
password_change_enabled = acctmgr.supports('set_password')
password_reset_enabled = acctmod.reset_password_enabled
delete_enabled = acctmgr.supports('delete_user')
data = {
'_': _,
'listing_enabled': listing_enabled,
'create_enabled': create_enabled,
'delete_enabled': delete_enabled,
'password_change_enabled': password_change_enabled,
'password_reset_enabled': password_reset_enabled,
'account' : { 'username' : None,
'name' : None,
'email' : None,
}
}
if req.method == 'GET':
if 'user' in req.args.iterkeys():
return self._do_acct_details(req)
if req.method == 'POST':
if req.args.get('add'):
if create_enabled:
try:
_create_user(req, env, check_permissions=False)
except TracError, e:
data['editor_error'] = e.message
data['account'] = getattr(e, 'account', '')
else:
data['editor_error'] = _(
"The password store does not support creating users.")
elif req.args.get('reset') and req.args.get('sel'):
if password_reset_enabled:
sel = req.args.get('sel')
sel = isinstance(sel, list) and sel or [sel]
for username, name, email in env.get_known_users():
if username in sel:
acctmod._reset_password(username, email)
else:
data['deletion_error'] = _(
"The password reset procedure is not enabled.")
elif req.args.get('remove') and req.args.get('sel'):
if delete_enabled:
sel = req.args.get('sel')
sel = isinstance(sel, list) and sel or [sel]
for account in sel:
acctmgr.delete_user(account)
else:
data['deletion_error'] = _(
"The password store does not support deleting users.")
elif req.args.get('change'):
attributes = {
'email': _("Email Address"),
'name': _("Full name"),
'password': _("Password")
}
data['success'] = []
error = TracError('')
username = acctmgr.handle_username_casing(
req.args.get('username').strip())
try:
if not username:
error.account = {'username' : username}
error.message = _("Username cannot be empty.")
raise error
if not acctmgr.has_user(username):
error.account = {'username' : username}
error.message = _("Unknown user %(user)s.",
user=username)
raise error
password = req.args.get('password')
if password and (password.strip() != ''):
if password_change_enabled:
if password != req.args.get('password_confirm'):
error.message = _("The passwords must match.")
raise error
acctmgr.set_password(username, password)
data['success'].append(attributes.get('password'))
else:
data['editor_error'] = _(
"""The password store does not support
changing passwords.
""")
for attribute in ('name', 'email'):
value = req.args.get(attribute).strip()
if value:
set_user_attribute(env, username,
attribute, value)
data['success'].append(attributes.get(attribute))
except TracError, e:
data['editor_error'] = e.message
data['account'] = getattr(e, 'account', '')
class AccountModule(Component):
"""Exposes methods for users to do account management on their own.
Allows users to change their password, reset their password, if they've
forgotten it, even delete their account. The settings for the
AccountManager module must be set in trac.ini in order to use this.
"""
implements(IPreferencePanelProvider, IRequestHandler, ITemplateProvider,
INavigationContributor, IRequestFilter)
_password_chars = string.ascii_letters + string.digits
password_length = IntOption(
'account-manager', 'generated_password_length', 8,
"""Length of the randomly-generated passwords created when resetting
the password for an account.""")
reset_password = BoolOption(
'account-manager', 'reset_password', True,
'Set to False, if there is no email system setup.')
def __init__(self):
self.acctmgr = AccountManager(self.env)
self.store = ResetPwStore(self.env)
self._write_check(log=True)
def _write_check(self, log=False):
writable = self.acctmgr.get_all_supporting_stores('set_password')
if not writable and log:
self.log.warn('AccountModule is disabled because the password '
'store does not support writing.')
return writable
# IPreferencePanelProvider methods
def get_preference_panels(self, req):
writable = self._write_check()
if not writable:
return
if req.authname and req.authname != 'anonymous':
user_store = self.acctmgr.find_user_store(req.authname)
if user_store in writable:
yield 'account', _("Account")
def render_preference_panel(self, req, panel):
data = {
'account': self._do_account(req),
'_dgettext': dgettext,
}
return 'prefs_account.html', data
# IRequestHandler methods
def match_request(self, req):
return req.path_info == '/reset_password' and \
self._reset_password_enabled(log=True)
def process_request(self, req):
data = {'_dgettext': dgettext, 'reset': self._do_reset_password(req)}
return 'reset_password.html', data, None
# IRequestFilter methods
def pre_process_request(self, req, handler):
return handler
def post_process_request(self, req, template, data, content_type):
if req.authname and req.authname != 'anonymous':
if req.session.get('force_change_passwd', False):
redirect_url = req.href.prefs('account')
if req.href(req.path_info) != redirect_url:
req.redirect(redirect_url)
return (template, data, content_type)
# INavigationContributor methods
def get_active_navigation_item(self, req):
return 'reset_password'
def get_navigation_items(self, req):
if not self.reset_password_enabled or LoginModule(self.env).enabled:
return
if req.authname == 'anonymous':
yield 'metanav', 'reset_password', tag.a(
_("Forgot your password?"), href=req.href.reset_password())
def _reset_password_enabled(self, log=False):
return is_enabled(self.env, self.__class__) and \
self.reset_password and (self._write_check(log) != [])
reset_password_enabled = property(_reset_password_enabled)
def _do_account(self, req):
if not req.authname or req.authname == 'anonymous':
# DEVEL: Shouldn't this be a more generic URL?
req.redirect(req.href.wiki())
action = req.args.get('action')
delete_enabled = self.acctmgr.supports('delete_user') and \
self.acctmgr.allow_delete_account
data = {
'delete_enabled':
delete_enabled,
'delete_msg_confirm':
_("Are you sure you want to delete your account?"),
}
force_change_password = req.session.get('force_change_passwd', False)
if req.method == 'POST':
if action == 'save':
data.update(self._do_change_password(req))
if force_change_password:
del (req.session['force_change_passwd'])
req.session.save()
chrome.add_notice(
req,
Markup(
tag.span(
tag_(
"Thank you for taking the time to update your password."
))))
force_change_password = False
elif action == 'delete' and delete_enabled:
data.update(self._do_delete(req))
else:
data.update({'error': 'Invalid action'})
if force_change_password:
chrome.add_warning(
req,
Markup(
tag.span(
_("You are required to change password because of a recent "
"password change request. "),
tag.b(_("Please change your password now.")))))
return data
def _do_reset_password(self, req):
if req.authname and req.authname != 'anonymous':
return {'logged_in': True}
if req.method != 'POST':
return {}
username = req.args.get('username')
email = req.args.get('email')
if not username:
return {'error': _("Username is required")}
if not email:
return {'error': _("Email is required")}
for username_, name, email_ in self.env.get_known_users():
if username_ == username and email_ == email:
self._reset_password(username, email)
break
else:
return {
'error':
_("The email and username must match a known account.")
}
return {'sent_to_email': email}
def _reset_password(self, username, email):
acctmgr = self.acctmgr
new_password = self._random_password()
try:
acctmgr._notify('password_reset', username, email, new_password)
except Exception, e:
return {'error': ','.join(map(to_unicode, e.args))}
self.store.set_password(username, new_password)
if acctmgr.force_passwd_change:
set_user_attribute(self.env, username, 'force_change_passwd', 1)
def _create_user(req, env, check_permissions=True):
acctmgr = AccountManager(env)
username = acctmgr.handle_username_casing(req.args.get('username').strip())
name = req.args.get('name')
email = req.args.get('email').strip()
account = {
'username': username,
'name': name,
'email': email,
}
error = TracError('')
error.account = account
if not username:
error.message = _("Username cannot be empty.")
raise error
# Prohibit some user names that are important for Trac and therefor
# reserved, even if they're not in the permission store for some reason.
if username in ['authenticated', 'anonymous']:
error.message = _("Username %s is not allowed.") % username
raise error
# NOTE: A user may exist in the password store but not in the permission
# store. I.e. this happens, when the user (from the password store)
# never logged in into Trac. So we have to perform this test here
# and cannot just check for the user being in the permission store.
# And obfuscate whether an existing user or group name
# was responsible for rejection of this user name.
if acctmgr.has_user(username):
error.message = _(
"Another account or group named %s already exists.") % username
raise error
# Check whether there is also a user or a group with that name.
if check_permissions:
# NOTE: We can't use 'get_user_permissions(username)' here
# as this always returns a list - even if the user doesn't exist.
# In this case the permissions of "anonymous" are returned.
#
# Also note that we can't simply compare the result of
# 'get_user_permissions(username)' to some known set of permission,
# i.e. "get_user_permissions('authenticated') as this is always
# false when 'username' is the name of an existing permission group.
#
# And again obfuscate whether an existing user or group name
# was responsible for rejection of this username.
for (perm_user, perm_action) in \
perm.PermissionSystem(env).get_all_permissions():
if perm_user == username:
error.message = _(
"Another account or group named %s already exists.") \
% username
raise error
# Always exclude some special characters, i.e.
# ':' can't be used in HtPasswdStore
# '[' and ']' can't be used in SvnServePasswordStore
blacklist = acctmgr.username_char_blacklist
if containsAny(username, blacklist):
pretty_blacklist = ''
for c in blacklist:
if pretty_blacklist == '':
pretty_blacklist = tag(' \'', tag.b(c), '\'')
else:
pretty_blacklist = tag(pretty_blacklist, ', \'', tag.b(c),
'\'')
error.message = tag(
_("The username must not contain any of these characters:"),
pretty_blacklist)
raise error
# Validation of username passed.
password = req.args.get('password')
if not password:
error.message = _("Password cannot be empty.")
raise error
if password != req.args.get('password_confirm'):
error.message = _("The passwords must match.")
raise error
# Validation of password passed.
if if_enabled(EmailVerificationModule) and acctmgr.verify_email:
if not email:
error.message = _("You must specify a valid email address.")
raise error
elif not re.match('^[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,6}$',
email, re.IGNORECASE):
error.message = _("""The email address specified appears to be
invalid. Please specify a valid email address.
""")
raise error
elif acctmgr.has_email(email):
error.message = _("""The email address specified is already in
use. Please specify a different one.
""")
raise error
# Validation of email address passed.
acctmgr.set_password(username, password)
# INSERT new sid, needed as foreign key in some db schemata later on,
# at least for PostgreSQL.
db = env.get_db_cnx()
cursor = db.cursor()
cursor.execute(
"""
SELECT COUNT(*)
FROM session
WHERE sid=%s
""", (username, ))
exists = cursor.fetchone()
if not exists:
cursor.execute(
"""
INSERT INTO session
(sid,authenticated,last_visit)
VALUES (%s,0,0)
""", (username, ))
for attribute in ('name', 'email'):
value = req.args.get(attribute)
if not value:
continue
set_user_attribute(env, username, attribute, value)
def _create_user(req, env, check_permissions=True):
acctmgr = AccountManager(env)
username = acctmgr.handle_username_casing(
req.args.get('username').strip())
name = req.args.get('name')
email = req.args.get('email').strip()
account = {'username' : username,
'name' : name,
'email' : email,
}
error = TracError('')
error.account = account
if not username:
error.message = _("Username cannot be empty.")
raise error
# Prohibit some user names that are important for Trac and therefor
# reserved, even if they're not in the permission store for some reason.
if username in ['authenticated', 'anonymous']:
error.message = _("Username %s is not allowed.") % username
raise error
# NOTE: A user may exist in the password store but not in the permission
# store. I.e. this happens, when the user (from the password store)
# never logged in into Trac. So we have to perform this test here
# and cannot just check for the user being in the permission store.
# And obfuscate whether an existing user or group name
# was responsible for rejection of this user name.
if acctmgr.has_user(username):
error.message = _(
"Another account or group named %s already exists.") % username
raise error
# Check whether there is also a user or a group with that name.
if check_permissions:
# NOTE: We can't use 'get_user_permissions(username)' here
# as this always returns a list - even if the user doesn't exist.
# In this case the permissions of "anonymous" are returned.
#
# Also note that we can't simply compare the result of
# 'get_user_permissions(username)' to some known set of permission,
# i.e. "get_user_permissions('authenticated') as this is always
# false when 'username' is the name of an existing permission group.
#
# And again obfuscate whether an existing user or group name
# was responsible for rejection of this username.
for (perm_user, perm_action) in \
perm.PermissionSystem(env).get_all_permissions():
if perm_user == username:
error.message = _(
"Another account or group named %s already exists.") \
% username
raise error
# Always exclude some special characters, i.e.
# ':' can't be used in HtPasswdStore
# '[' and ']' can't be used in SvnServePasswordStore
blacklist = acctmgr.username_char_blacklist
if containsAny(username, blacklist):
pretty_blacklist = ''
for c in blacklist:
if pretty_blacklist == '':
pretty_blacklist = tag(' \'', tag.b(c), '\'')
else:
pretty_blacklist = tag(pretty_blacklist,
', \'', tag.b(c), '\'')
error.message = tag(_(
"The username must not contain any of these characters:"),
pretty_blacklist)
raise error
# Validation of username passed.
password = req.args.get('password')
if not password:
error.message = _("Password cannot be empty.")
raise error
if password != req.args.get('password_confirm'):
error.message = _("The passwords must match.")
raise error
# Validation of password passed.
if if_enabled(EmailVerificationModule) and acctmgr.verify_email:
if not email:
error.message = _("You must specify a valid email address.")
raise error
elif not re.match('^[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,6}$',
email, re.IGNORECASE):
error.message = _("""The email address specified appears to be
invalid. Please specify a valid email address.
""")
raise error
elif acctmgr.has_email(email):
error.message = _("""The email address specified is already in
use. Please specify a different one.
""")
raise error
# Validation of email address passed.
acctmgr.set_password(username, password)
# INSERT new sid, needed as foreign key in some db schemata later on,
# at least for PostgreSQL.
db = env.get_db_cnx()
cursor = db.cursor()
cursor.execute("""
SELECT COUNT(*)
FROM session
WHERE sid=%s
""", (username,))
exists = cursor.fetchone()
if not exists:
cursor.execute("""
INSERT INTO session
(sid,authenticated,last_visit)
VALUES (%s,0,0)
""", (username,))
for attribute in ('name', 'email'):
value = req.args.get(attribute)
if not value:
continue
set_user_attribute(env, username, attribute, value)
