Esempio n. 1
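def login(request):
    """Render the login form or process a submitted login attempt.

    The peer address in ``request['REMOTE_ADDR']`` must pass ``verify_ip`` or
    the view answers 403.  When the request carries ``form.submitted`` the
    ``login``/``password`` parameters are checked with ``authenticate``; on
    success the user is remembered and redirected to ``/``, otherwise the
    template context is returned so the form is shown again.

    Args:
        request: the framework request; ``route_url``, ``url``, ``params``
            and ``application_url`` are read from it.

    Returns:
        ``HTTPForbidden`` when the client IP is rejected, ``HTTPFound`` after
        a successful authentication, else a ``dict`` holding the template
        variables ``message``, ``url``, ``came_from``, ``login`` and
        ``password``.
    """
    # NOTE(review): REMOTE_ADDR is the direct peer; behind a reverse proxy it
    # is the proxy's address — confirm what verify_ip is meant to see.
    if not verify_ip(request['REMOTE_ADDR']):
        return HTTPForbidden()

    login_url = request.route_url('login')
    referrer = request.url
    if referrer == login_url:
        referrer = '/'  # never use the login form itself as came_from
    came_from = request.params.get('came_from', referrer)

    message = ''
    username = ''
    if 'form.submitted' in request.params:
        # .get(): a submission that omits a field is a failed login, not a
        # KeyError/500 from request.params['login'].
        username = request.params.get('login', '')
        password = request.params.get('password', '')
        if authenticate(username, password):
            headers = remember(request, username)
            # The redirect target is '/' rather than came_from; keeping it
            # fixed means a client-supplied came_from cannot become an open
            # redirect.
            return HTTPFound(location='/', headers=headers)
        message = 'Failed login'

    return dict(
        message=message,
        url=request.application_url + '/login',
        came_from=came_from,
        login=username,
        # The key is kept for the template, but the submitted password is no
        # longer echoed back into the rendered page.
        password='',
    )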
Esempio n. 2
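    def update_user(self, json, updater_username):
        """Validate and apply a profile update requested by *updater_username*.

        Args:
            json: decoded request body.  Expected keys: ``username``,
                ``first_name``, ``last_name``, ``group``, ``email``,
                ``old_password``, ``change_password``,
                ``change_password_confirm`` (text, whitespace-stripped) and
                ``machines`` (passed through to ``User.update_user`` as-is,
                only when a privileged user edits somebody else).
            updater_username: name of the already-authenticated user making
                the request; its ``group`` decides what may be changed.

        Returns:
            ``(True, '')`` on success, ``(False, reason)`` when validation or
            the permission rules reject the request.

        Raises:
            SystemError: if *updater_username* cannot be found in the DB.

        TODO: Functional tests required!
        """

        # Step 0: prepare data.  Text fields are read through _text so a
        # missing key or a non-string value becomes a validation failure
        # instead of a KeyError/AttributeError escaping to the caller.
        def _text(key):
            try:
                return json[key].strip()
            except (KeyError, AttributeError):
                return None

        fields = {}
        for key in ('username', 'first_name', 'last_name', 'group', 'email',
                    'old_password', 'change_password',
                    'change_password_confirm'):
            value = _text(key)
            if value is None:
                return False, 'Missing or invalid field: ' + key
            fields[key] = value
        if 'machines' not in json:
            return False, 'Missing or invalid field: machines'

        username = fields['username']
        first_name = fields['first_name']
        last_name = fields['last_name']
        group = fields['group']
        email = fields['email']
        # NOTE(review): stripping both password fields silently alters
        # passwords with leading/trailing spaces; kept for parity with the
        # stored values.
        old_password = fields['old_password']
        password = fields['change_password']
        password_rpt = fields['change_password_confirm']
        machines = json['machines']

        if not group:
            return False, 'Bad group name provided'
        group = 'group:' + group

        # NOTE(review): email_pattern is defined elsewhere; match() only
        # anchors at the start, so confirm the pattern anchors its end too.
        if not email_pattern.match(email):
            return False, "Wrong email address!"

        # Step 1: updater's own record (it decides the permissions below)
        info = User.get_user_info_by_name(updater_username)
        if not info[0] or not info[1]['username']:
            # The updater is already authenticated, so a miss here is a
            # server-side inconsistency rather than a user error.
            raise SystemError('Wrong updater username provided')
        updater_info = info[1]

        # Step 2: record of the user being edited
        info = User.get_user_info_by_name(username)
        if not info[0] or not info[1]['username']:
            return False, 'Wrong changing username provided'
        changing_user_info = info[1]

        # Step 3: new-password validation (both fields or neither)
        change_password = False
        if password or password_rpt:
            if not (password and password_rpt):
                return False, "To change password please fill all fields"
            if password != password_rpt:
                return False, "New passwords does not match"
            # NOTE(review): a 16-character upper bound is unusually low and
            # blocks long passphrases; raising it is a policy change, so it is
            # left as-is here.
            if not 4 <= len(password) <= 16:
                return False, 'Wrong password length! 4 <= x <= 16'
            change_password = True

        # Step 4: permission checks, then the update.  Three cases: editing
        # yourself, a non-privileged user editing someone else (rejected),
        # and an admin/moderator editing someone else.
        new_password = None
        if updater_info['username'] == changing_user_info['username']:
            # Regular user or superuser changing himself: a password change
            # must be confirmed with the current password.
            if change_password:
                if not old_password:
                    return False, "To change password please fill all fields"
                if not authenticate(updater_info['username'], old_password):
                    return False, "Wrong old password provided"
                new_password = password

            group = None  # Disabled change of self group

            # machines is deliberately not passed here: a user cannot change
            # his own machine assignment.
            User.update_user(username=updater_info['username'], first_name=first_name,
                last_name=last_name, group=group, email=email, password=new_password)

        elif updater_info['group'] not in ['group:admins', 'group:moderators']:
            # Non-privileged user trying to change somebody else
            return False, "You don't have permissions to change this user"

        else:
            # Superuser changing somebody else.  The 'admin' account is only
            # editable by itself (handled by the first branch).
            if changing_user_info['username'] == 'admin':
                return False, 'Nobody except admin himself can change superadmin profile'

            if updater_info['group'] == 'group:moderators':
                # Moderators may neither edit privileged accounts ...
                if changing_user_info['group'] in ['group:admins', 'group:moderators']:
                    return False, "You don't have permissions to change this user"
                # IMPORTANT: ... nor promote anybody into a privileged group.
                if group in ['group:admins', 'group:moderators']:
                    return False, 'You don\'t have permissions to add new moderator or administrator'

            # A privileged updater resets the password without the old one.
            if change_password:
                new_password = password

            User.update_user(username=changing_user_info['username'], first_name=first_name,
                last_name=last_name, group=group, email=email, password=new_password, machines=machines)

        return True, ''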