def json_change_settings(
request: HttpRequest,
user_profile: UserProfile,
full_name: Text = REQ(default=""),
email: Text = REQ(default=""),
old_password: Text = REQ(default=""),
new_password: Text = REQ(default="")
) -> HttpResponse:
if not (full_name or new_password or email):
return json_error(_("Please fill out all fields."))
if new_password != "":
if not authenticate(username=user_profile.email,
password=old_password,
realm=user_profile.realm):
return json_error(_("Wrong password!"))
do_change_password(user_profile, new_password)
# In Django 1.10, password changes invalidates sessions, see
# https://docs.djangoproject.com/en/1.10/topics/auth/default/#session-invalidation-on-password-change
# for details. To avoid this logging the user out of their own
# session (which would provide a confusing UX at best), we
# update the session hash here.
update_session_auth_hash(request, user_profile)
# We also save the session to the DB immediately to mitigate
# race conditions. In theory, there is still a race condition
# and to completely avoid it we will have to use some kind of
# mutex lock in `django.contrib.auth.get_user` where session
# is verified. To make that lock work we will have to control
# the AuthenticationMiddleware which is currently controlled
# by Django,
request.session.save()
result = {} # type: Dict[str, Any]
new_email = email.strip()
if user_profile.email != email and new_email != '':
if user_profile.realm.email_changes_disabled and not user_profile.is_realm_admin:
return json_error(
_("Email address changes are disabled in this organization."))
error, skipped = validate_email(user_profile, new_email)
if error:
return json_error(error)
if skipped:
return json_error(skipped)
do_start_email_change_process(user_profile, new_email)
result['account_email'] = _(
"Check your email for a confirmation link. ")
if user_profile.full_name != full_name and full_name.strip() != "":
if name_changes_disabled(
user_profile.realm) and not user_profile.is_realm_admin:
# Failingly silently is fine -- they can't do it through the UI, so
# they'd have to be trying to break the rules.
pass
else:
# Note that check_change_full_name strips the passed name automatically
result['full_name'] = check_change_full_name(
user_profile, full_name, user_profile)
return json_success(result)
def json_change_settings(request,
user_profile,
full_name=REQ(default=""),
old_password=REQ(default=""),
new_password=REQ(default=""),
confirm_password=REQ(default="")):
# type: (HttpRequest, UserProfile, text_type, text_type, text_type, text_type) -> HttpResponse
if not (full_name or new_password):
return json_error(_("No new data supplied"))
if new_password != "" or confirm_password != "":
if new_password != confirm_password:
return json_error(
_("New password must match confirmation password!"))
if not authenticate(username=user_profile.email,
password=old_password):
return json_error(_("Wrong password!"))
do_change_password(user_profile, new_password)
result = {}
if user_profile.full_name != full_name and full_name.strip() != "":
if name_changes_disabled(user_profile.realm):
# Failingly silently is fine -- they can't do it through the UI, so
# they'd have to be trying to break the rules.
pass
else:
new_full_name = full_name.strip()
if len(new_full_name) > UserProfile.MAX_NAME_LENGTH:
return json_error(_("Name too long!"))
do_change_full_name(user_profile, new_full_name)
result['full_name'] = new_full_name
return json_success(result)
def json_change_settings(request, user_profile,
full_name=REQ(default=""),
old_password=REQ(default=""),
new_password=REQ(default=""),
confirm_password=REQ(default="")):
# type: (HttpRequest, UserProfile, text_type, text_type, text_type, text_type) -> HttpResponse
if not (full_name or new_password):
return json_error(_("No new data supplied"))
if new_password != "" or confirm_password != "":
if new_password != confirm_password:
return json_error(_("New password must match confirmation password!"))
if not authenticate(username=user_profile.email, password=old_password):
return json_error(_("Wrong password!"))
do_change_password(user_profile, new_password)
result = {}
if user_profile.full_name != full_name and full_name.strip() != "":
if name_changes_disabled(user_profile.realm):
# Failingly silently is fine -- they can't do it through the UI, so
# they'd have to be trying to break the rules.
pass
else:
new_full_name = full_name.strip()
if len(new_full_name) > UserProfile.MAX_NAME_LENGTH:
return json_error(_("Name too long!"))
do_change_full_name(user_profile, new_full_name)
result['full_name'] = new_full_name
return json_success(result)
def json_change_settings(request,
user_profile,
full_name=REQ(default=""),
email=REQ(default=""),
old_password=REQ(default=""),
new_password=REQ(default=""),
confirm_password=REQ(default="")):
# type: (HttpRequest, UserProfile, Text, Text, Text, Text, Text) -> HttpResponse
if not (full_name or new_password or email):
return json_error(_("No new data supplied"))
if new_password != "" or confirm_password != "":
if new_password != confirm_password:
return json_error(
_("New password must match confirmation password!"))
if not authenticate(username=user_profile.email,
password=old_password):
return json_error(_("Wrong password!"))
do_change_password(user_profile, new_password)
# In Django 1.10, password changes invalidates sessions, see
# https://docs.djangoproject.com/en/1.10/topics/auth/default/#session-invalidation-on-password-change
# for details. To avoid this logging the user out of his own
# session (which would provide a confusing UX at best), we
# update the session hash here.
update_session_auth_hash(request, user_profile)
# We also save the session to the DB immediately to mitigate
# race conditions. In theory, there is still a race condition
# and to completely avoid it we will have to use some kind of
# mutex lock in `django.contrib.auth.get_user` where session
# is verified. To make that lock work we will have to control
# the AuthenticationMiddleware which is currently controlled
# by Django,
request.session.save()
result = {}
new_email = email.strip()
if user_profile.email != email and new_email != '':
error, skipped = validate_email(user_profile, new_email)
if error or skipped:
return json_error(error or skipped)
do_start_email_change_process(user_profile, new_email)
result['account_email'] = _('We have sent you an email on your '
'new email address for confirmation.')
if user_profile.full_name != full_name and full_name.strip() != "":
if name_changes_disabled(user_profile.realm):
# Failingly silently is fine -- they can't do it through the UI, so
# they'd have to be trying to break the rules.
pass
else:
# Note that check_change_full_name strips the passed name automatically
result['full_name'] = check_change_full_name(
user_profile, full_name)
return json_success(result)
def json_change_settings(request: HttpRequest, user_profile: UserProfile,
full_name: str=REQ(default=""),
email: str=REQ(default=""),
old_password: str=REQ(default=""),
new_password: str=REQ(default="")) -> HttpResponse:
if not (full_name or new_password or email):
return json_error(_("Please fill out all fields."))
if new_password != "":
return_data = {} # type: Dict[str, Any]
if email_belongs_to_ldap(user_profile.realm, user_profile.email):
return json_error(_("Your Zulip password is managed in LDAP"))
if not authenticate(username=user_profile.email, password=old_password,
realm=user_profile.realm, return_data=return_data):
return json_error(_("Wrong password!"))
do_change_password(user_profile, new_password)
# In Django 1.10, password changes invalidates sessions, see
# https://docs.djangoproject.com/en/1.10/topics/auth/default/#session-invalidation-on-password-change
# for details. To avoid this logging the user out of their own
# session (which would provide a confusing UX at best), we
# update the session hash here.
update_session_auth_hash(request, user_profile)
# We also save the session to the DB immediately to mitigate
# race conditions. In theory, there is still a race condition
# and to completely avoid it we will have to use some kind of
# mutex lock in `django.contrib.auth.get_user` where session
# is verified. To make that lock work we will have to control
# the AuthenticationMiddleware which is currently controlled
# by Django,
request.session.save()
result = {} # type: Dict[str, Any]
new_email = email.strip()
if user_profile.email != new_email and new_email != '':
if user_profile.realm.email_changes_disabled and not user_profile.is_realm_admin:
return json_error(_("Email address changes are disabled in this organization."))
error, skipped = validate_email(user_profile, new_email)
if error:
return json_error(error)
if skipped:
return json_error(skipped)
do_start_email_change_process(user_profile, new_email)
result['account_email'] = _("Check your email for a confirmation link. ")
if user_profile.full_name != full_name and full_name.strip() != "":
if name_changes_disabled(user_profile.realm) and not user_profile.is_realm_admin:
# Failingly silently is fine -- they can't do it through the UI, so
# they'd have to be trying to break the rules.
pass
else:
# Note that check_change_full_name strips the passed name automatically
result['full_name'] = check_change_full_name(user_profile, full_name, user_profile)
return json_success(result)
def json_change_settings(request, user_profile,
full_name=REQ(default=""),
email=REQ(default=""),
old_password=REQ(default=""),
new_password=REQ(default=""),
confirm_password=REQ(default="")):
# type: (HttpRequest, UserProfile, Text, Text, Text, Text, Text) -> HttpResponse
if not (full_name or new_password or email):
return json_error(_("No new data supplied"))
if new_password != "" or confirm_password != "":
if new_password != confirm_password:
return json_error(_("New password must match confirmation password!"))
if not authenticate(username=user_profile.email, password=old_password):
return json_error(_("Wrong password!"))
do_change_password(user_profile, new_password)
# In Django 1.10, password changes invalidates sessions, see
# https://docs.djangoproject.com/en/1.10/topics/auth/default/#session-invalidation-on-password-change
# for details. To avoid this logging the user out of his own
# session (which would provide a confusing UX at best), we
# update the session hash here.
update_session_auth_hash(request, user_profile)
# We also save the session to the DB immediately to mitigate
# race conditions. In theory, there is still a race condition
# and to completely avoid it we will have to use some kind of
# mutex lock in `django.contrib.auth.get_user` where session
# is verified. To make that lock work we will have to control
# the AuthenticationMiddleware which is currently controlled
# by Django,
request.session.save()
result = {}
new_email = email.strip()
if user_profile.email != email and new_email != '':
if user_profile.realm.email_changes_disabled:
return json_error(_("Email address changes are disabled in this organization."))
error, skipped = validate_email(user_profile, new_email)
if error or skipped:
return json_error(error or skipped)
do_start_email_change_process(user_profile, new_email)
result['account_email'] = _('We have sent you an email on your '
'new email address for confirmation.')
if user_profile.full_name != full_name and full_name.strip() != "":
if name_changes_disabled(user_profile.realm):
# Failingly silently is fine -- they can't do it through the UI, so
# they'd have to be trying to break the rules.
pass
else:
# Note that check_change_full_name strips the passed name automatically
result['full_name'] = check_change_full_name(user_profile, full_name)
return json_success(result)
def json_change_settings(request, user_profile,
full_name=REQ(default=""),
old_password=REQ(default=""),
new_password=REQ(default=""),
confirm_password=REQ(default="")):
# type: (HttpRequest, UserProfile, text_type, text_type, text_type, text_type) -> HttpResponse
if not (full_name or new_password):
return json_error(_("No new data supplied"))
if new_password != "" or confirm_password != "":
if new_password != confirm_password:
return json_error(_("New password must match confirmation password!"))
if not authenticate(username=user_profile.email, password=old_password):
return json_error(_("Wrong password!"))
do_change_password(user_profile, new_password)
# In Django 1.10, password changes invalidates sessions, see
# https://docs.djangoproject.com/en/1.10/topics/auth/default/#session-invalidation-on-password-change
# for details. To avoid this logging the user out of his own
# session (which would provide a confusing UX at best), we
# update the session hash here.
update_session_auth_hash(request, user_profile)
# We also save the session to the DB immediately to mitigate
# race conditions. In theory, there is still a race condition
# and to completely avoid it we will have to use some kind of
# mutex lock in `django.contrib.auth.get_user` where session
# is verified. To make that lock work we will have to control
# the AuthenticationMiddleware which is currently controlled
# by Django,
request.session.save()
result = {}
if user_profile.full_name != full_name and full_name.strip() != "":
if name_changes_disabled(user_profile.realm):
# Failingly silently is fine -- they can't do it through the UI, so
# they'd have to be trying to break the rules.
pass
else:
new_full_name = full_name.strip()
if len(new_full_name) > UserProfile.MAX_NAME_LENGTH:
return json_error(_("Name too long!"))
do_change_full_name(user_profile, new_full_name)
result['full_name'] = new_full_name
return json_success(result)
def json_change_settings(request,
user_profile,
full_name=REQ(default=""),
old_password=REQ(default=""),
new_password=REQ(default=""),
confirm_password=REQ(default="")):
# type: (HttpRequest, UserProfile, text_type, text_type, text_type, text_type) -> HttpResponse
if not (full_name or new_password):
return json_error(_("No new data supplied"))
if new_password != "" or confirm_password != "":
if new_password != confirm_password:
return json_error(
_("New password must match confirmation password!"))
if not authenticate(username=user_profile.email,
password=old_password):
return json_error(_("Wrong password!"))
do_change_password(user_profile, new_password)
# In Django 1.10, password changes invalidates sessions, see
# https://docs.djangoproject.com/en/1.10/topics/auth/default/#session-invalidation-on-password-change
# for details. To avoid this logging the user out of his own
# session (which would provide a confusing UX at best), we
# update the session hash here.
update_session_auth_hash(request, user_profile)
result = {}
if user_profile.full_name != full_name and full_name.strip() != "":
if name_changes_disabled(user_profile.realm):
# Failingly silently is fine -- they can't do it through the UI, so
# they'd have to be trying to break the rules.
pass
else:
new_full_name = full_name.strip()
if len(new_full_name) > UserProfile.MAX_NAME_LENGTH:
return json_error(_("Name too long!"))
do_change_full_name(user_profile, new_full_name)
result['full_name'] = new_full_name
return json_success(result)
def json_change_settings(request, user_profile,
full_name=REQ(default=""),
old_password=REQ(default=""),
new_password=REQ(default=""),
confirm_password=REQ(default="")):
# type: (HttpRequest, UserProfile, text_type, text_type, text_type, text_type) -> HttpResponse
if not (full_name or new_password):
return json_error(_("No new data supplied"))
if new_password != "" or confirm_password != "":
if new_password != confirm_password:
return json_error(_("New password must match confirmation password!"))
if not authenticate(username=user_profile.email, password=old_password):
return json_error(_("Wrong password!"))
do_change_password(user_profile, new_password)
# In Django 1.10, password changes invalidates sessions, see
# https://docs.djangoproject.com/en/1.10/topics/auth/default/#session-invalidation-on-password-change
# for details. To avoid this logging the user out of his own
# session (which would provide a confusing UX at best), we
# update the session hash here.
update_session_auth_hash(request, user_profile)
result = {}
if user_profile.full_name != full_name and full_name.strip() != "":
if name_changes_disabled(user_profile.realm):
# Failingly silently is fine -- they can't do it through the UI, so
# they'd have to be trying to break the rules.
pass
else:
new_full_name = full_name.strip()
if len(new_full_name) > UserProfile.MAX_NAME_LENGTH:
return json_error(_("Name too long!"))
do_change_full_name(user_profile, new_full_name)
result['full_name'] = new_full_name
return json_success(result)
def json_change_settings(
request: HttpRequest,
user_profile: UserProfile,
full_name: str = REQ(default=""),
email: str = REQ(default=""),
old_password: str = REQ(default=""),
new_password: str = REQ(default=""),
twenty_four_hour_time: Optional[bool] = REQ(json_validator=check_bool,
default=None),
dense_mode: Optional[bool] = REQ(json_validator=check_bool, default=None),
starred_message_counts: Optional[bool] = REQ(json_validator=check_bool,
default=None),
fluid_layout_width: Optional[bool] = REQ(json_validator=check_bool,
default=None),
high_contrast_mode: Optional[bool] = REQ(json_validator=check_bool,
default=None),
color_scheme: Optional[int] = REQ(json_validator=check_int_in(
UserProfile.COLOR_SCHEME_CHOICES),
default=None),
translate_emoticons: Optional[bool] = REQ(json_validator=check_bool,
default=None),
default_language: Optional[str] = REQ(default=None),
default_view: Optional[str] = REQ(
str_validator=check_string_in(default_view_options), default=None),
left_side_userlist: Optional[bool] = REQ(json_validator=check_bool,
default=None),
emojiset: Optional[str] = REQ(
str_validator=check_string_in(emojiset_choices), default=None),
demote_inactive_streams: Optional[int] = REQ(json_validator=check_int_in(
UserProfile.DEMOTE_STREAMS_CHOICES),
default=None),
timezone: Optional[str] = REQ(str_validator=check_string_in(
pytz.all_timezones_set),
default=None),
email_notifications_batching_period_seconds: Optional[int] = REQ(
json_validator=check_int, default=None),
enable_stream_desktop_notifications: Optional[bool] = REQ(
json_validator=check_bool, default=None),
enable_stream_email_notifications: Optional[bool] = REQ(
json_validator=check_bool, default=None),
enable_stream_push_notifications: Optional[bool] = REQ(
json_validator=check_bool, default=None),
enable_stream_audible_notifications: Optional[bool] = REQ(
json_validator=check_bool, default=None),
wildcard_mentions_notify: Optional[bool] = REQ(json_validator=check_bool,
default=None),
notification_sound: Optional[str] = REQ(default=None),
enable_desktop_notifications: Optional[bool] = REQ(
json_validator=check_bool, default=None),
enable_sounds: Optional[bool] = REQ(json_validator=check_bool,
default=None),
enable_offline_email_notifications: Optional[bool] = REQ(
json_validator=check_bool, default=None),
enable_offline_push_notifications: Optional[bool] = REQ(
json_validator=check_bool, default=None),
enable_online_push_notifications: Optional[bool] = REQ(
json_validator=check_bool, default=None),
enable_digest_emails: Optional[bool] = REQ(json_validator=check_bool,
default=None),
enable_login_emails: Optional[bool] = REQ(json_validator=check_bool,
default=None),
enable_marketing_emails: Optional[bool] = REQ(json_validator=check_bool,
default=None),
message_content_in_email_notifications: Optional[bool] = REQ(
json_validator=check_bool, default=None),
pm_content_in_desktop_notifications: Optional[bool] = REQ(
json_validator=check_bool, default=None),
desktop_icon_count_display: Optional[int] = REQ(json_validator=check_int,
default=None),
realm_name_in_notifications: Optional[bool] = REQ(
json_validator=check_bool, default=None),
presence_enabled: Optional[bool] = REQ(json_validator=check_bool,
default=None),
enter_sends: Optional[bool] = REQ(json_validator=check_bool, default=None),
) -> HttpResponse:
# We can't use REQ for this widget because
# get_available_language_codes requires provisioning to be
# complete.
if default_language is not None and default_language not in get_available_language_codes(
):
raise JsonableError(_("Invalid default_language"))
if (notification_sound is not None
and notification_sound not in get_available_notification_sounds()
and notification_sound != "none"):
raise JsonableError(
_("Invalid notification sound '{}'").format(notification_sound))
if email_notifications_batching_period_seconds is not None and (
email_notifications_batching_period_seconds <= 0
or email_notifications_batching_period_seconds > 7 * 24 * 60 * 60):
# We set a limit of one week for the batching period
raise JsonableError(
_("Invalid email batching period: {} seconds").format(
email_notifications_batching_period_seconds))
if new_password != "":
return_data: Dict[str, Any] = {}
if email_belongs_to_ldap(user_profile.realm,
user_profile.delivery_email):
raise JsonableError(_("Your Zulip password is managed in LDAP"))
try:
if not authenticate(
request,
username=user_profile.delivery_email,
password=old_password,
realm=user_profile.realm,
return_data=return_data,
):
raise JsonableError(_("Wrong password!"))
except RateLimited as e:
assert e.secs_to_freedom is not None
secs_to_freedom = int(e.secs_to_freedom)
raise JsonableError(
_("You're making too many attempts! Try again in {} seconds.").
format(secs_to_freedom), )
if not check_password_strength(new_password):
raise JsonableError(_("New password is too weak!"))
do_change_password(user_profile, new_password)
# In Django 1.10, password changes invalidates sessions, see
# https://docs.djangoproject.com/en/1.10/topics/auth/default/#session-invalidation-on-password-change
# for details. To avoid this logging the user out of their own
# session (which would provide a confusing UX at best), we
# update the session hash here.
update_session_auth_hash(request, user_profile)
# We also save the session to the DB immediately to mitigate
# race conditions. In theory, there is still a race condition
# and to completely avoid it we will have to use some kind of
# mutex lock in `django.contrib.auth.get_user` where session
# is verified. To make that lock work we will have to control
# the AuthenticationMiddleware which is currently controlled
# by Django,
request.session.save()
result: Dict[str, Any] = {}
new_email = email.strip()
if user_profile.delivery_email != new_email and new_email != "":
if user_profile.realm.email_changes_disabled and not user_profile.is_realm_admin:
raise JsonableError(
_("Email address changes are disabled in this organization."))
error = validate_email_is_valid(
new_email,
get_realm_email_validator(user_profile.realm),
)
if error:
raise JsonableError(error)
try:
validate_email_not_already_in_realm(
user_profile.realm,
new_email,
verbose=False,
)
except ValidationError as e:
raise JsonableError(e.message)
do_start_email_change_process(user_profile, new_email)
if user_profile.full_name != full_name and full_name.strip() != "":
if name_changes_disabled(
user_profile.realm) and not user_profile.is_realm_admin:
# Failingly silently is fine -- they can't do it through the UI, so
# they'd have to be trying to break the rules.
pass
else:
# Note that check_change_full_name strips the passed name automatically
check_change_full_name(user_profile, full_name, user_profile)
# Loop over user_profile.property_types
request_settings = {
k: v
for k, v in list(locals().items()) if k in user_profile.property_types
}
for k, v in list(request_settings.items()):
if v is not None and getattr(user_profile, k) != v:
do_set_user_display_setting(user_profile, k, v)
req_vars = {
k: v
for k, v in list(locals().items())
if k in user_profile.notification_setting_types
}
for k, v in list(req_vars.items()):
if v is not None and getattr(user_profile, k) != v:
do_change_notification_settings(user_profile,
k,
v,
acting_user=user_profile)
if timezone is not None and user_profile.timezone != timezone:
do_set_user_display_setting(user_profile, "timezone", timezone)
# TODO: Do this more generally.
from zerver.lib.request import get_request_notes
request_notes = get_request_notes(request)
for req_var in request.POST:
if req_var not in request_notes.processed_parameters:
request_notes.ignored_parameters.add(req_var)
if len(request_notes.ignored_parameters) > 0:
result["ignored_parameters_unsupported"] = list(
request_notes.ignored_parameters)
return json_success(result)
def accounts_register(request: HttpRequest) -> HttpResponse:
key = request.POST['key']
confirmation = Confirmation.objects.get(confirmation_key=key)
prereg_user = confirmation.content_object
email = prereg_user.email
realm_creation = prereg_user.realm_creation
password_required = prereg_user.password_required
is_realm_admin = prereg_user.invited_as == PreregistrationUser.INVITE_AS[
'REALM_ADMIN'] or realm_creation
is_guest = prereg_user.invited_as == PreregistrationUser.INVITE_AS[
'GUEST_USER']
try:
validators.validate_email(email)
except ValidationError:
return render(request,
"zerver/invalid_email.html",
context={"invalid_email": True})
if realm_creation:
# For creating a new realm, there is no existing realm or domain
realm = None
else:
if get_subdomain(request) != prereg_user.realm.string_id:
return render_confirmation_key_error(
request,
ConfirmationKeyException(
ConfirmationKeyException.DOES_NOT_EXIST))
realm = prereg_user.realm
try:
email_allowed_for_realm(email, realm)
except DomainNotAllowedForRealmError:
return render(request,
"zerver/invalid_email.html",
context={
"realm_name": realm.name,
"closed_domain": True
})
except DisposableEmailError:
return render(request,
"zerver/invalid_email.html",
context={
"realm_name": realm.name,
"disposable_emails_not_allowed": True
})
except EmailContainsPlusError:
return render(request,
"zerver/invalid_email.html",
context={
"realm_name": realm.name,
"email_contains_plus": True
})
if realm.deactivated:
# The user is trying to register for a deactivated realm. Advise them to
# contact support.
return redirect_to_deactivation_notice()
try:
validate_email_for_realm(realm, email)
except ValidationError:
return HttpResponseRedirect(
reverse('django.contrib.auth.views.login') + '?email=' +
urllib.parse.quote_plus(email))
name_validated = False
full_name = None
require_ldap_password = False
if request.POST.get('from_confirmation'):
try:
del request.session['authenticated_full_name']
except KeyError:
pass
ldap_full_name = None
if settings.POPULATE_PROFILE_VIA_LDAP:
# If the user can be found in LDAP, we'll take the full name from the directory,
# and further down create a form pre-filled with it.
for backend in get_backends():
if isinstance(backend, LDAPBackend):
try:
ldap_username = backend.django_to_ldap_username(email)
except ZulipLDAPExceptionNoMatchingLDAPUser:
logging.warning(
"New account email %s could not be found in LDAP" %
(email, ))
break
# Note that this `ldap_user` object is not a
# `ZulipLDAPUser` with a `Realm` attached, so
# calling `.populate_user()` on it will crash.
# This is OK, since we're just accessing this user
# to extract its name.
#
# TODO: We should potentially be accessing this
# user to sync its initial avatar and custom
# profile fields as well, if we indeed end up
# creating a user account through this flow,
# rather than waiting until `manage.py
# sync_ldap_user_data` runs to populate it.
ldap_user = _LDAPUser(backend, ldap_username)
try:
ldap_full_name, _ = backend.get_mapped_name(ldap_user)
except TypeError:
break
# Check whether this is ZulipLDAPAuthBackend,
# which is responsible for authentication and
# requires that LDAP accounts enter their LDAP
# password to register, or ZulipLDAPUserPopulator,
# which just populates UserProfile fields (no auth).
require_ldap_password = isinstance(backend,
ZulipLDAPAuthBackend)
break
if ldap_full_name:
# We don't use initial= here, because if the form is
# complete (that is, no additional fields need to be
# filled out by the user) we want the form to validate,
# so they can be directly registered without having to
# go through this interstitial.
form = RegistrationForm({'full_name': ldap_full_name},
realm_creation=realm_creation)
request.session['authenticated_full_name'] = ldap_full_name
name_validated = True
elif realm is not None and realm.is_zephyr_mirror_realm:
# For MIT users, we can get an authoritative name from Hesiod.
# Technically we should check that this is actually an MIT
# realm, but we can cross that bridge if we ever get a non-MIT
# zephyr mirroring realm.
hesiod_name = compute_mit_user_fullname(email)
form = RegistrationForm(initial={
'full_name':
hesiod_name if "@" not in hesiod_name else ""
},
realm_creation=realm_creation)
name_validated = True
elif prereg_user.full_name:
if prereg_user.full_name_validated:
request.session[
'authenticated_full_name'] = prereg_user.full_name
name_validated = True
form = RegistrationForm({'full_name': prereg_user.full_name},
realm_creation=realm_creation)
else:
form = RegistrationForm(
initial={'full_name': prereg_user.full_name},
realm_creation=realm_creation)
elif 'full_name' in request.POST:
form = RegistrationForm(
initial={'full_name': request.POST.get('full_name')},
realm_creation=realm_creation)
else:
form = RegistrationForm(realm_creation=realm_creation)
else:
postdata = request.POST.copy()
if name_changes_disabled(realm):
# If we populate profile information via LDAP and we have a
# verified name from you on file, use that. Otherwise, fall
# back to the full name in the request.
try:
postdata.update(
{'full_name': request.session['authenticated_full_name']})
name_validated = True
except KeyError:
pass
form = RegistrationForm(postdata, realm_creation=realm_creation)
if not (password_auth_enabled(realm) and password_required):
form['password'].field.required = False
if form.is_valid():
if password_auth_enabled(realm) and form['password'].field.required:
password = form.cleaned_data['password']
else:
# If the user wasn't prompted for a password when
# completing the authentication form (because they're
# signing up with SSO and no password is required), set
# the password field to `None` (Which causes Django to
# create an unusable password).
password = None
if realm_creation:
string_id = form.cleaned_data['realm_subdomain']
realm_name = form.cleaned_data['realm_name']
realm = do_create_realm(string_id, realm_name)
setup_realm_internal_bots(realm)
assert (realm is not None)
full_name = form.cleaned_data['full_name']
short_name = email_to_username(email)
default_stream_group_names = request.POST.getlist(
'default_stream_group')
default_stream_groups = lookup_default_stream_groups(
default_stream_group_names, realm)
timezone = ""
if 'timezone' in request.POST and request.POST[
'timezone'] in get_all_timezones():
timezone = request.POST['timezone']
if 'source_realm' in request.POST and request.POST[
"source_realm"] != "on":
source_profile = get_source_profile(email,
request.POST["source_realm"])
else:
source_profile = None
if not realm_creation:
try:
existing_user_profile = get_user_by_delivery_email(
email, realm) # type: Optional[UserProfile]
except UserProfile.DoesNotExist:
existing_user_profile = None
else:
existing_user_profile = None
user_profile = None # type: Optional[UserProfile]
return_data = {} # type: Dict[str, bool]
if ldap_auth_enabled(realm):
# If the user was authenticated using an external SSO
# mechanism like Google or GitHub auth, then authentication
# will have already been done before creating the
# PreregistrationUser object with password_required=False, and
# so we don't need to worry about passwords.
#
# If instead the realm is using EmailAuthBackend, we will
# set their password above.
#
# But if the realm is using LDAPAuthBackend, we need to verify
# their LDAP password (which will, as a side effect, create
# the user account) here using authenticate.
# pregeg_user.realm_creation carries the information about whether
# we're in realm creation mode, and the ldap flow will handle
# that and create the user with the appropriate parameters.
user_profile = authenticate(request,
username=email,
password=password,
realm=realm,
prereg_user=prereg_user,
return_data=return_data)
if user_profile is None:
can_use_different_backend = email_auth_enabled(
realm) or any_social_backend_enabled(realm)
if settings.LDAP_APPEND_DOMAIN:
# In LDAP_APPEND_DOMAIN configurations, we don't allow making a non-ldap account
# if the email matches the ldap domain.
can_use_different_backend = can_use_different_backend and (
not email_belongs_to_ldap(realm, email))
if return_data.get(
"no_matching_ldap_user") and can_use_different_backend:
# If both the LDAP and Email or Social auth backends are
# enabled, and there's no matching user in the LDAP
# directory then the intent is to create a user in the
# realm with their email outside the LDAP organization
# (with e.g. a password stored in the Zulip database,
# not LDAP). So we fall through and create the new
# account.
pass
else:
# TODO: This probably isn't going to give a
# user-friendly error message, but it doesn't
# particularly matter, because the registration form
# is hidden for most users.
return HttpResponseRedirect(
reverse('django.contrib.auth.views.login') +
'?email=' + urllib.parse.quote_plus(email))
elif not realm_creation:
# Since we'll have created a user, we now just log them in.
return login_and_go_to_home(request, user_profile)
else:
# With realm_creation=True, we're going to return further down,
# after finishing up the creation process.
pass
if existing_user_profile is not None and existing_user_profile.is_mirror_dummy:
user_profile = existing_user_profile
do_activate_user(user_profile)
do_change_password(user_profile, password)
do_change_full_name(user_profile, full_name, user_profile)
do_set_user_display_setting(user_profile, 'timezone', timezone)
# TODO: When we clean up the `do_activate_user` code path,
# make it respect invited_as_admin / is_realm_admin.
if user_profile is None:
user_profile = do_create_user(
email,
password,
realm,
full_name,
short_name,
prereg_user=prereg_user,
is_realm_admin=is_realm_admin,
is_guest=is_guest,
tos_version=settings.TOS_VERSION,
timezone=timezone,
newsletter_data={"IP": request.META['REMOTE_ADDR']},
default_stream_groups=default_stream_groups,
source_profile=source_profile,
realm_creation=realm_creation)
if realm_creation:
bulk_add_subscriptions([realm.signup_notifications_stream],
[user_profile])
send_initial_realm_messages(realm)
# Because for realm creation, registration happens on the
# root domain, we need to log them into the subdomain for
# their new realm.
return redirect_and_log_into_subdomain(realm, full_name, email)
# This dummy_backend check below confirms the user is
# authenticating to the correct subdomain.
auth_result = authenticate(username=user_profile.delivery_email,
realm=realm,
return_data=return_data,
use_dummy_backend=True)
if return_data.get('invalid_subdomain'):
# By construction, this should never happen.
logging.error("Subdomain mismatch in registration %s: %s" % (
realm.subdomain,
user_profile.delivery_email,
))
return redirect('/')
return login_and_go_to_home(request, auth_result)
return render(
request,
'zerver/register.html',
context={
'form': form,
'email': email,
'key': key,
'full_name': request.session.get('authenticated_full_name', None),
'lock_name': name_validated and name_changes_disabled(realm),
# password_auth_enabled is normally set via our context processor,
# but for the registration form, there is no logged in user yet, so
# we have to set it here.
'creating_new_team': realm_creation,
'password_required': password_auth_enabled(realm)
and password_required,
'require_ldap_password': require_ldap_password,
'password_auth_enabled': password_auth_enabled(realm),
'root_domain_available': is_root_domain_available(),
'default_stream_groups': get_default_stream_groups(realm),
'accounts': get_accounts_for_email(email),
'MAX_REALM_NAME_LENGTH': str(Realm.MAX_REALM_NAME_LENGTH),
'MAX_NAME_LENGTH': str(UserProfile.MAX_NAME_LENGTH),
'MAX_PASSWORD_LENGTH': str(form.MAX_PASSWORD_LENGTH),
'MAX_REALM_SUBDOMAIN_LENGTH': str(Realm.MAX_REALM_SUBDOMAIN_LENGTH)
})
def accounts_register(
request: HttpRequest,
key: str = REQ(default=""),
timezone: str = REQ(default="", converter=to_timezone_or_empty),
from_confirmation: Optional[str] = REQ(default=None),
form_full_name: Optional[str] = REQ("full_name", default=None),
source_realm_id: Optional[int] = REQ(
default=None, converter=to_converted_or_fallback(to_non_negative_int, None)
),
) -> HttpResponse:
try:
prereg_user = check_prereg_key(request, key)
except ConfirmationKeyException as e:
return render_confirmation_key_error(request, e)
email = prereg_user.email
realm_creation = prereg_user.realm_creation
password_required = prereg_user.password_required
role = prereg_user.invited_as
if realm_creation:
role = UserProfile.ROLE_REALM_OWNER
try:
validators.validate_email(email)
except ValidationError:
return render(request, "zerver/invalid_email.html", context={"invalid_email": True})
if realm_creation:
# For creating a new realm, there is no existing realm or domain
realm = None
else:
assert prereg_user.realm is not None
if get_subdomain(request) != prereg_user.realm.string_id:
return render_confirmation_key_error(
request, ConfirmationKeyException(ConfirmationKeyException.DOES_NOT_EXIST)
)
realm = prereg_user.realm
try:
email_allowed_for_realm(email, realm)
except DomainNotAllowedForRealmError:
return render(
request,
"zerver/invalid_email.html",
context={"realm_name": realm.name, "closed_domain": True},
)
except DisposableEmailError:
return render(
request,
"zerver/invalid_email.html",
context={"realm_name": realm.name, "disposable_emails_not_allowed": True},
)
except EmailContainsPlusError:
return render(
request,
"zerver/invalid_email.html",
context={"realm_name": realm.name, "email_contains_plus": True},
)
if realm.deactivated:
# The user is trying to register for a deactivated realm. Advise them to
# contact support.
return redirect_to_deactivation_notice()
try:
validate_email_not_already_in_realm(realm, email)
except ValidationError:
return redirect_to_email_login_url(email)
if settings.BILLING_ENABLED:
try:
check_spare_licenses_available_for_registering_new_user(realm, email)
except LicenseLimitError:
return render(request, "zerver/no_spare_licenses.html")
name_validated = False
require_ldap_password = False
if from_confirmation:
try:
del request.session["authenticated_full_name"]
except KeyError:
pass
ldap_full_name = None
if settings.POPULATE_PROFILE_VIA_LDAP:
# If the user can be found in LDAP, we'll take the full name from the directory,
# and further down create a form pre-filled with it.
for backend in get_backends():
if isinstance(backend, LDAPBackend):
try:
ldap_username = backend.django_to_ldap_username(email)
except ZulipLDAPExceptionNoMatchingLDAPUser:
logging.warning("New account email %s could not be found in LDAP", email)
break
# Note that this `ldap_user` object is not a
# `ZulipLDAPUser` with a `Realm` attached, so
# calling `.populate_user()` on it will crash.
# This is OK, since we're just accessing this user
# to extract its name.
#
# TODO: We should potentially be accessing this
# user to sync its initial avatar and custom
# profile fields as well, if we indeed end up
# creating a user account through this flow,
# rather than waiting until `manage.py
# sync_ldap_user_data` runs to populate it.
ldap_user = _LDAPUser(backend, ldap_username)
try:
ldap_full_name = backend.get_mapped_name(ldap_user)
except TypeError:
break
# Check whether this is ZulipLDAPAuthBackend,
# which is responsible for authentication and
# requires that LDAP accounts enter their LDAP
# password to register, or ZulipLDAPUserPopulator,
# which just populates UserProfile fields (no auth).
require_ldap_password = isinstance(backend, ZulipLDAPAuthBackend)
break
if ldap_full_name:
# We don't use initial= here, because if the form is
# complete (that is, no additional fields need to be
# filled out by the user) we want the form to validate,
# so they can be directly registered without having to
# go through this interstitial.
form = RegistrationForm({"full_name": ldap_full_name}, realm_creation=realm_creation)
request.session["authenticated_full_name"] = ldap_full_name
name_validated = True
elif realm is not None and realm.is_zephyr_mirror_realm:
# For MIT users, we can get an authoritative name from Hesiod.
# Technically we should check that this is actually an MIT
# realm, but we can cross that bridge if we ever get a non-MIT
# zephyr mirroring realm.
hesiod_name = compute_mit_user_fullname(email)
form = RegistrationForm(
initial={"full_name": hesiod_name if "@" not in hesiod_name else ""},
realm_creation=realm_creation,
)
name_validated = True
elif prereg_user.full_name:
if prereg_user.full_name_validated:
request.session["authenticated_full_name"] = prereg_user.full_name
name_validated = True
form = RegistrationForm(
{"full_name": prereg_user.full_name}, realm_creation=realm_creation
)
else:
form = RegistrationForm(
initial={"full_name": prereg_user.full_name}, realm_creation=realm_creation
)
elif form_full_name is not None:
form = RegistrationForm(
initial={"full_name": form_full_name},
realm_creation=realm_creation,
)
else:
form = RegistrationForm(realm_creation=realm_creation)
else:
postdata = request.POST.copy()
if name_changes_disabled(realm):
# If we populate profile information via LDAP and we have a
# verified name from you on file, use that. Otherwise, fall
# back to the full name in the request.
try:
postdata.update(full_name=request.session["authenticated_full_name"])
name_validated = True
except KeyError:
pass
form = RegistrationForm(postdata, realm_creation=realm_creation)
if not (password_auth_enabled(realm) and password_required):
form["password"].field.required = False
if form.is_valid():
if password_auth_enabled(realm) and form["password"].field.required:
password = form.cleaned_data["password"]
else:
# If the user wasn't prompted for a password when
# completing the authentication form (because they're
# signing up with SSO and no password is required), set
# the password field to `None` (Which causes Django to
# create an unusable password).
password = None
if realm_creation:
string_id = form.cleaned_data["realm_subdomain"]
realm_name = form.cleaned_data["realm_name"]
realm_type = form.cleaned_data["realm_type"]
is_demo_org = form.cleaned_data["is_demo_organization"]
realm = do_create_realm(
string_id, realm_name, org_type=realm_type, is_demo_organization=is_demo_org
)
setup_realm_internal_bots(realm)
assert realm is not None
full_name = form.cleaned_data["full_name"]
enable_marketing_emails = form.cleaned_data["enable_marketing_emails"]
default_stream_group_names = request.POST.getlist("default_stream_group")
default_stream_groups = lookup_default_stream_groups(default_stream_group_names, realm)
if source_realm_id is not None:
# Non-integer realm_id values like "string" are treated
# like the "Do not import" value of "".
source_profile: Optional[UserProfile] = get_source_profile(email, source_realm_id)
else:
source_profile = None
if not realm_creation:
try:
existing_user_profile: Optional[UserProfile] = get_user_by_delivery_email(
email, realm
)
except UserProfile.DoesNotExist:
existing_user_profile = None
else:
existing_user_profile = None
user_profile: Optional[UserProfile] = None
return_data: Dict[str, bool] = {}
if ldap_auth_enabled(realm):
# If the user was authenticated using an external SSO
# mechanism like Google or GitHub auth, then authentication
# will have already been done before creating the
# PreregistrationUser object with password_required=False, and
# so we don't need to worry about passwords.
#
# If instead the realm is using EmailAuthBackend, we will
# set their password above.
#
# But if the realm is using LDAPAuthBackend, we need to verify
# their LDAP password (which will, as a side effect, create
# the user account) here using authenticate.
# pregeg_user.realm_creation carries the information about whether
# we're in realm creation mode, and the ldap flow will handle
# that and create the user with the appropriate parameters.
user_profile = authenticate(
request=request,
username=email,
password=password,
realm=realm,
prereg_user=prereg_user,
return_data=return_data,
)
if user_profile is None:
can_use_different_backend = email_auth_enabled(realm) or (
len(get_external_method_dicts(realm)) > 0
)
if settings.LDAP_APPEND_DOMAIN:
# In LDAP_APPEND_DOMAIN configurations, we don't allow making a non-LDAP account
# if the email matches the ldap domain.
can_use_different_backend = can_use_different_backend and (
not email_belongs_to_ldap(realm, email)
)
if return_data.get("no_matching_ldap_user") and can_use_different_backend:
# If both the LDAP and Email or Social auth backends are
# enabled, and there's no matching user in the LDAP
# directory then the intent is to create a user in the
# realm with their email outside the LDAP organization
# (with e.g. a password stored in the Zulip database,
# not LDAP). So we fall through and create the new
# account.
pass
else:
# TODO: This probably isn't going to give a
# user-friendly error message, but it doesn't
# particularly matter, because the registration form
# is hidden for most users.
view_url = reverse("login")
query = urlencode({"email": email})
redirect_url = append_url_query_string(view_url, query)
return HttpResponseRedirect(redirect_url)
elif not realm_creation:
# Since we'll have created a user, we now just log them in.
return login_and_go_to_home(request, user_profile)
else:
# With realm_creation=True, we're going to return further down,
# after finishing up the creation process.
pass
if existing_user_profile is not None and existing_user_profile.is_mirror_dummy:
user_profile = existing_user_profile
do_activate_mirror_dummy_user(user_profile, acting_user=user_profile)
do_change_password(user_profile, password)
do_change_full_name(user_profile, full_name, user_profile)
do_change_user_setting(user_profile, "timezone", timezone, acting_user=user_profile)
# TODO: When we clean up the `do_activate_mirror_dummy_user` code path,
# make it respect invited_as_admin / is_realm_admin.
if user_profile is None:
user_profile = do_create_user(
email,
password,
realm,
full_name,
prereg_user=prereg_user,
role=role,
tos_version=settings.TOS_VERSION,
timezone=timezone,
default_stream_groups=default_stream_groups,
source_profile=source_profile,
realm_creation=realm_creation,
acting_user=None,
enable_marketing_emails=enable_marketing_emails,
)
if realm_creation:
assert realm.signup_notifications_stream is not None
bulk_add_subscriptions(
realm, [realm.signup_notifications_stream], [user_profile], acting_user=None
)
send_initial_realm_messages(realm)
# Because for realm creation, registration happens on the
# root domain, we need to log them into the subdomain for
# their new realm.
return redirect_and_log_into_subdomain(
ExternalAuthResult(user_profile=user_profile, data_dict={"is_realm_creation": True})
)
# This dummy_backend check below confirms the user is
# authenticating to the correct subdomain.
auth_result = authenticate(
username=user_profile.delivery_email,
realm=realm,
return_data=return_data,
use_dummy_backend=True,
)
if return_data.get("invalid_subdomain"):
# By construction, this should never happen.
logging.error(
"Subdomain mismatch in registration %s: %s",
realm.subdomain,
user_profile.delivery_email,
)
return redirect("/")
return login_and_go_to_home(request, auth_result)
return render(
request,
"zerver/register.html",
context={
"form": form,
"email": email,
"key": key,
"full_name": request.session.get("authenticated_full_name", None),
"lock_name": name_validated and name_changes_disabled(realm),
# password_auth_enabled is normally set via our context processor,
# but for the registration form, there is no logged in user yet, so
# we have to set it here.
"creating_new_team": realm_creation,
"password_required": password_auth_enabled(realm) and password_required,
"require_ldap_password": require_ldap_password,
"password_auth_enabled": password_auth_enabled(realm),
"root_domain_available": is_root_domain_available(),
"default_stream_groups": [] if realm is None else get_default_stream_groups(realm),
"accounts": get_accounts_for_email(email),
"MAX_REALM_NAME_LENGTH": str(Realm.MAX_REALM_NAME_LENGTH),
"MAX_NAME_LENGTH": str(UserProfile.MAX_NAME_LENGTH),
"MAX_PASSWORD_LENGTH": str(form.MAX_PASSWORD_LENGTH),
"MAX_REALM_SUBDOMAIN_LENGTH": str(Realm.MAX_REALM_SUBDOMAIN_LENGTH),
"sorted_realm_types": sorted(
Realm.ORG_TYPES.values(), key=lambda d: d["display_order"]
),
},
)
def accounts_register(request):
# type: (HttpRequest) -> HttpResponse
key = request.POST['key']
confirmation = Confirmation.objects.get(confirmation_key=key)
prereg_user = confirmation.content_object
email = prereg_user.email
realm_creation = prereg_user.realm_creation
password_required = prereg_user.password_required
validators.validate_email(email)
if prereg_user.referred_by:
# If someone invited you, you are joining their realm regardless
# of your e-mail address.
realm = prereg_user.referred_by.realm
elif realm_creation:
# For creating a new realm, there is no existing realm or domain
realm = None
else:
realm = get_realm(get_subdomain(request))
if realm and not email_allowed_for_realm(email, realm):
return render(request,
"zerver/closed_realm.html",
context={"closed_domain_name": realm.name})
if realm and realm.deactivated:
# The user is trying to register for a deactivated realm. Advise them to
# contact support.
return redirect_to_deactivation_notice()
try:
validate_email_for_realm(realm, email)
except ValidationError:
return HttpResponseRedirect(
reverse('django.contrib.auth.views.login') + '?email=' +
urllib.parse.quote_plus(email))
name_validated = False
full_name = None
if request.POST.get('from_confirmation'):
try:
del request.session['authenticated_full_name']
except KeyError:
pass
if realm is not None and realm.is_zephyr_mirror_realm:
# For MIT users, we can get an authoritative name from Hesiod.
# Technically we should check that this is actually an MIT
# realm, but we can cross that bridge if we ever get a non-MIT
# zephyr mirroring realm.
hesiod_name = compute_mit_user_fullname(email)
form = RegistrationForm(initial={
'full_name':
hesiod_name if "@" not in hesiod_name else ""
},
realm_creation=realm_creation)
name_validated = True
elif settings.POPULATE_PROFILE_VIA_LDAP:
for backend in get_backends():
if isinstance(backend, LDAPBackend):
ldap_attrs = _LDAPUser(
backend, backend.django_to_ldap_username(email)).attrs
try:
ldap_full_name = ldap_attrs[
settings.AUTH_LDAP_USER_ATTR_MAP['full_name']][0]
request.session[
'authenticated_full_name'] = ldap_full_name
name_validated = True
# We don't use initial= here, because if the form is
# complete (that is, no additional fields need to be
# filled out by the user) we want the form to validate,
# so they can be directly registered without having to
# go through this interstitial.
form = RegistrationForm({'full_name': ldap_full_name},
realm_creation=realm_creation)
# FIXME: This will result in the user getting
# validation errors if they have to enter a password.
# Not relevant for ONLY_SSO, though.
break
except TypeError:
# Let the user fill out a name and/or try another backend
form = RegistrationForm(realm_creation=realm_creation)
elif 'full_name' in request.POST:
form = RegistrationForm(
initial={'full_name': request.POST.get('full_name')},
realm_creation=realm_creation)
else:
form = RegistrationForm(realm_creation=realm_creation)
else:
postdata = request.POST.copy()
if name_changes_disabled(realm):
# If we populate profile information via LDAP and we have a
# verified name from you on file, use that. Otherwise, fall
# back to the full name in the request.
try:
postdata.update(
{'full_name': request.session['authenticated_full_name']})
name_validated = True
except KeyError:
pass
form = RegistrationForm(postdata, realm_creation=realm_creation)
if not (password_auth_enabled(realm) and password_required):
form['password'].field.required = False
if form.is_valid():
if password_auth_enabled(realm):
password = form.cleaned_data['password']
else:
# SSO users don't need no passwords
password = None
if realm_creation:
string_id = form.cleaned_data['realm_subdomain']
realm_name = form.cleaned_data['realm_name']
realm = do_create_realm(string_id, realm_name)
setup_initial_streams(realm)
assert (realm is not None)
full_name = form.cleaned_data['full_name']
short_name = email_to_username(email)
default_stream_group_names = request.POST.getlist(
'default_stream_group')
default_stream_groups = lookup_default_stream_groups(
default_stream_group_names, realm)
timezone = u""
if 'timezone' in request.POST and request.POST[
'timezone'] in get_all_timezones():
timezone = request.POST['timezone']
try:
existing_user_profile = get_user_profile_by_email(email)
except UserProfile.DoesNotExist:
existing_user_profile = None
return_data = {} # type: Dict[str, bool]
if ldap_auth_enabled(realm):
# If the user was authenticated using an external SSO
# mechanism like Google or GitHub auth, then authentication
# will have already been done before creating the
# PreregistrationUser object with password_required=False, and
# so we don't need to worry about passwords.
#
# If instead the realm is using EmailAuthBackend, we will
# set their password above.
#
# But if the realm is using LDAPAuthBackend, we need to verify
# their LDAP password (which will, as a side effect, create
# the user account) here using authenticate.
auth_result = authenticate(request,
username=email,
password=password,
realm_subdomain=realm.subdomain,
return_data=return_data)
if auth_result is None:
# TODO: This probably isn't going to give a
# user-friendly error message, but it doesn't
# particularly matter, because the registration form
# is hidden for most users.
return HttpResponseRedirect(
reverse('django.contrib.auth.views.login') + '?email=' +
urllib.parse.quote_plus(email))
# Since we'll have created a user, we now just log them in.
return login_and_go_to_home(request, auth_result)
elif existing_user_profile is not None and existing_user_profile.is_mirror_dummy:
user_profile = existing_user_profile
do_activate_user(user_profile)
do_change_password(user_profile, password)
do_change_full_name(user_profile, full_name, user_profile)
do_set_user_display_setting(user_profile, 'timezone', timezone)
else:
user_profile = do_create_user(
email,
password,
realm,
full_name,
short_name,
prereg_user=prereg_user,
is_realm_admin=realm_creation,
tos_version=settings.TOS_VERSION,
timezone=timezone,
newsletter_data={"IP": request.META['REMOTE_ADDR']},
default_stream_groups=default_stream_groups)
if realm_creation:
setup_initial_private_stream(user_profile)
send_initial_realm_messages(realm)
if realm_creation:
# Because for realm creation, registration happens on the
# root domain, we need to log them into the subdomain for
# their new realm.
return redirect_and_log_into_subdomain(realm, full_name, email)
# This dummy_backend check below confirms the user is
# authenticating to the correct subdomain.
auth_result = authenticate(username=user_profile.email,
realm_subdomain=realm.subdomain,
return_data=return_data,
use_dummy_backend=True)
if return_data.get('invalid_subdomain'):
# By construction, this should never happen.
logging.error("Subdomain mismatch in registration %s: %s" % (
realm.subdomain,
user_profile.email,
))
return redirect('/')
return login_and_go_to_home(request, auth_result)
return render(
request,
'zerver/register.html',
context={
'form': form,
'email': email,
'key': key,
'full_name': request.session.get('authenticated_full_name', None),
'lock_name': name_validated and name_changes_disabled(realm),
# password_auth_enabled is normally set via our context processor,
# but for the registration form, there is no logged in user yet, so
# we have to set it here.
'creating_new_team': realm_creation,
'password_required': password_auth_enabled(realm)
and password_required,
'password_auth_enabled': password_auth_enabled(realm),
'root_domain_available': is_root_domain_available(),
'default_stream_groups': get_default_stream_groups(realm),
'MAX_REALM_NAME_LENGTH': str(Realm.MAX_REALM_NAME_LENGTH),
'MAX_NAME_LENGTH': str(UserProfile.MAX_NAME_LENGTH),
'MAX_PASSWORD_LENGTH': str(form.MAX_PASSWORD_LENGTH),
'MAX_REALM_SUBDOMAIN_LENGTH': str(Realm.MAX_REALM_SUBDOMAIN_LENGTH)
})
def accounts_register(request):
# type: (HttpRequest) -> HttpResponse
key = request.POST['key']
confirmation = Confirmation.objects.get(confirmation_key=key)
prereg_user = confirmation.content_object
email = prereg_user.email
realm_creation = prereg_user.realm_creation
try:
existing_user_profile = get_user_profile_by_email(email)
except UserProfile.DoesNotExist:
existing_user_profile = None
validators.validate_email(email)
# If OPEN_REALM_CREATION is enabled all user sign ups should go through the
# special URL with domain name so that REALM can be identified if multiple realms exist
unique_open_realm = get_unique_open_realm()
if unique_open_realm is not None:
realm = unique_open_realm
elif prereg_user.referred_by:
# If someone invited you, you are joining their realm regardless
# of your e-mail address.
realm = prereg_user.referred_by.realm
elif prereg_user.realm:
# You have a realm set, even though nobody referred you. This
# happens if you sign up through a special URL for an open realm.
realm = prereg_user.realm
elif realm_creation:
# For creating a new realm, there is no existing realm or domain
realm = None
elif settings.REALMS_HAVE_SUBDOMAINS:
realm = get_realm(get_subdomain(request))
else:
realm = get_realm_by_email_domain(email)
if realm and not email_allowed_for_realm(email, realm):
return render(request,
"zerver/closed_realm.html",
context={"closed_domain_name": realm.name})
if realm and realm.deactivated:
# The user is trying to register for a deactivated realm. Advise them to
# contact support.
return render(request,
"zerver/deactivated.html",
context={
"deactivated_domain_name": realm.name,
"zulip_administrator": settings.ZULIP_ADMINISTRATOR
})
try:
if existing_user_profile is not None and existing_user_profile.is_mirror_dummy:
# Mirror dummy users to be activated must be inactive
is_inactive(email)
else:
# Other users should not already exist at all.
user_email_is_unique(email)
except ValidationError:
return HttpResponseRedirect(
reverse('django.contrib.auth.views.login') + '?email=' +
urllib.parse.quote_plus(email))
name_validated = False
full_name = None
if request.POST.get('from_confirmation'):
try:
del request.session['authenticated_full_name']
except KeyError:
pass
if realm is not None and realm.is_zephyr_mirror_realm:
# For MIT users, we can get an authoritative name from Hesiod.
# Technically we should check that this is actually an MIT
# realm, but we can cross that bridge if we ever get a non-MIT
# zephyr mirroring realm.
hesiod_name = compute_mit_user_fullname(email)
form = RegistrationForm(
initial={
'full_name': hesiod_name if "@" not in hesiod_name else ""
})
name_validated = True
elif settings.POPULATE_PROFILE_VIA_LDAP:
for backend in get_backends():
if isinstance(backend, LDAPBackend):
ldap_attrs = _LDAPUser(
backend, backend.django_to_ldap_username(email)).attrs
try:
ldap_full_name = ldap_attrs[
settings.AUTH_LDAP_USER_ATTR_MAP['full_name']][0]
request.session[
'authenticated_full_name'] = ldap_full_name
name_validated = True
# We don't use initial= here, because if the form is
# complete (that is, no additional fields need to be
# filled out by the user) we want the form to validate,
# so they can be directly registered without having to
# go through this interstitial.
form = RegistrationForm({'full_name': ldap_full_name})
# FIXME: This will result in the user getting
# validation errors if they have to enter a password.
# Not relevant for ONLY_SSO, though.
break
except TypeError:
# Let the user fill out a name and/or try another backend
form = RegistrationForm()
elif 'full_name' in request.POST:
form = RegistrationForm(
initial={'full_name': request.POST.get('full_name')})
else:
form = RegistrationForm()
else:
postdata = request.POST.copy()
if name_changes_disabled(realm):
# If we populate profile information via LDAP and we have a
# verified name from you on file, use that. Otherwise, fall
# back to the full name in the request.
try:
postdata.update(
{'full_name': request.session['authenticated_full_name']})
name_validated = True
except KeyError:
pass
form = RegistrationForm(postdata)
if not password_auth_enabled(realm):
form['password'].field.required = False
if form.is_valid():
if password_auth_enabled(realm):
password = form.cleaned_data['password']
else:
# SSO users don't need no passwords
password = None
if realm_creation:
string_id = form.cleaned_data['realm_subdomain']
realm_name = form.cleaned_data['realm_name']
org_type = int(form.cleaned_data['realm_org_type'])
realm = do_create_realm(string_id, realm_name,
org_type=org_type)[0]
set_default_streams(realm, settings.DEFAULT_NEW_REALM_STREAMS)
full_name = form.cleaned_data['full_name']
short_name = email_to_username(email)
first_in_realm = len(
UserProfile.objects.filter(realm=realm, is_bot=False)) == 0
# FIXME: sanitize email addresses and fullname
if existing_user_profile is not None and existing_user_profile.is_mirror_dummy:
user_profile = existing_user_profile
do_activate_user(user_profile)
do_change_password(user_profile, password)
do_change_full_name(user_profile, full_name)
else:
user_profile = do_create_user(
email,
password,
realm,
full_name,
short_name,
prereg_user=prereg_user,
tos_version=settings.TOS_VERSION,
newsletter_data={"IP": request.META['REMOTE_ADDR']})
if first_in_realm:
do_change_is_admin(user_profile, True)
if realm_creation and settings.REALMS_HAVE_SUBDOMAINS:
# Because for realm creation, registration happens on the
# root domain, we need to log them into the subdomain for
# their new realm.
return redirect_and_log_into_subdomain(realm, full_name, email)
# This dummy_backend check below confirms the user is
# authenticating to the correct subdomain.
return_data = {} # type: Dict[str, bool]
auth_result = authenticate(username=user_profile.email,
realm_subdomain=realm.subdomain,
return_data=return_data,
use_dummy_backend=True)
if return_data.get('invalid_subdomain'):
# By construction, this should never happen.
logging.error("Subdomain mismatch in registration %s: %s" % (
realm.subdomain,
user_profile.email,
))
return redirect('/')
login(request, auth_result)
return HttpResponseRedirect(realm.uri +
reverse('zerver.views.home.home'))
return render(
request,
'zerver/register.html',
context={
'form': form,
'email': email,
'key': key,
'full_name': request.session.get('authenticated_full_name', None),
'lock_name': name_validated and name_changes_disabled(realm),
# password_auth_enabled is normally set via our context processor,
# but for the registration form, there is no logged in user yet, so
# we have to set it here.
'creating_new_team': realm_creation,
'realms_have_subdomains': settings.REALMS_HAVE_SUBDOMAINS,
'password_auth_enabled': password_auth_enabled(realm),
'MAX_REALM_NAME_LENGTH': str(Realm.MAX_REALM_NAME_LENGTH),
'MAX_NAME_LENGTH': str(UserProfile.MAX_NAME_LENGTH),
'MAX_PASSWORD_LENGTH': str(form.MAX_PASSWORD_LENGTH),
'MAX_REALM_SUBDOMAIN_LENGTH': str(Realm.MAX_REALM_SUBDOMAIN_LENGTH)
})
def accounts_register(request: HttpRequest) -> HttpResponse:
key = request.POST['key']
confirmation = Confirmation.objects.get(confirmation_key=key)
prereg_user = confirmation.content_object
email = prereg_user.email
realm_creation = prereg_user.realm_creation
password_required = prereg_user.password_required
is_realm_admin = prereg_user.invited_as_admin or realm_creation
try:
validators.validate_email(email)
except ValidationError:
return render(request, "zerver/invalid_email.html", context={"invalid_email": True})
if realm_creation:
# For creating a new realm, there is no existing realm or domain
realm = None
else:
realm = get_realm(get_subdomain(request))
if realm is None or realm != prereg_user.realm:
return render_confirmation_key_error(
request, ConfirmationKeyException(ConfirmationKeyException.DOES_NOT_EXIST))
try:
email_allowed_for_realm(email, realm)
except DomainNotAllowedForRealmError:
return render(request, "zerver/invalid_email.html",
context={"realm_name": realm.name, "closed_domain": True})
except DisposableEmailError:
return render(request, "zerver/invalid_email.html",
context={"realm_name": realm.name, "disposable_emails_not_allowed": True})
except EmailContainsPlusError:
return render(request, "zerver/invalid_email.html",
context={"realm_name": realm.name, "email_contains_plus": True})
if realm.deactivated:
# The user is trying to register for a deactivated realm. Advise them to
# contact support.
return redirect_to_deactivation_notice()
try:
validate_email_for_realm(realm, email)
except ValidationError: # nocoverage # We need to add a test for this.
return HttpResponseRedirect(reverse('django.contrib.auth.views.login') + '?email=' +
urllib.parse.quote_plus(email))
name_validated = False
full_name = None
if request.POST.get('from_confirmation'):
try:
del request.session['authenticated_full_name']
except KeyError:
pass
if realm is not None and realm.is_zephyr_mirror_realm:
# For MIT users, we can get an authoritative name from Hesiod.
# Technically we should check that this is actually an MIT
# realm, but we can cross that bridge if we ever get a non-MIT
# zephyr mirroring realm.
hesiod_name = compute_mit_user_fullname(email)
form = RegistrationForm(
initial={'full_name': hesiod_name if "@" not in hesiod_name else ""},
realm_creation=realm_creation)
name_validated = True
elif settings.POPULATE_PROFILE_VIA_LDAP:
for backend in get_backends():
if isinstance(backend, LDAPBackend):
try:
ldap_username = backend.django_to_ldap_username(email)
except ZulipLDAPException:
logging.warning("New account email %s could not be found in LDAP" % (email,))
form = RegistrationForm(realm_creation=realm_creation)
break
ldap_attrs = _LDAPUser(backend, ldap_username).attrs
try:
ldap_full_name = ldap_attrs[settings.AUTH_LDAP_USER_ATTR_MAP['full_name']][0]
request.session['authenticated_full_name'] = ldap_full_name
name_validated = True
# We don't use initial= here, because if the form is
# complete (that is, no additional fields need to be
# filled out by the user) we want the form to validate,
# so they can be directly registered without having to
# go through this interstitial.
form = RegistrationForm({'full_name': ldap_full_name},
realm_creation=realm_creation)
# FIXME: This will result in the user getting
# validation errors if they have to enter a password.
# Not relevant for ONLY_SSO, though.
break
except TypeError:
# Let the user fill out a name and/or try another backend
form = RegistrationForm(realm_creation=realm_creation)
elif 'full_name' in request.POST:
form = RegistrationForm(
initial={'full_name': request.POST.get('full_name')},
realm_creation=realm_creation
)
else:
form = RegistrationForm(realm_creation=realm_creation)
else:
postdata = request.POST.copy()
if name_changes_disabled(realm):
# If we populate profile information via LDAP and we have a
# verified name from you on file, use that. Otherwise, fall
# back to the full name in the request.
try:
postdata.update({'full_name': request.session['authenticated_full_name']})
name_validated = True
except KeyError:
pass
form = RegistrationForm(postdata, realm_creation=realm_creation)
if not (password_auth_enabled(realm) and password_required):
form['password'].field.required = False
if form.is_valid():
if password_auth_enabled(realm):
password = form.cleaned_data['password']
else:
# SSO users don't need no passwords
password = None
if realm_creation:
string_id = form.cleaned_data['realm_subdomain']
realm_name = form.cleaned_data['realm_name']
realm = do_create_realm(string_id, realm_name)
setup_initial_streams(realm)
setup_realm_internal_bots(realm)
assert(realm is not None)
full_name = form.cleaned_data['full_name']
short_name = email_to_username(email)
default_stream_group_names = request.POST.getlist('default_stream_group')
default_stream_groups = lookup_default_stream_groups(default_stream_group_names, realm)
timezone = ""
if 'timezone' in request.POST and request.POST['timezone'] in get_all_timezones():
timezone = request.POST['timezone']
if 'source_realm' in request.POST and request.POST["source_realm"] != "on":
source_profile = get_source_profile(email, request.POST["source_realm"])
else:
source_profile = None
if not realm_creation:
try:
existing_user_profile = get_user(email, realm) # type: Optional[UserProfile]
except UserProfile.DoesNotExist:
existing_user_profile = None
else:
existing_user_profile = None
return_data = {} # type: Dict[str, bool]
if ldap_auth_enabled(realm):
# If the user was authenticated using an external SSO
# mechanism like Google or GitHub auth, then authentication
# will have already been done before creating the
# PreregistrationUser object with password_required=False, and
# so we don't need to worry about passwords.
#
# If instead the realm is using EmailAuthBackend, we will
# set their password above.
#
# But if the realm is using LDAPAuthBackend, we need to verify
# their LDAP password (which will, as a side effect, create
# the user account) here using authenticate.
auth_result = authenticate(request,
username=email,
password=password,
realm=realm,
return_data=return_data)
if auth_result is not None:
# Since we'll have created a user, we now just log them in.
return login_and_go_to_home(request, auth_result)
if return_data.get("outside_ldap_domain") and email_auth_enabled(realm):
# If both the LDAP and Email auth backends are
# enabled, and the user's email is outside the LDAP
# domain, then the intent is to create a user in the
# realm with their email outside the LDAP organization
# (with e.g. a password stored in the Zulip database,
# not LDAP). So we fall through and create the new
# account.
#
# It's likely that we can extend this block to the
# Google and GitHub auth backends with no code changes
# other than here.
pass
else:
# TODO: This probably isn't going to give a
# user-friendly error message, but it doesn't
# particularly matter, because the registration form
# is hidden for most users.
return HttpResponseRedirect(reverse('django.contrib.auth.views.login') + '?email=' +
urllib.parse.quote_plus(email))
if existing_user_profile is not None and existing_user_profile.is_mirror_dummy:
user_profile = existing_user_profile
do_activate_user(user_profile)
do_change_password(user_profile, password)
do_change_full_name(user_profile, full_name, user_profile)
do_set_user_display_setting(user_profile, 'timezone', timezone)
# TODO: When we clean up the `do_activate_user` code path,
# make it respect invited_as_admin / is_realm_admin.
else:
user_profile = do_create_user(email, password, realm, full_name, short_name,
prereg_user=prereg_user, is_realm_admin=is_realm_admin,
tos_version=settings.TOS_VERSION,
timezone=timezone,
newsletter_data={"IP": request.META['REMOTE_ADDR']},
default_stream_groups=default_stream_groups,
source_profile=source_profile)
if realm_creation:
bulk_add_subscriptions([realm.signup_notifications_stream], [user_profile])
send_initial_realm_messages(realm)
# Because for realm creation, registration happens on the
# root domain, we need to log them into the subdomain for
# their new realm.
return redirect_and_log_into_subdomain(realm, full_name, email)
# This dummy_backend check below confirms the user is
# authenticating to the correct subdomain.
auth_result = authenticate(username=user_profile.email,
realm=realm,
return_data=return_data,
use_dummy_backend=True)
if return_data.get('invalid_subdomain'):
# By construction, this should never happen.
logging.error("Subdomain mismatch in registration %s: %s" % (
realm.subdomain, user_profile.email,))
return redirect('/')
return login_and_go_to_home(request, auth_result)
return render(
request,
'zerver/register.html',
context={'form': form,
'email': email,
'key': key,
'full_name': request.session.get('authenticated_full_name', None),
'lock_name': name_validated and name_changes_disabled(realm),
# password_auth_enabled is normally set via our context processor,
# but for the registration form, there is no logged in user yet, so
# we have to set it here.
'creating_new_team': realm_creation,
'password_required': password_auth_enabled(realm) and password_required,
'password_auth_enabled': password_auth_enabled(realm),
'root_domain_available': is_root_domain_available(),
'default_stream_groups': get_default_stream_groups(realm),
'accounts': get_accounts_for_email(email),
'MAX_REALM_NAME_LENGTH': str(Realm.MAX_REALM_NAME_LENGTH),
'MAX_NAME_LENGTH': str(UserProfile.MAX_NAME_LENGTH),
'MAX_PASSWORD_LENGTH': str(form.MAX_PASSWORD_LENGTH),
'MAX_REALM_SUBDOMAIN_LENGTH': str(Realm.MAX_REALM_SUBDOMAIN_LENGTH)
}
)
def accounts_register(request):
# type: (HttpRequest) -> HttpResponse
key = request.POST['key']
confirmation = Confirmation.objects.get(confirmation_key=key)
prereg_user = confirmation.content_object
email = prereg_user.email
realm_creation = prereg_user.realm_creation
try:
existing_user_profile = get_user_profile_by_email(email)
except UserProfile.DoesNotExist:
existing_user_profile = None
validators.validate_email(email)
# If OPEN_REALM_CREATION is enabled all user sign ups should go through the
# special URL with domain name so that REALM can be identified if multiple realms exist
unique_open_realm = get_unique_open_realm()
if unique_open_realm is not None:
realm = unique_open_realm
domain = realm.domain
elif prereg_user.referred_by:
# If someone invited you, you are joining their realm regardless
# of your e-mail address.
realm = prereg_user.referred_by.realm
domain = realm.domain
if not email_allowed_for_realm(email, realm):
return render_to_response("zerver/closed_realm.html", {"closed_domain_name": realm.name})
elif prereg_user.realm:
# You have a realm set, even though nobody referred you. This
# happens if you sign up through a special URL for an open
# realm.
domain = prereg_user.realm.domain
realm = get_realm(domain)
else:
domain = resolve_email_to_domain(email)
realm = get_realm(domain)
if realm and realm.deactivated:
# The user is trying to register for a deactivated realm. Advise them to
# contact support.
return render_to_response("zerver/deactivated.html",
{"deactivated_domain_name": realm.name,
"zulip_administrator": settings.ZULIP_ADMINISTRATOR})
try:
if existing_user_profile is not None and existing_user_profile.is_mirror_dummy:
# Mirror dummy users to be activated must be inactive
is_inactive(email)
else:
# Other users should not already exist at all.
user_email_is_unique(email)
except ValidationError:
return HttpResponseRedirect(reverse('django.contrib.auth.views.login') + '?email=' +
urllib.parse.quote_plus(email))
name_validated = False
full_name = None
if request.POST.get('from_confirmation'):
try:
del request.session['authenticated_full_name']
except KeyError:
pass
if realm is not None and realm.is_zephyr_mirror_realm and domain == "mit.edu":
# for MIT users, we can get an authoritative name from Hesiod
hesiod_name = compute_mit_user_fullname(email)
form = RegistrationForm(
initial={'full_name': hesiod_name if "@" not in hesiod_name else ""})
name_validated = True
elif settings.POPULATE_PROFILE_VIA_LDAP:
for backend in get_backends():
if isinstance(backend, LDAPBackend):
ldap_attrs = _LDAPUser(backend, backend.django_to_ldap_username(email)).attrs
try:
ldap_full_name = ldap_attrs[settings.AUTH_LDAP_USER_ATTR_MAP['full_name']][0]
request.session['authenticated_full_name'] = ldap_full_name
name_validated = True
# We don't use initial= here, because if the form is
# complete (that is, no additional fields need to be
# filled out by the user) we want the form to validate,
# so they can be directly registered without having to
# go through this interstitial.
form = RegistrationForm({'full_name': ldap_full_name})
# FIXME: This will result in the user getting
# validation errors if they have to enter a password.
# Not relevant for ONLY_SSO, though.
break
except TypeError:
# Let the user fill out a name and/or try another backend
form = RegistrationForm()
elif 'full_name' in request.POST:
form = RegistrationForm(
initial={'full_name': request.POST.get('full_name')}
)
else:
form = RegistrationForm()
else:
postdata = request.POST.copy()
if name_changes_disabled(realm):
# If we populate profile information via LDAP and we have a
# verified name from you on file, use that. Otherwise, fall
# back to the full name in the request.
try:
postdata.update({'full_name': request.session['authenticated_full_name']})
name_validated = True
except KeyError:
pass
form = RegistrationForm(postdata)
if not password_auth_enabled(realm):
form['password'].field.required = False
if form.is_valid():
if password_auth_enabled(realm):
password = form.cleaned_data['password']
else:
# SSO users don't need no passwords
password = None
if realm_creation:
string_id = form.cleaned_data['realm_subdomain']
realm_name = form.cleaned_data['realm_name']
org_type = int(form.cleaned_data['realm_org_type'])
domain = split_email_to_domain(email)
realm = do_create_realm(string_id, realm_name, org_type=org_type,
domain=domain)[0]
set_default_streams(realm, settings.DEFAULT_NEW_REALM_STREAMS)
full_name = form.cleaned_data['full_name']
short_name = email_to_username(email)
first_in_realm = len(UserProfile.objects.filter(realm=realm, is_bot=False)) == 0
# FIXME: sanitize email addresses and fullname
if existing_user_profile is not None and existing_user_profile.is_mirror_dummy:
try:
user_profile = existing_user_profile
do_activate_user(user_profile)
do_change_password(user_profile, password)
do_change_full_name(user_profile, full_name)
except UserProfile.DoesNotExist:
user_profile = do_create_user(email, password, realm, full_name, short_name,
prereg_user=prereg_user,
tos_version=settings.TOS_VERSION,
newsletter_data={"IP": request.META['REMOTE_ADDR']})
else:
user_profile = do_create_user(email, password, realm, full_name, short_name,
prereg_user=prereg_user,
tos_version=settings.TOS_VERSION,
newsletter_data={"IP": request.META['REMOTE_ADDR']})
if first_in_realm:
do_change_is_admin(user_profile, True)
if realm_creation and settings.REALMS_HAVE_SUBDOMAINS:
# Because for realm creation, registration happens on the
# root domain, we need to log them into the subdomain for
# their new realm.
return redirect_and_log_into_subdomain(realm, full_name, email)
# This dummy_backend check below confirms the user is
# authenticating to the correct subdomain.
return_data = {} # type: Dict[str, bool]
auth_result = authenticate(username=user_profile.email,
realm_subdomain=realm.subdomain,
return_data=return_data,
use_dummy_backend=True)
if return_data.get('invalid_subdomain'):
# By construction, this should never happen.
logging.error("Subdomain mismatch in registration %s: %s" % (
realm.subdomain, user_profile.email,))
return redirect('/')
login(request, auth_result)
return HttpResponseRedirect(realm.uri + reverse('zerver.views.home'))
return render_to_response('zerver/register.html',
{'form': form,
'company_name': domain,
'email': email,
'key': key,
'full_name': request.session.get('authenticated_full_name', None),
'lock_name': name_validated and name_changes_disabled(realm),
# password_auth_enabled is normally set via our context processor,
# but for the registration form, there is no logged in user yet, so
# we have to set it here.
'creating_new_team': realm_creation,
'realms_have_subdomains': settings.REALMS_HAVE_SUBDOMAINS,
'password_auth_enabled': password_auth_enabled(realm),
},
request=request)
def home_real(request):
# type: (HttpRequest) -> HttpResponse
# We need to modify the session object every two weeks or it will expire.
# This line makes reloading the page a sufficient action to keep the
# session alive.
request.session.modified = True
user_profile = request.user
# If a user hasn't signed the current Terms of Service, send them there
if settings.TERMS_OF_SERVICE is not None and settings.TOS_VERSION is not None and \
int(settings.TOS_VERSION.split('.')[0]) > user_profile.major_tos_version():
return accounts_accept_terms(request)
narrow = [] # type: List[List[Text]]
narrow_stream = None
narrow_topic = request.GET.get("topic")
if request.GET.get("stream"):
try:
narrow_stream_name = request.GET.get("stream")
(narrow_stream, ignored_rec,
ignored_sub) = access_stream_by_name(user_profile,
narrow_stream_name)
narrow = [["stream", narrow_stream.name]]
except Exception:
logging.exception("Narrow parsing")
if narrow_stream is not None and narrow_topic is not None:
narrow.append(["topic", narrow_topic])
register_ret = do_events_register(user_profile,
request.client,
apply_markdown=True,
narrow=narrow)
user_has_messages = (register_ret['max_message_id'] != -1)
# Reset our don't-spam-users-with-email counter since the
# user has since logged in
if user_profile.last_reminder is not None:
user_profile.last_reminder = None
user_profile.save(update_fields=["last_reminder"])
# Brand new users get the tutorial
needs_tutorial = settings.TUTORIAL_ENABLED and \
user_profile.tutorial_status != UserProfile.TUTORIAL_FINISHED
first_in_realm = realm_user_count(user_profile.realm) == 1
# If you are the only person in the realm and you didn't invite
# anyone, we'll continue to encourage you to do so on the frontend.
prompt_for_invites = first_in_realm and \
not PreregistrationUser.objects.filter(referred_by=user_profile).count()
if user_profile.pointer == -1 and user_has_messages:
# Put the new user's pointer at the bottom
#
# This improves performance, because we limit backfilling of messages
# before the pointer. It's also likely that someone joining an
# organization is interested in recent messages more than the very
# first messages on the system.
register_ret['pointer'] = register_ret['max_message_id']
user_profile.last_pointer_updater = request.session.session_key
if user_profile.pointer == -1:
latest_read = None
else:
try:
latest_read = UserMessage.objects.get(
user_profile=user_profile, message__id=user_profile.pointer)
except UserMessage.DoesNotExist:
# Don't completely fail if your saved pointer ID is invalid
logging.warning("%s has invalid pointer %s" %
(user_profile.email, user_profile.pointer))
latest_read = None
desktop_notifications_enabled = user_profile.enable_desktop_notifications
if narrow_stream is not None:
desktop_notifications_enabled = False
if user_profile.realm.notifications_stream:
notifications_stream = user_profile.realm.notifications_stream.name
else:
notifications_stream = ""
# Set default language and make it persist
default_language = register_ret['default_language']
url_lang = '/{}'.format(request.LANGUAGE_CODE)
if not request.path.startswith(url_lang):
translation.activate(default_language)
request.session[translation.LANGUAGE_SESSION_KEY] = default_language
# Pass parameters to the client-side JavaScript code.
# These end up in a global JavaScript Object named 'page_params'.
page_params = dict(
# Server settings.
share_the_love=settings.SHARE_THE_LOVE,
development_environment=settings.DEVELOPMENT,
debug_mode=settings.DEBUG,
test_suite=settings.TEST_SUITE,
poll_timeout=settings.POLL_TIMEOUT,
login_page=settings.HOME_NOT_LOGGED_IN,
server_uri=settings.SERVER_URI,
maxfilesize=settings.MAX_FILE_UPLOAD_SIZE,
server_generation=settings.SERVER_GENERATION,
use_websockets=settings.USE_WEBSOCKETS,
save_stacktraces=settings.SAVE_FRONTEND_STACKTRACES,
# realm data.
# TODO: Move all of these data to register_ret and pull from there
realm_uri=user_profile.realm.uri,
password_auth_enabled=password_auth_enabled(user_profile.realm),
domain=user_profile.realm.domain,
domains=list_of_domains_for_realm(user_profile.realm),
realm_icon_url=realm_icon_url(user_profile.realm),
realm_icon_source=user_profile.realm.icon_source,
name_changes_disabled=name_changes_disabled(user_profile.realm),
mandatory_topics=user_profile.realm.mandatory_topics,
show_digest_email=user_profile.realm.show_digest_email,
realm_presence_disabled=user_profile.realm.presence_disabled,
is_zephyr_mirror_realm=user_profile.realm.is_zephyr_mirror_realm,
# user_profile data.
# TODO: Move all of these data to register_ret and pull from there
fullname=user_profile.full_name,
email=user_profile.email,
enter_sends=user_profile.enter_sends,
user_id=user_profile.id,
is_admin=user_profile.is_realm_admin,
can_create_streams=user_profile.can_create_streams(),
autoscroll_forever=user_profile.autoscroll_forever,
default_desktop_notifications=user_profile.
default_desktop_notifications,
avatar_url=avatar_url(user_profile),
avatar_url_medium=avatar_url(user_profile, medium=True),
avatar_source=user_profile.avatar_source,
# Stream message notification settings:
stream_desktop_notifications_enabled=user_profile.
enable_stream_desktop_notifications,
stream_sounds_enabled=user_profile.enable_stream_sounds,
# Private message and @-mention notification settings:
desktop_notifications_enabled=desktop_notifications_enabled,
sounds_enabled=user_profile.enable_sounds,
enable_offline_email_notifications=user_profile.
enable_offline_email_notifications,
pm_content_in_desktop_notifications=user_profile.
pm_content_in_desktop_notifications,
enable_offline_push_notifications=user_profile.
enable_offline_push_notifications,
enable_online_push_notifications=user_profile.
enable_online_push_notifications,
enable_digest_emails=user_profile.enable_digest_emails,
# Realm foreign key data from register_ret.
# TODO: Rename these to match register_ret values.
subbed_info=register_ret['subscriptions'],
unsubbed_info=register_ret['unsubscribed'],
neversubbed_info=register_ret['never_subscribed'],
people_list=register_ret['realm_users'],
bot_list=register_ret['realm_bots'],
initial_pointer=register_ret['pointer'],
initial_presences=register_ret['presences'],
event_queue_id=register_ret['queue_id'],
# Misc. extra data.
have_initial_messages=user_has_messages,
initial_servertime=time.time(
), # Used for calculating relative presence age
default_language_name=get_language_name(
register_ret['default_language']),
language_list_dbl_col=get_language_list_for_templates(
register_ret['default_language']),
language_list=get_language_list(),
needs_tutorial=needs_tutorial,
first_in_realm=first_in_realm,
prompt_for_invites=prompt_for_invites,
notifications_stream=notifications_stream,
cross_realm_bots=list(get_cross_realm_dicts()),
unread_count=approximate_unread_count(user_profile),
furthest_read_time=sent_time_in_epoch_seconds(latest_read),
has_mobile_devices=num_push_devices_for_user(user_profile) > 0,
)
# These fields will be automatically copied from register_ret into
# page_params. It is a goal to move more of the page_params list
# into this sort of cleaner structure.
page_params_core_fields = [
'alert_words',
'attachments',
'default_language',
'last_event_id',
'left_side_userlist',
'max_message_id',
'muted_topics',
'realm_add_emoji_by_admins_only',
'realm_allow_message_editing',
'realm_authentication_methods',
'realm_create_stream_by_admins_only',
'realm_default_language',
'realm_default_streams',
'realm_emoji',
'realm_message_content_edit_limit_seconds',
'realm_name',
'realm_invite_by_admins_only',
'realm_invite_required',
'realm_filters',
'realm_restricted_to_domain',
'realm_waiting_period_threshold',
'referrals',
'twenty_four_hour_time',
'zulip_version',
]
for field_name in page_params_core_fields:
page_params[field_name] = register_ret[field_name]
if narrow_stream is not None:
# In narrow_stream context, initial pointer is just latest message
recipient = get_recipient(Recipient.STREAM, narrow_stream.id)
try:
initial_pointer = Message.objects.filter(
recipient=recipient).order_by('id').reverse()[0].id
except IndexError:
initial_pointer = -1
page_params["narrow_stream"] = narrow_stream.name
if narrow_topic is not None:
page_params["narrow_topic"] = narrow_topic
page_params["narrow"] = [
dict(operator=term[0], operand=term[1]) for term in narrow
]
page_params["max_message_id"] = initial_pointer
page_params["initial_pointer"] = initial_pointer
page_params["have_initial_messages"] = (initial_pointer != -1)
statsd.incr('views.home')
show_invites = True
# Some realms only allow admins to invite users
if user_profile.realm.invite_by_admins_only and not user_profile.is_realm_admin:
show_invites = False
product_name = "Zulip"
page_params['product_name'] = product_name
request._log_data['extra'] = "[%s]" % (register_ret["queue_id"], )
response = render_to_response('zerver/index.html', {
'user_profile':
user_profile,
'page_params':
simplejson.encoder.JSONEncoderForHTML().encode(page_params),
'nofontface':
is_buggy_ua(request.META.get("HTTP_USER_AGENT", "Unspecified")),
'avatar_url':
avatar_url(user_profile),
'show_debug':
settings.DEBUG and ('show_debug' in request.GET),
'pipeline':
settings.PIPELINE_ENABLED,
'show_invites':
show_invites,
'is_admin':
user_profile.is_realm_admin,
'show_webathena':
user_profile.realm.webathena_enabled,
'enable_feedback':
settings.ENABLE_FEEDBACK,
'embedded':
narrow_stream is not None,
'product_name':
product_name
},
request=request)
patch_cache_control(response,
no_cache=True,
no_store=True,
must_revalidate=True)
return response
def json_change_settings(
request: HttpRequest,
user_profile: UserProfile,
full_name: str = REQ(default=""),
email: str = REQ(default=""),
old_password: str = REQ(default=""),
new_password: str = REQ(default=""),
) -> HttpResponse:
if not (full_name or new_password or email):
return json_error(_("Please fill out all fields."))
if new_password != "":
return_data: Dict[str, Any] = {}
if email_belongs_to_ldap(user_profile.realm,
user_profile.delivery_email):
return json_error(_("Your Zulip password is managed in LDAP"))
try:
if not authenticate(
request,
username=user_profile.delivery_email,
password=old_password,
realm=user_profile.realm,
return_data=return_data,
):
return json_error(_("Wrong password!"))
except RateLimited as e:
assert e.secs_to_freedom is not None
secs_to_freedom = int(e.secs_to_freedom)
return json_error(
_("You're making too many attempts! Try again in {} seconds.").
format(secs_to_freedom), )
if not check_password_strength(new_password):
return json_error(_("New password is too weak!"))
do_change_password(user_profile, new_password)
# In Django 1.10, password changes invalidates sessions, see
# https://docs.djangoproject.com/en/1.10/topics/auth/default/#session-invalidation-on-password-change
# for details. To avoid this logging the user out of their own
# session (which would provide a confusing UX at best), we
# update the session hash here.
update_session_auth_hash(request, user_profile)
# We also save the session to the DB immediately to mitigate
# race conditions. In theory, there is still a race condition
# and to completely avoid it we will have to use some kind of
# mutex lock in `django.contrib.auth.get_user` where session
# is verified. To make that lock work we will have to control
# the AuthenticationMiddleware which is currently controlled
# by Django,
request.session.save()
result: Dict[str, Any] = {}
new_email = email.strip()
if user_profile.delivery_email != new_email and new_email != "":
if user_profile.realm.email_changes_disabled and not user_profile.is_realm_admin:
return json_error(
_("Email address changes are disabled in this organization."))
error = validate_email_is_valid(
new_email,
get_realm_email_validator(user_profile.realm),
)
if error:
return json_error(error)
try:
validate_email_not_already_in_realm(
user_profile.realm,
new_email,
verbose=False,
)
except ValidationError as e:
return json_error(e.message)
do_start_email_change_process(user_profile, new_email)
result["account_email"] = _(
"Check your email for a confirmation link. ")
if user_profile.full_name != full_name and full_name.strip() != "":
if name_changes_disabled(
user_profile.realm) and not user_profile.is_realm_admin:
# Failingly silently is fine -- they can't do it through the UI, so
# they'd have to be trying to break the rules.
pass
else:
# Note that check_change_full_name strips the passed name automatically
result["full_name"] = check_change_full_name(
user_profile, full_name, user_profile)
return json_success(result)
def home(request):
# type: (HttpRequest) -> HttpResponse
# We need to modify the session object every two weeks or it will expire.
# This line makes reloading the page a sufficient action to keep the
# session alive.
request.session.modified = True
user_profile = request.user
request._email = request.user.email
request.client = get_client("website")
# If a user hasn't signed the current Terms of Service, send them there
if settings.TERMS_OF_SERVICE is not None and settings.TOS_VERSION is not None and \
int(settings.TOS_VERSION.split('.')[0]) > user_profile.major_tos_version():
return accounts_accept_terms(request)
narrow = [] # type: List[List[text_type]]
narrow_stream = None
narrow_topic = request.GET.get("topic")
if request.GET.get("stream"):
try:
narrow_stream = get_stream(request.GET.get("stream"), user_profile.realm)
assert(narrow_stream is not None)
assert(narrow_stream.is_public())
narrow = [["stream", narrow_stream.name]]
except Exception:
logging.exception("Narrow parsing")
if narrow_topic is not None:
narrow.append(["topic", narrow_topic])
register_ret = do_events_register(user_profile, request.client,
apply_markdown=True, narrow=narrow)
user_has_messages = (register_ret['max_message_id'] != -1)
# Reset our don't-spam-users-with-email counter since the
# user has since logged in
if not user_profile.last_reminder is None:
user_profile.last_reminder = None
user_profile.save(update_fields=["last_reminder"])
# Brand new users get the tutorial
needs_tutorial = settings.TUTORIAL_ENABLED and \
user_profile.tutorial_status != UserProfile.TUTORIAL_FINISHED
first_in_realm = realm_user_count(user_profile.realm) == 1
# If you are the only person in the realm and you didn't invite
# anyone, we'll continue to encourage you to do so on the frontend.
prompt_for_invites = first_in_realm and \
not PreregistrationUser.objects.filter(referred_by=user_profile).count()
if user_profile.pointer == -1 and user_has_messages:
# Put the new user's pointer at the bottom
#
# This improves performance, because we limit backfilling of messages
# before the pointer. It's also likely that someone joining an
# organization is interested in recent messages more than the very
# first messages on the system.
register_ret['pointer'] = register_ret['max_message_id']
user_profile.last_pointer_updater = request.session.session_key
if user_profile.pointer == -1:
latest_read = None
else:
try:
latest_read = UserMessage.objects.get(user_profile=user_profile,
message__id=user_profile.pointer)
except UserMessage.DoesNotExist:
# Don't completely fail if your saved pointer ID is invalid
logging.warning("%s has invalid pointer %s" % (user_profile.email, user_profile.pointer))
latest_read = None
desktop_notifications_enabled = user_profile.enable_desktop_notifications
if narrow_stream is not None:
desktop_notifications_enabled = False
if user_profile.realm.notifications_stream:
notifications_stream = user_profile.realm.notifications_stream.name
else:
notifications_stream = ""
# Set default language and make it persist
default_language = register_ret['default_language']
url_lang = '/{}'.format(request.LANGUAGE_CODE)
if not request.path.startswith(url_lang):
translation.activate(default_language)
request.session[translation.LANGUAGE_SESSION_KEY] = default_language
# Pass parameters to the client-side JavaScript code.
# These end up in a global JavaScript Object named 'page_params'.
page_params = dict(
zulip_version = ZULIP_VERSION,
share_the_love = settings.SHARE_THE_LOVE,
development_environment = settings.DEVELOPMENT,
debug_mode = settings.DEBUG,
test_suite = settings.TEST_SUITE,
poll_timeout = settings.POLL_TIMEOUT,
login_page = settings.HOME_NOT_LOGGED_IN,
server_uri = settings.SERVER_URI,
realm_uri = user_profile.realm.uri,
maxfilesize = settings.MAX_FILE_UPLOAD_SIZE,
server_generation = settings.SERVER_GENERATION,
password_auth_enabled = password_auth_enabled(user_profile.realm),
have_initial_messages = user_has_messages,
subbed_info = register_ret['subscriptions'],
unsubbed_info = register_ret['unsubscribed'],
neversubbed_info = register_ret['never_subscribed'],
email_dict = register_ret['email_dict'],
people_list = register_ret['realm_users'],
bot_list = register_ret['realm_bots'],
initial_pointer = register_ret['pointer'],
initial_presences = register_ret['presences'],
initial_servertime = time.time(), # Used for calculating relative presence age
fullname = user_profile.full_name,
email = user_profile.email,
domain = user_profile.realm.domain,
domains = list_of_domains_for_realm(user_profile.realm),
realm_name = register_ret['realm_name'],
realm_invite_required = register_ret['realm_invite_required'],
realm_invite_by_admins_only = register_ret['realm_invite_by_admins_only'],
realm_create_stream_by_admins_only = register_ret['realm_create_stream_by_admins_only'],
realm_allow_message_editing = register_ret['realm_allow_message_editing'],
realm_message_content_edit_limit_seconds = register_ret['realm_message_content_edit_limit_seconds'],
realm_restricted_to_domain = register_ret['realm_restricted_to_domain'],
realm_default_language = register_ret['realm_default_language'],
enter_sends = user_profile.enter_sends,
user_id = user_profile.id,
left_side_userlist = register_ret['left_side_userlist'],
default_language = register_ret['default_language'],
default_language_name = get_language_name(register_ret['default_language']),
language_list_dbl_col = get_language_list_for_templates(register_ret['default_language']),
language_list = get_language_list(),
referrals = register_ret['referrals'],
realm_emoji = register_ret['realm_emoji'],
needs_tutorial = needs_tutorial,
first_in_realm = first_in_realm,
prompt_for_invites = prompt_for_invites,
notifications_stream = notifications_stream,
cross_realm_user_emails = list(get_cross_realm_users()),
# Stream message notification settings:
stream_desktop_notifications_enabled =
user_profile.enable_stream_desktop_notifications,
stream_sounds_enabled = user_profile.enable_stream_sounds,
# Private message and @-mention notification settings:
desktop_notifications_enabled = desktop_notifications_enabled,
sounds_enabled =
user_profile.enable_sounds,
enable_offline_email_notifications =
user_profile.enable_offline_email_notifications,
enable_offline_push_notifications =
user_profile.enable_offline_push_notifications,
enable_online_push_notifications =
user_profile.enable_online_push_notifications,
twenty_four_hour_time = register_ret['twenty_four_hour_time'],
enable_digest_emails = user_profile.enable_digest_emails,
event_queue_id = register_ret['queue_id'],
last_event_id = register_ret['last_event_id'],
max_message_id = register_ret['max_message_id'],
unread_count = approximate_unread_count(user_profile),
furthest_read_time = sent_time_in_epoch_seconds(latest_read),
save_stacktraces = settings.SAVE_FRONTEND_STACKTRACES,
alert_words = register_ret['alert_words'],
muted_topics = register_ret['muted_topics'],
realm_filters = register_ret['realm_filters'],
realm_default_streams = register_ret['realm_default_streams'],
is_admin = user_profile.is_realm_admin,
can_create_streams = user_profile.can_create_streams(),
name_changes_disabled = name_changes_disabled(user_profile.realm),
has_mobile_devices = num_push_devices_for_user(user_profile) > 0,
autoscroll_forever = user_profile.autoscroll_forever,
default_desktop_notifications = user_profile.default_desktop_notifications,
avatar_url = avatar_url(user_profile),
avatar_url_medium = avatar_url(user_profile, medium=True),
mandatory_topics = user_profile.realm.mandatory_topics,
show_digest_email = user_profile.realm.show_digest_email,
presence_disabled = user_profile.realm.presence_disabled,
is_zephyr_mirror_realm = user_profile.realm.is_zephyr_mirror_realm,
)
if narrow_stream is not None:
# In narrow_stream context, initial pointer is just latest message
recipient = get_recipient(Recipient.STREAM, narrow_stream.id)
try:
initial_pointer = Message.objects.filter(recipient=recipient).order_by('id').reverse()[0].id
except IndexError:
initial_pointer = -1
page_params["narrow_stream"] = narrow_stream.name
if narrow_topic is not None:
page_params["narrow_topic"] = narrow_topic
page_params["narrow"] = [dict(operator=term[0], operand=term[1]) for term in narrow]
page_params["max_message_id"] = initial_pointer
page_params["initial_pointer"] = initial_pointer
page_params["have_initial_messages"] = (initial_pointer != -1)
statsd.incr('views.home')
show_invites = True
# Some realms only allow admins to invite users
if user_profile.realm.invite_by_admins_only and not user_profile.is_realm_admin:
show_invites = False
product_name = "Zulip"
page_params['product_name'] = product_name
request._log_data['extra'] = "[%s]" % (register_ret["queue_id"],)
response = render_to_response('zerver/index.html',
{'user_profile': user_profile,
'page_params' : simplejson.encoder.JSONEncoderForHTML().encode(page_params),
'nofontface': is_buggy_ua(request.META.get("HTTP_USER_AGENT", "Unspecified")),
'avatar_url': avatar_url(user_profile),
'show_debug':
settings.DEBUG and ('show_debug' in request.GET),
'pipeline': settings.PIPELINE_ENABLED,
'show_invites': show_invites,
'is_admin': user_profile.is_realm_admin,
'show_webathena': user_profile.realm.webathena_enabled,
'enable_feedback': settings.ENABLE_FEEDBACK,
'embedded': narrow_stream is not None,
'product_name': product_name
},
request=request)
patch_cache_control(response, no_cache=True, no_store=True, must_revalidate=True)
return response
