def settings_page(): settings = forms.SettingsForm() settings.about.data = current_user.about if settings.is_submitted(): about = settings.about.data current_user.edit_settings(about) error = None password_form = forms.ChangePasswordForm() if password_form.is_submitted(): password = u.hash_password(password_form.password.data) new_password = password_form.new_password.data confirmation = password_form.confirmation.data if password != current_user.hashed_password: error = "Введен неверный пароль" if new_password != confirmation: error = "Пароль не совпадают" if len(new_password) < 5: error = "Новый пароль слишком короткий" if error is None: current_user.change_password(new_password) return flask.render_template("pages/profile/settings.html", user=current_user, settings=settings, password_form=password_form, error=error)
def validate(self): self.user = None rv = BaseForm.validate(self) if not rv: return False def fail(): self.password.errors.append('Invalid username or password.') return False user = User.query.filter(User.name == self.username.data).first() if not user: compare_digest(dummy_password, hash_password(self.password.data, 'the cake is a lie!')) return fail() if not compare_digest(user.password, hash_password(self.password.data, user.salt)): return fail() if not user.active: self.username.errors.append('Account is disabled.') return False self.user = user return True
def wrapper(db, *args, **kwargs): user = User() user.active = active user.name = username user.password = password if password else username user.role = role user.email = email if email else '{}@cyber.cyber'.format(username) user.salt = salt if salt else random_string() user.password = hash_password(user.password, user.salt) db.session.add(user) db.session.commit() func(db=db, *args, **kwargs)
def validate(self): self.user = None rv = BaseForm.validate(self) if not rv: return False def fail(): self.password.errors.append(ERROR_INVALID_USERNAME_PASSWORD) return False user = User.query.filter(User.name == self.username.data).first() if not user: compare_digest( dummy_password, hash_password(self.password.data, 'the cake is a lie!')) return fail() if not compare_digest(user.password, hash_password(self.password.data, user.salt)): return fail() if not user.active: self.username.errors.append(ERROR_ACCOUNT_DISABLED) return False self.user = user return True
def edit_user(username): own_user = username == current_user.name if not current_user.role.is_administrator and not own_user: forbidden() user = User.query.filter_by(name=username).first() if not user: return not_found() form = UserForm(edit=True) if not form.is_submitted(): form.username.data = user.name form.email.data = user.email form.role.data = user.role.name form.active.data = user.active if not form.validate_on_submit(): return render_template('admin/form/user.html', title='Edit {}'.format(username), form=form, User=User, random_password=True, password_length={'min': TRACKER_PASSWORD_LENGTH_MIN, 'max': TRACKER_PASSWORD_LENGTH_MAX}) active_admins = User.query.filter_by(active=True, role=UserRole.administrator).count() if user.id == current_user.id and 1 == active_admins and not form.active.data: return forbidden() user.name = form.username.data user.email = form.email.data user.role = UserRole.fromstring(form.role.data) if form.random_password.data: form.password.data = random_string() if 0 != len(form.password.data): user.salt = random_string() user.password = hash_password(form.password.data, user.salt) user.active = form.active.data user_invalidate(user) db.session.commit() flash_password = '' if form.random_password.data: flash_password = '******'.format(form.password.data) flash('Edited user {}{}'.format(user.name, flash_password)) return redirect('/user')
def edit_own_user_profile(): form = UserPasswordForm() if not form.validate_on_submit(): return render_template('form/profile.html', title='Edit profile', form=form, password_length={ 'min': TRACKER_PASSWORD_LENGTH_MIN, 'max': TRACKER_PASSWORD_LENGTH_MAX }) user = current_user user.salt = random_string() user.password = hash_password(form.password.data, user.salt) db.session.commit() flash('Profile saved') return redirect('/')
def validate(self): rv = BaseForm.validate(self) if not rv: return False if current_user.name in self.password.data: self.password.errors.append( 'Password must not contain the username.') return False if self.password.data != self.password.data: self.password_repeat.errors.append('Repeated password mismatches.') return False if not compare_digest( current_user.password, hash_password(self.password_current.data, current_user.salt)): self.password_current.errors.append('Current password incorrect.') return False return True
def validate(self): rv = BaseForm.validate(self) if not rv: return False if current_user.name in self.password.data: self.password.errors.append(ERROR_PASSWORD_CONTAINS_USERNAME) return False if self.password.data != self.password_repeat.data: self.password_repeat.errors.append( ERROR_PASSWORD_REPEAT_MISMATCHES) return False if not compare_digest( current_user.password, hash_password(self.password_current.data, current_user.salt)): self.password_current.errors.append(ERROR_PASSWORD_INCORRECT) return False return True
def create_user(): form = UserForm() if not form.validate_on_submit(): return render_template('admin/form/user.html', title='Create user', form=form, User=User, password_length={'min': TRACKER_PASSWORD_LENGTH_MIN, 'max': TRACKER_PASSWORD_LENGTH_MAX}) password = random_string() if not form.password.data else form.password.data salt = random_string() user = db.create(User, name=form.username.data, email=form.email.data, salt=salt, password=hash_password(password, salt), role=UserRole.fromstring(form.role.data), active=form.active.data) db.session.commit() flash('Created user {} with password {}'.format(user.name, password)) return redirect('/user')
from .base import BaseForm from config import TRACKER_PASSWORD_LENGTH_MIN, TRACKER_PASSWORD_LENGTH_MAX from app.model.user import User from app.user import hash_password, random_string from wtforms import StringField, PasswordField, SubmitField from wtforms.validators import DataRequired, Length from hmac import compare_digest ERROR_INVALID_USERNAME_PASSWORD = '******' ERROR_ACCOUNT_DISABLED = 'Account is disabled.' dummy_password = hash_password(random_string(), random_string()) class LoginForm(BaseForm): username = StringField( u'Username', validators=[DataRequired(), Length(max=User.NAME_LENGTH)]) password = PasswordField(u'Password', validators=[ DataRequired(), Length(min=TRACKER_PASSWORD_LENGTH_MIN, max=TRACKER_PASSWORD_LENGTH_MAX) ]) login = SubmitField(u'login') def validate(self): self.user = None rv = BaseForm.validate(self) if not rv: return False