class UsernamePermCheck(GenericRegistrationInspector): _domain = 'acct_mgr' _description = cleandoc_(""" Check for usernames referenced in the permission system. ''This check is bypassed for requests by an authenticated user.'' """) def validate_registration(self, req): if req.authname and req.authname != 'anonymous': return username = AccountManager(self.env).handle_username_casing( req.args.get('username', '').strip()) # NOTE: We can't use 'get_user_permissions(username)' here # as this always returns a list - even if the user doesn't exist. # In this case the permissions of "anonymous" are returned. # # Also note that we can't simply compare the result of # 'get_user_permissions(username)' to some known set of permission, # i.e. "get_user_permissions('authenticated') as this is always # false when 'username' is the name of an existing permission group. # # And again obfuscate whether an existing user or group name # was responsible for rejection of this username. for (perm_user, perm_action) in \ perm.PermissionSystem(self.env).get_all_permissions(): if perm_user.lower() == username.lower(): raise RegistrationError(tag_( "Another account or group already exists, who's name " "differs from %(username)s only by case or is identical.", username=tag.b(username)))
class BotTrapCheck(GenericRegistrationInspector): _domain = 'acct_mgr' _description = cleandoc_("""A collection of simple bot checks. ''This check is bypassed for requests by an authenticated user.'' """) reg_basic_token = Option( 'account-manager', 'register_basic_token', '', doc="A string required as input to pass verification.") def render_registration_fields(self, req, data): """Add a hidden text input field to the registration form, and a visible one with mandatory input as well, if token is configured. """ if self.reg_basic_token: # Preserve last input for editing on failure instead of typing # everything again. old_value = req.args.get('basic_token', '') # TRANSLATOR: Hint for visible bot trap registration input field. hint = tag.p(Markup( _("""Please type [%(token)s] as verification token, exactly replicating everything within the braces.""", token=tag.b(self.reg_basic_token))), class_='hint') insert = tag( tag.label( _("Parole:"), tag.input(type='text', name='basic_token', size=20, class_='textwidget', value=old_value)), hint) else: insert = None # TRANSLATOR: Registration form hint for hidden bot trap input field. insert = tag( insert, tag.input(type='hidden', name='sentinel', title=_("Better do not fill this field."))) return insert, data def validate_registration(self, req): if req.authname and req.authname != 'anonymous': return # Input must be an exact replication of the required token. basic_token = req.args.get('basic_token', '') # Unlike the former, the hidden bot-trap input field must stay empty. keep_empty = req.args.get('sentinel', '') if keep_empty or self.reg_basic_token and \ self.reg_basic_token != basic_token: raise RegistrationError(N_("Are you human? If so, try harder!"))
class RegExpCheck(GenericRegistrationInspector): _domain = 'acct_mgr' _description = cleandoc_(""" A collection of checks based on regular expressions. ''It depends on !EmailCheck being enabled too for using it's input field. Likewise email checking is bypassed, if account verification is disabled.'' """) username_regexp = Option('account-manager', 'username_regexp', r'(?i)^[A-Z0-9.\-_]{5,}$', doc=""" A validation regular expression describing new usernames. Define constraints for allowed user names corresponding to local naming policy. """) email_regexp = Option('account-manager', 'email_regexp', r'(?i)^[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z0-9-]{2,63}$', doc="""A validation regular expression describing new account emails. Define constraints for a valid email address. A custom pattern can narrow or widen scope i.e. to accept UTF-8 characters. """) def validate_registration(self, req): acctmgr = AccountManager(self.env) username = acctmgr.handle_username_casing( req.args.get('username', '').strip()) if req.path_info != '/prefs' and self.username_regexp != '' and \ not re.match(self.username_regexp.strip(), username): raise RegistrationError(N_( "Username %s doesn't match local naming policy."), tag.b(username) ) email = req.args.get('email', '').strip() if self.env.is_enabled(EmailCheck) and \ self.env.is_enabled(EmailVerificationModule) and \ EmailVerificationModule(self.env).verify_email: if self.email_regexp.strip() != '' and \ not re.match(self.email_regexp.strip(), email) and \ not req.args.get('active'): raise RegistrationError(N_( "The email address specified appears to be invalid. " "Please specify a valid email address."))
class BasicCheck(GenericRegistrationInspector): _domain = 'acct_mgr' _description = cleandoc_(""" A collection of basic checks. This includes checking for * emptiness (no user input for username and/or password) * some blacklisted username characters * upper-cased usernames (reserved for Trac permission actions) * some reserved usernames * a username duplicate in configured password stores ''This check is bypassed for requests regarding user's own preferences.'' """) def validate_registration(self, req): if req.path_info == '/prefs': return acctmgr = AccountManager(self.env) username = acctmgr.handle_username_casing( req.args.get('username', '').strip()) if not username: raise RegistrationError(N_("Username cannot be empty.")) # Always exclude some special characters, i.e. # ':' can't be used in HtPasswdStore # '[' and ']' can't be used in SvnServePasswordStore blacklist = acctmgr.username_char_blacklist if contains_any(username, blacklist): pretty_blacklist = '' for c in blacklist: if pretty_blacklist == '': pretty_blacklist = tag(' \'', tag.b(c), '\'') else: pretty_blacklist = tag(pretty_blacklist, ', \'', tag.b(c), '\'') raise RegistrationError(N_( "The username must not contain any of these characters: %s"), tag.b(pretty_blacklist) ) # All upper-cased names are reserved for permission action names. if username.isupper(): raise RegistrationError(N_("A username with only upper-cased " "characters is not allowed.")) # Prohibit some user names, that are important for Trac and therefor # reserved, even if not in the permission store for some reason. if username.lower() in ['anonymous', 'authenticated']: raise RegistrationError(N_("Username %s is not allowed."), tag.b(username)) # NOTE: A user may exist in a password store but not in the permission # store. I.e. this happens, when the user (from the password store) # never logged in into Trac. So we have to perform this test here # and cannot just check for the user being in the permission store. # And better obfuscate whether an existing user or group name # was responsible for rejection of this user name. for store_user in acctmgr.get_users(): # Do it carefully by disregarding case. if store_user.lower() == username.lower(): raise RegistrationError(tag_( "Another account or group already exists, who's name " "differs from %(username)s only by case or is identical.", username=tag.b(username))) # Password consistency checks follow. password = req.args.get('password') if not password: raise RegistrationError(N_("Password cannot be empty.")) elif password != req.args.get('password_confirm'): raise RegistrationError(N_("The passwords must match."))
class EmailCheck(GenericRegistrationInspector): _domain = 'acct_mgr' _description = cleandoc_(""" A collection of checks for email addresses. ''This check is bypassed, if account verification is disabled.'' """) def render_registration_fields(self, req, data): """Add an email address text input field to the registration form.""" # Preserve last input for editing on failure instead of typing # everything again. old_value = req.args.get('email', '').strip() insert = tag.label(_("Email:"), tag.input(type='text', name='email', size=20, class_='textwidget', value=old_value)) # Deferred import required to aviod circular import dependencies. from acct_mgr.web_ui import AccountModule reset_password = AccountModule(self.env).reset_password_enabled verify_account = self.env.is_enabled(EmailVerificationModule) and \ EmailVerificationModule(self.env).verify_email if verify_account: # TRANSLATOR: Registration form hints for a mandatory input field. hint = tag.p(_(""" The email address is required for Trac to send you a verification token. """), class_='hint') if reset_password: hint = tag(hint, tag.p(_(""" Entering your email address will also enable you to reset your password if you ever forget it. """), class_='hint')) return tag(insert, hint), data elif reset_password: # TRANSLATOR: Registration form hint, if email input is optional. hint = tag.p(_("""Entering your email address will enable you to reset your password if you ever forget it."""), class_='hint') return dict(optional=tag(insert, hint)), data else: # Always return the email text input itself as optional field. return dict(optional=insert), data def validate_registration(self, req): email = req.args.get('email', '').strip() if self.env.is_enabled(EmailVerificationModule) and \ EmailVerificationModule(self.env).verify_email: # Initial configuration case. if not email and not req.args.get('active'): raise RegistrationError(N_( "You must specify a valid email address.") ) # User preferences case. elif req.path_info == '/prefs' and \ email == req.session.get('email'): return elif email_associated(self.env, email): raise RegistrationError(N_( "The email address specified is already in use. " "Please specify a different one.") )