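def _validate_request(request):
    """
    Check that the passed request is appropriate for proceeding with
    account claim.

    Asserts that:

    - the 'claim' feature is toggled on
    - no-one is logged in
    - the claim token is provided and authentic
    - the user referred to in the token exists
    - the user referred to in the token has not already claimed their
      account

    and raises for redirect or 404 otherwise.

    :param request: the incoming request; ``feature()``,
        ``authenticated_userid`` and ``domain`` are read from it.
    :returns: the ``User`` the claim token refers to.
    :raises exc.HTTPNotFound: when the feature is off, the token is
        missing or fails validation, or the userid carried by the token
        matches no user.
    """
    if not request.feature('claim'):
        raise exc.HTTPNotFound()

    # If signed in, redirect to stream.
    # NOTE(review): this relies on _perform_logged_in_redirect() raising
    # the redirect; if it merely returned, validation would carry on
    # below for a signed-in user — confirm.
    if request.authenticated_userid is not None:
        _perform_logged_in_redirect(request)

    # A missing or inauthentic token is expected to come back as None;
    # both cases get the same 404 response.
    payload = _validate_token(request)
    if payload is None:
        raise exc.HTTPNotFound()

    user = User.get_by_userid(request.domain, payload['userid'])
    if user is None:
        # Logger.warn is a deprecated alias of Logger.warning (removed in
        # recent Python releases); use the supported name.
        log.warning('got claim token with invalid userid=%r',
                    payload['userid'])
        raise exc.HTTPNotFound()

    # User already has a password? Claimed already.
    # NOTE(review): same assumption as above — the redirect helper is
    # expected to raise rather than return.
    if user.password:
        _perform_already_claimed_redirect(request)

    return user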
def edit_profile(self):
    """Handle POST payload from profile update form.

    A single request performs exactly one of two kinds of update:

    - a ``subscriptions`` JSON blob, applied without a password check and
      answered immediately;
    - an ``email`` and/or new ``password``, both of which require the
      current password in the ``pwd`` field.

    Returns an HTTP exception response for the wrong method or an
    anonymous caller, the form-validation error when there is one, an
    ``{'errors': ...}`` dict (with ``'code': 401`` when ``pwd`` is wrong),
    or ``{'model': {'email': ...}}`` on success.
    """
    request = self.request
    if request.method != 'POST':
        return httpexceptions.HTTPMethodNotAllowed()

    # Anonymous users have no profile to edit.
    userid = request.authenticated_userid
    if userid is None:
        return httpexceptions.HTTPUnauthorized()

    err, appstruct = validate_form(self.form, request.POST.items())
    if err is not None:
        return err

    user = User.get_by_userid(request.domain, userid)
    response = {'model': {'email': user.email}}

    # Subscription changes bypass the password check and end the request
    # here, so they cannot be combined with an email/password change.
    raw_subscriptions = appstruct.get('subscriptions')
    if raw_subscriptions:
        # json.loads raises ValueError on malformed input; not caught here.
        err = _update_subscription_data(request, json.loads(raw_subscriptions))
        return response if err is None else err

    # Everything below changes credentials or contact details, so the
    # caller must prove knowledge of the current password (`pwd`).
    # `password`, if present, is the new password.
    if not User.validate_user(user, appstruct.get('pwd')):
        return {'errors': {'pwd': _('Invalid password')}, 'code': 401}

    new_email = appstruct.get('email')
    if new_email:
        owner = User.get_by_email(new_email)
        # NOTE(review): the conflict is reported under the 'pwd' key and
        # without a 'code'; confirm that is what the form expects.
        if owner and owner.id != user.id:
            return {'errors': {'pwd': _('That email is already used')}}
        user.email = new_email
        response['model']['email'] = new_email

    new_password = appstruct.get('password')
    if new_password:
        user.password = new_password

    return response
def edit_profile(self):
    """Handle POST payload from profile update form.

    Accepts either a ``subscriptions`` JSON blob (no password required,
    handled and returned straight away) or an ``email`` / new ``password``
    change, which is only applied when the current password supplied in
    ``pwd`` validates.

    Returns an HTTP exception response, a validation error, an
    ``{'errors': ...}`` dict (``'code': 401`` for a wrong ``pwd``), or
    ``{'model': {'email': ...}}`` on success.
    """
    if self.request.method != 'POST':
        return httpexceptions.HTTPMethodNotAllowed()

    # Nothing to do here for non logged-in users.
    if self.request.authenticated_userid is None:
        return httpexceptions.HTTPUnauthorized()

    form_error, fields = validate_form(self.form, self.request.POST.items())
    if form_error is not None:
        return form_error

    account = User.get_by_userid(
        self.request.domain, self.request.authenticated_userid)
    result = {'model': {'email': account.email}}

    # Subscriptions may be updated without re-entering the password; the
    # request ends after this branch either way.
    encoded_subscriptions = fields.get('subscriptions')
    if encoded_subscriptions:
        # json.loads raises ValueError on malformed input; not caught here.
        decoded = json.loads(encoded_subscriptions)
        update_error = _update_subscription_data(self.request, decoded)
        if update_error is not None:
            return update_error
        return result

    # Any updates to fields below this point require password validation.
    # `pwd` is the current password; `password` is the optional new one.
    if not User.validate_user(account, fields.get('pwd')):
        return {'errors': {'pwd': _('Invalid password')}, 'code': 401}

    requested_email = fields.get('email')
    if requested_email:
        holder = User.get_by_email(requested_email)
        if holder is not None and holder:
            # NOTE(review): reported under the 'pwd' key with no 'code';
            # confirm the form relies on that.
            if holder.id != account.id:
                return {
                    'errors': {'pwd': _('That email is already used')},
                }
        account.email = requested_email
        result['model']['email'] = requested_email

    requested_password = fields.get('password')
    if requested_password:
        account.password = requested_password

    return result
def profile(self):
    """
    Return a serialisation of the user's profile. For use by the frontend.

    Includes current email and subscriptions data.

    The result is ``{'model': {...}}``: ``model`` is empty for anonymous
    requests, carries ``email`` for a signed-in user, and additionally
    ``subscriptions`` when the 'notification' feature is on.
    """
    req = self.request
    current_userid = req.authenticated_userid
    if not current_userid:
        return {'model': {}}

    # NOTE(review): a None from get_by_userid() would raise here; the
    # authenticated userid is assumed to always resolve to a user.
    model = {'email': User.get_by_userid(req.domain, current_userid).email}
    if req.feature('notification'):
        model['subscriptions'] = Subscriptions.get_subscriptions_for_uri(
            current_userid)
    return {'model': model}
def disable_user(self):
    """Disable the user by setting a random password.

    Requires a signed-in user and the current password in the ``pwd``
    form field. On success the stored password is replaced with a random
    one (so the old credentials stop working), a success flash message is
    queued and ``{}`` is returned; a wrong password yields an ``errors``
    dict with ``code`` 401.
    """
    request = self.request
    if request.authenticated_userid is None:
        return httpexceptions.HTTPUnauthorized()

    err, appstruct = validate_form(self.form, request.POST.items())
    if err is not None:
        return err

    user = User.get_by_userid(request.domain, request.authenticated_userid)

    # Password check before the destructive change.
    if not User.validate_user(user, appstruct['pwd']):
        return {'errors': {'pwd': _('Invalid password')}, 'code': 401}

    # TODO: maybe have an explicit disabled flag in the status
    # NOTE(review): existing sessions are not invalidated here; confirm
    # whether that happens elsewhere.
    user.password = User.generate_random_password()
    request.session.flash(_('Account disabled.'), 'success')
    return {}
def disable_user(self):
    """Disable the user by setting a random password.

    The caller must be signed in and supply the current password as
    ``pwd``. When it validates, the password is overwritten with a random
    one, a flash message is queued and ``{}`` is returned; otherwise an
    ``errors`` dict with ``code`` 401 is returned.
    """
    userid = self.request.authenticated_userid
    if userid is None:
        return httpexceptions.HTTPUnauthorized()

    form_error, fields = validate_form(self.form, self.request.POST.items())
    if form_error is not None:
        return form_error

    account = User.get_by_userid(self.request.domain, userid)

    password_ok = User.validate_user(account, fields['pwd'])
    if password_ok:
        # TODO: maybe have an explicit disabled flag in the status
        # NOTE(review): sessions that are already open are not touched
        # here; confirm that is handled elsewhere.
        account.password = User.generate_random_password()
        self.request.session.flash(_('Account disabled.'), 'success')
        outcome = {}
    else:
        outcome = {'errors': {'pwd': _('Invalid password')}, 'code': 401}
    return outcome