def setup_two_view(self):
if (PROP.getProperty(self.request, PROP.SITE_SETUP) == True):
return HTTPFound(location=self.request.route_path("welcome"))
elif (PROP.getProperty(self.request, PROP.VERSION) == None):
return HTTPFound(location=self.request.route_path("setup_stageone"))
# Check if the password has already been changed, default is 'password'
admin_usr = self.request.root.users["admin"]
test_password = salt_password("password", admin_usr.password_salt)
if test_password != admin_usr.password:
self.request.session.flash("It looks like someone has already changed the default password on the account, if this wasn't you then contact support!", "info")
return HTTPFound(location=self.request.route_path("setup_stagethree"))
# Get password for admin user and double check
if "password_one" in self.request.POST and "password_two" in self.request.POST:
pwd_1 = self.request.POST["password_one"]
pwd_2 = self.request.POST["password_two"]
if len(pwd_1) < 5:
self.request.session.flash("The passwords entered are too short, they must be of 5 characters or longer.", "error")
return {}
elif pwd_1 != pwd_2:
self.request.session.flash("The passwords entered do not match.", "error")
return {}
# Set the administrator password
admin_usr.password_salt = Coding().generateUniqueCode()
admin_usr.password = salt_password(pwd_1, admin_usr.password_salt)
return HTTPFound(location=self.request.route_path("setup_stagethree"))
return {}
def login_view(self):
# Allow the username field to be pre-entered
prep_user = ""
if "user" in self.request.GET:
prep_user = self.request.GET["user"]
# Deal with an actual login
if 'submit' in self.request.POST:
try:
username = self.request.POST["username"].lower()
password = self.request.POST["password"]
user_key = [
x for x in self.context.users
if self.context.users[x].username == username
][0]
user = self.context.users[user_key]
# Check group
if not "admin" in user.__parent__.privileges and not "committee" in user.__parent__.privileges:
return {"error": "validation_error", "prep_user": username}
# Check credentials
elif username == user.username and user.password == salt_password(
password, user.password_salt):
self.request.session["user_id"] = user.__name__
header = remember(self.request, str(user.__name__))
return HTTPFound(
location=self.request.route_path("admin_summary"),
headers=header)
else:
return {"error": "validation_error", "prep_user": username}
except Exception:
return {"error": "validation_error", "prep_user": ""}
return {"prep_user": prep_user}
def set_password_view(self):
# Check agreements
if not self.user.purchase_agreement:
return HTTPFound(location=self.request.route_path("purchase_agreement_act"))
elif not self.user.privacy_agreement:
return HTTPFound(location=self.request.route_path("privacy_policy_act"))
# Check this user is allowed to set/change a password
if self.user.profile == None:
self.request.session.flash("You are not able to change your password as you haven't yet set up your profile", "error")
return HTTPFound(location=self.request.route_path("user_profile"))
elif self.user.profile.raven_user:
self.request.session.flash("You are not able to set a password as you are authenticated via Raven. Please change your password with the Raven service.", "error")
return HTTPFound(location=self.request.route_path("user_profile"))
# Ok all good, deal with any posted data
if "submit" in self.request.POST:
password_one = self.request.POST["password_one"]
password_two = self.request.POST["password_two"]
if password_one != password_two:
self.request.session.flash("You have not entered the same password twice, please try again.", "error")
return {}
elif len(password_one) < 6:
self.request.session.flash("For security reasons you must enter a password of 6 letters or more.", "error")
return {}
# Generate a new salt, salt the password and store it
self.user.password_salt = Coding().generateUniqueCode(withdash=False)
self.user.password = salt_password(password_one, self.user.password_salt)
self.request.session.flash("Your password has been successfully changed.", "info")
return HTTPFound(location=self.request.route_path("user_profile"))
# Otherwise just pass to renderer
return {}
def user_password_view(self):
if not "user_id" in self.request.matchdict and not self.request.matchdict["user_id"] in self.request.root.users:
self.request.session.flash("Requested user does not exist!", "error")
return HTTPFound(location=self.request.route_path("admin_accounts"))
user = self.request.root.users[self.request.matchdict["user_id"]]
# Check actually allowed to change password
if user.profile != None and user.profile.raven_user:
self.request.session.flash("This user is authenticated via Raven and therefore does not have a password stored in the system.", "error")
return HTTPFound(location=self.request.route_path("admin_accounts"))
# Act on data being passed from view
if "submit" in self.request.POST:
password_one = self.request.POST["password_one"]
password_two = self.request.POST["password_two"]
if password_one != password_two:
self.request.session.flash("You have not entered the same password twice, please try again.", "error")
return {
"user": user
}
elif len(password_one) < 6:
self.request.session.flash("For security reasons you must enter a password of 6 letters or more.", "error")
return {
"user": user
}
# Generate a new salt, salt the password and store it
user.password_salt = Coding().generateUniqueCode(withdash=False)
user.password = salt_password(password_one, user.password_salt)
self.request.session.flash("%s's password has been successfully changed." % user.username, "info")
return HTTPFound(location=self.request.route_path("admin_accounts"))
return {
"user": user,
}
def api_login_view_do(self):
# Get username and password
username = self.request.POST["username"].lower()
password = self.request.POST["password"]
# Check if user exists and is non-raven
if not username in self.request.root.users:
self.request.session.flash("Your username or password was incorrect", "error")
return HTTPFound(location=self.request.route_path("api_login"))
user = self.request.root.users[username]
if user.profile != None and user.profile.raven_user:
self.request.session.flash("Your account appears to be a Raven account, please use the Raven login instead.", "error");
return HTTPFound(location=self.request.route_path("api_login"))
# Check password
if user.password != salt_password(password, user.password_salt):
self.request.session.flash("Your username or password was incorrect", "error")
return HTTPFound(location=self.request.route_path("api_login"))
# Ok, this all looks ok - lets go!
header = remember(self.request, user.__name__)
self.request.session["user_id"] = user.__name__
return HTTPFound(location=self.request.route_path('api_token_issue'), headers=header)
def welcome_view_do(self):
if not self.has_queued:
return HTTPFound(location=self.request.route_path("queue"))
# Get username and password
username = self.request.POST["username"].lower()
password = self.request.POST["password"]
# Check if user exists and is non-raven
if not username in self.request.root.users:
self.request.session.flash(
"Your username or password was incorrect", "error")
return HTTPFound(location=self.request.route_path("welcome"))
user = self.request.root.users[username]
if user.profile != None and user.profile.raven_user:
self.request.session.flash(
"Your account appears to be a Raven account, please use the Raven login instead.",
"error")
return HTTPFound(location=self.request.route_path("welcome"))
# Check password
if user.password != salt_password(password, user.password_salt):
self.request.session.flash(
"Your username or password was incorrect", "error")
return HTTPFound(location=self.request.route_path("welcome"))
# Ok, this all looks ok - lets go!
header = remember(self.request, user.__name__)
self.request.session["user_id"] = user.__name__
if user.profile == None:
profile = UserProfile()
profile.raven_user = False
profile.__parent__ = user
profile.__name__ = user.__name__ + "-profile"
user.profile = profile
return HTTPFound(
location=self.request.route_path('user_profile_edit'),
headers=header)
elif None in [user.profile.dob, user.profile.fullname]:
return HTTPFound(
location=self.request.route_path('user_profile_edit'),
headers=header)
else:
return HTTPFound(location=self.request.route_path('user_profile'),
headers=header)
def signup_view(self):
if not self.public_signup_enabled:
self.request.session.flash(
"Public sign-ups are not currently enabled!", "error")
return HTTPFound(location=self.request.route_path('welcome'))
# If form data submitted
if "submit" in self.request.POST:
email = (self.request.POST["email"] if "email" in self.request.POST
and len(self.request.POST["email"]) > 0 else None)
username = (self.request.POST["username"]
if "username" in self.request.POST
and len(self.request.POST["username"]) > 0 else None)
pwd_one = (self.request.POST["password"]
if "password" in self.request.POST
and len(self.request.POST["password"]) > 0 else None)
pwd_two = (self.request.POST["confirm_password"]
if "confirm_password" in self.request.POST
and len(self.request.POST["confirm_password"]) > 0 else
None)
discount_code = (self.request.POST["discount_code"]
if "discount_code" in self.request.POST
and len(self.request.POST["discount_code"]) > 0
else None)
# Check if all fields filled
if email == None or username == None or pwd_one == None or pwd_two == None:
self.request.session.flash(
"One or more fields was not filled, please try again.",
"error")
return {
"email": email,
"username": username,
"discount_code": discount_code
}
# Now run additional checks
validator = Email()
if not validator(email):
self.request.session.flash(
"Please enter a valid email address.", "error")
return {
"email": email,
"username": username,
"discount_code": discount_code
}
# Username checks
username = username.lower()
if len(username) < 3 or " " in username:
self.request.session.flash(
"Please enter a valid username of more than 3 characters and containing no spaces.",
"error")
return {
"email": email,
"username": username,
"discount_code": discount_code
}
if username in self.request.root.users or (re.match(
r"^[a-zA-Z]+[0-9]+$", username) != None):
self.request.session.flash(
"A user already exists with the username you specified, please try again.",
"error")
return {
"email": email,
"username": username,
"discount_code": discount_code
}
# Password checks
if pwd_one != pwd_two:
self.request.session.flash(
"Your passwords do not appear to match, please try again.",
"error")
return {
"email": email,
"username": username,
"discount_code": discount_code
}
if len(pwd_one) < 5 or (re.match(r"(?=.{6,}).*", pwd_one) == None):
self.request.session.flash(
"Your password is too short or not complex enough, please enter a stronger password.",
"error")
return {
"email": email,
"username": username,
"discount_code": discount_code
}
# Passed all checks - create an account...
group = self.request.root.groups['ungrouped']
# - See if we can find a discount group
if discount_code != None:
found_discount = False
for group_key in self.request.root.groups:
test_group = self.request.root.groups[group_key]
if test_group.access_code != None and len(
test_group.access_code
) > 0 and test_group.access_code == discount_code:
group = test_group
found_discount = True
break
if not found_discount:
self.request.session.flash(
"The discount code entered is not valid, please check it and try again.",
"error")
return {
"email": email,
"username": username,
"discount_code": discount_code
}
# - Now setup user
user = User()
user.username = user.__name__ = username
user.password_salt = Coding().generateUniqueCode()
user.password = salt_password(pwd_one, user.password_salt)
user.profile = UserProfile()
user.profile.__parent__ = user
user.profile.raven_user = False
user.profile.email = email
user.__parent__ = group
group.members.append(user)
self.request.root.users[user.__name__] = user
# ...send an email telling them about their new account...
emailer = GenericEmail(self.request)
emailer.compose_and_send(
"Account Created",
"""Thank you for creating an account on our ticketing system, this email is just to remind you that your username is %s. No further action is required."""
% (user.username), user.__name__)
# ...and finally login
header = remember(self.request, user.__name__)
self.request.session["user_id"] = user.__name__
return HTTPFound(
location=self.request.route_path('user_profile_edit'),
headers=header)
return {"email": None, "username": None, "discount_code": None}
def db_setup_accounts(self, root):
# Groups & users
root.groups = PersistentMapping()
root.users = PersistentMapping()
# admin
admin = Group()
admin.__name__ = "admin"
admin.__parent__ = root
admin.can_delete = False
admin.name = "Administrators"
admin.privileges = ["admin"]
admin.can_delete = False
admin._p_changed = True
root.groups[admin.__name__] = admin
# committee
committee = Group()
committee.__name__ = "committee"
committee.__parent__ = root
committee.name = "Committee Members"
committee.privileges = ["committee"]
committee.can_delete = False
committee._p_changed = True
root.groups[committee.__name__] = committee
# Raven authentications
raven_grp = Group()
raven_grp.__name__ = "raven"
raven_grp.__parent__ = root
raven_grp.name = "Customers (Raven)"
raven_grp.privileges = ["basic"]
raven_grp.can_delete = False
raven_grp._p_changed = True
root.groups[raven_grp.__name__] = raven_grp
# Alumnus Raven authentications
alumni_raven_grp = Group()
alumni_raven_grp.__name__ = "raven_alumni"
alumni_raven_grp.__parent__ = root
alumni_raven_grp.name = "Customers (Alumni via Raven)"
alumni_raven_grp.privileges = ["basic"]
alumni_raven_grp.can_delete = False
alumni_raven_grp._p_changed = True
root.groups[alumni_raven_grp.__name__] = alumni_raven_grp
# Alumnus authentications
alumni_grp = Group()
alumni_grp.__name__ = "alumni"
alumni_grp.__parent__ = root
alumni_grp.name = "Customers (Alumni)"
alumni_grp.privileges = ["basic"]
alumni_grp.can_delete = False
alumni_grp._p_changed = True
root.groups[alumni_grp.__name__] = alumni_grp
# Ungrouped
ungrouped = Group()
ungrouped.__name__ = "ungrouped"
ungrouped.__parent__ = root
ungrouped.name = "Ungrouped"
ungrouped.privileges = ["basic"]
ungrouped.can_delete = False
ungrouped._p_changed = True
root.groups[ungrouped.__name__] = ungrouped
# Setup an admin user
admin_usr = User()
admin_usr.username = "******"
admin_usr.password_salt = Coding().generateUniqueCode()
admin_usr.password = salt_password("password", admin_usr.password_salt)
admin_usr.__name__ = admin_usr.username
admin_usr.__parent__ = admin
root.users[admin_usr.__name__] = admin_usr
admin.members.append(admin_usr)
admin.members._p_changed = True
admin_usr.privacy_agreement = True
admin_usr.purchase_agreement = True
admin_prof = UserProfile()
admin_usr.profile = admin_prof
admin_prof.__parent__ = admin_usr
admin_prof.title = "Admin"
admin_prof.forename = "Super"
admin_prof.surname = "Administrator"
admin_prof.email = "*****@*****.**"
admin_prof.dob = datetime(year=1990, month=1, day=1)
admin_prof.photo_file = "blank.png"
admin_prof.address = PostalAddress()
admin_prof.address.__parent__ = admin_prof
admin_prof.address.line_one = "Admin Address"
admin_prof.address.line_two = "Admin Address"
admin_prof.address.city = "Cambridge"
admin_prof.address.county = "Cambridgeshire"
admin_prof.address.country = "United Kingdom"
admin_prof.address.postal_code = "CB1 1AA"
admin_prof.phone_number = "01234 567890"
def user_add_view(self):
if "submit" in self.request.POST:
username = self.request.POST["username"].lower().replace(" ","")
password = self.request.POST["password"]
userprefix = self.request.POST["userprefix"].lower().replace(" ","")
numberusers = int(float(self.request.POST["numberusers"]))
startingpoint = int(float(self.request.POST["startingnumber"]))
group_key = self.request.POST["group"]
single = (self.request.POST["singleuser"] == "single")
# Check username not already in use
error = True
if single:
if username in self.request.root.users:
self.request.session.flash("A user with this username already exists.", "error")
elif group_key not in self.request.root.groups:
self.request.session.flash("The group selected is invalid, please try again.", "error")
elif len(password) < 6:
self.request.session.flash("The password you entered is too short, please enter a longer one.", "error")
elif len(username) < 3:
self.request.session.flash("Please enter a username longer than 2 letters.", "error")
else:
error = False
# Otherwise we're good, create user
group = self.request.root.groups[group_key]
user = User()
user.username = user.__name__ = username
user.password_salt = Coding().generateUniqueCode()
user.password = salt_password(password, user.password_salt)
user.__parent__ = group
group.members.append(user)
self.request.root.users[user.__name__] = user
self.request.session.flash("User %s has been added successfully!" % username, "info")
return HTTPFound(location=self.request.route_path("admin_accounts"))
else:
if len(userprefix) < 2:
self.request.session.flash("Please enter a prefix of 2 or more characters.", "error")
elif numberusers <= 1:
self.request.session.flash("Please enter a number of users greater than 1.", "error")
elif startingpoint < 0:
self.request.session.flash("Please enter a starting point number greater than or equal to 0.", "error")
elif group_key not in self.request.root.groups:
self.request.session.flash("The group selected is invalid, please try again.", "error")
else:
error = False
creds = {}
coding = Coding()
group = self.request.root.groups[group_key]
# Otherwise we're good, create lots of users and passwords
for i in range(numberusers):
password = coding.genRandomString(size=6).lower()
username = ("%s%i%s" % (userprefix, (i + startingpoint), coding.genRandomString(size=2))).lower()
creds[username] = password
# Create the user
newuser = User()
newuser.username = newuser.__name__ = username
newuser.password_salt = coding.generateUniqueCode()
newuser.password = salt_password(password, newuser.password_salt)
newuser.__parent__ = group
group.members.append(newuser)
self.request.root.users[newuser.__name__] = newuser
# Confirm a success
self.request.session.flash("Successfully added %i users to %s!" % (numberusers, group.name), "info")
# - Forward to showing the full list of users that were added
self.request.session["added_users"] = creds
return HTTPFound(location=self.request.route_path("admin_user_add_list"))
# Respond to a thrown error
if error:
return {
"groups": sorted(self.request.root.groups.values(), key=lambda x: x.name),
"username": username, "selgroup": group_key, "single": single,
"userprefix": userprefix, "numberusers": numberusers, "startingnumber": startingpoint,
}
return {
"groups": sorted(self.request.root.groups.values(), key=lambda x: x.name),
"username": None, "selgroup": None, "single": True,
"userprefix": None, "numberusers": 0, "startingnumber": 0,
}