def user_modify(username):
""" Change details about the current user """
# only accept form data
if request.method != 'POST':
return redirect(url_for('.profile'))
# security check
if session['username'] != username:
return error_permission_denied('Unable to modify a different user')
if session['is_locked']:
return error_permission_denied('Unable to change user as account locked')
# check we got enough data
if not 'password_new' in request.form:
return error_permission_denied('Unable to change user as no data')
if not 'password_old' in request.form:
return error_permission_denied('Unable to change user as no data')
if not 'name' in request.form:
return error_permission_denied('Unable to change user as no data')
if not 'email' in request.form:
return error_permission_denied('Unable to change user as no data')
db = LvfsDatabase(os.environ)
db_users = LvfsDatabaseUsers(db)
try:
auth = db_users.verify(session['username'], request.form['password_old'])
except CursorError as e:
return error_internal(str(e))
if not auth:
return error_internal('Incorrect existing password')
# check password
password = request.form['password_new']
if not _password_check(password):
return redirect(url_for('.profile')), 400
# check email
email = request.form['email']
if not _email_check(email):
return redirect(url_for('.profile'))
# check pubkey
pubkey = ''
if 'pubkey' in request.form:
pubkey = request.form['pubkey']
if pubkey:
if len(pubkey) > 0:
if not pubkey.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
flash('Invalid GPG public key')
return redirect(url_for('.profile')), 400
# verify name
name = request.form['name']
if len(name) < 3:
flash('Name invalid')
return redirect(url_for('.profile')), 400
try:
db_users.update(session['username'], password, name, email, pubkey)
except CursorError as e:
return error_internal(str(e))
#session['password'] = _password_hash(password)
_event_log('Changed password')
flash('Updated profile')
return redirect(url_for('.profile'))
