    def reset_user_password(self, id: int, user: UserModel):
        """API endpoint to reset the user's current password, cookies and auth tokens, and to email a password reset link to the user.

        .. :quickref: User; Password reset

        Reset the user's password, and send them instructions on how to reset the password.
        This endpoint is useful from a security standpoint, in case of worries the password might be compromised.
        It sets the current password to something random, invalidates cookies and auth tokens,
        and also sends an email for resetting the password to the user.

        Users can reset their own passwords. Only admins can use this endpoint to reset passwords of other users.

        :reqheader Authorization: The authentication token
        :reqheader Content-Type: application/json
        :resheader Content-Type: application/json
        :status 200: PROCESSED
        :status 400: INVALID_REQUEST, REQUIRED_INFO_MISSING, UNEXPECTED_PARAMS
        :status 401: UNAUTHORIZED
        :status 403: INVALID_SENDER
        :status 422: UNPROCESSABLE_ENTITY
        """
        # `id` is the route parameter; the body only acts on the resolved
        # `user`. The self-or-admin rule described above is not checked in
        # this method — presumably a decorator upstream enforces it; confirm.
        #
        # Order matters: credentials are rotated and existing cookie/token
        # access is dropped before the reset instructions go out, and the
        # commit is last so that an exception from any step (including the
        # mailer) means nothing above is committed.
        steps = (
            set_random_password,
            remove_cookie_and_token_access,
            send_reset_password_instructions,
        )
        for step in steps:
            step(user)
        # Persist only once the instructions were sent successfully.
        db.session.commit()
def reset_password(user_id: int, user: UserModel):
    """Invalidate ``user``'s credentials and email them reset instructions.

    The password is replaced by a random value and existing cookie/token
    access is removed; then the reset instructions are sent. The database
    commit happens last, so a failure while sending leaves nothing committed.

    :param user_id: identifier of the user (not used by the body itself;
                    the caller supplies the already-loaded ``user``)
    :param user: the user whose credentials are reset
    """

    def _invalidate_credentials(target: UserModel) -> None:
        # Rotate the password first, then drop cookie and token access.
        set_random_password(target)
        remove_cookie_and_token_access(target)

    _invalidate_credentials(user)
    send_reset_password_instructions(user)
    # Commit only if sending the instructions worked; an exception from the
    # mailer skips this line.
    db.session.commit()
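def patch(db_user: UserModel, user_data: dict):
    """Update a user given its identifier.

    Only the keys listed in ``allowed_fields`` are applied; other keys in
    ``user_data`` are silently ignored. A user editing their own record may
    not change ``active`` or ``flexmeasures_roles``; that check now runs
    before any attribute is assigned, so a rejected request leaves
    ``db_user`` unmodified in the session (the previous version returned
    from inside the loop after earlier keys had already been applied).

    :param db_user: the user row to modify
    :param user_data: mapping of field name to new value
    :returns: ``(body, status)`` — the serialised user with 200, the
              ``unauthorized_handler`` result for a forbidden self-edit, or
              an error body with 400 when the commit hits an integrity error
    """
    allowed_fields = {"email", "username", "active", "timezone", "flexmeasures_roles"}
    # Fields a user may not change on their own record.
    self_protected_fields = {"active", "flexmeasures_roles"}

    updates = {k: v for k, v in user_data.items() if k in allowed_fields}

    # Authorise before mutating anything.
    if current_user.id == db_user.id and not self_protected_fields.isdisjoint(updates):
        return unauthorized_handler(None, [])

    for field, value in updates.items():
        setattr(db_user, field, value)
        if field == "active" and value is False:
            # Deactivating a user also drops their cookie/token access.
            remove_cookie_and_token_access(db_user)
    db.session.add(db_user)
    try:
        db.session.commit()
    except IntegrityError as ie:
        # NOTE(review): `_message()` is a private SQLAlchemy API and returns
        # the driver's error text to the client; consider a generic detail.
        return dict(message="Duplicate user already exists", detail=ie._message()), 400
    return user_schema.dump(db_user), 200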
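    def patch(self, id: int, user: UserModel, **user_data):
        """API endpoint to patch user data.

        .. :quickref: User; Patch data for an existing user

        This endpoint sets data for an existing user.
        Any subset of user fields can be sent.
        Only the user themselves or admins are allowed to update its data,
        while a non-admin can only edit a few of their own fields.

        The following fields are not allowed to be updated:
         - id
         - account_id

        **Example request**

        .. sourcecode:: json

            {
                "active": false,
            }

        **Example response**

        The following user fields are returned:

        .. sourcecode:: json

            {
                'account_id': 1,
                'active': True,
                'email': '*****@*****.**',
                'flexmeasures_roles': [1, 3],
                'id': 1,
                'timezone': 'Europe/Amsterdam',
                'username': '******'
            }

        :reqheader Authorization: The authentication token
        :reqheader Content-Type: application/json
        :resheader Content-Type: application/json
        :status 200: UPDATED
        :status 400: INVALID_REQUEST, REQUIRED_INFO_MISSING, UNEXPECTED_PARAMS
        :status 401: UNAUTHORIZED
        :status 403: INVALID_SENDER
        :status 422: UNPROCESSABLE_ENTITY
        """
        # `id` is the route parameter; the body acts on the resolved `user`.
        # Keys outside `allowed_fields` are silently ignored.
        allowed_fields = {
            "email",
            "username",
            "active",
            "timezone",
            "flexmeasures_roles",
        }
        # Fields a user may not change on their own record.
        self_protected_fields = {"active", "flexmeasures_roles"}

        updates = {k: v for k, v in user_data.items() if k in allowed_fields}

        # Authorise before mutating: previously the Forbidden was raised from
        # inside the loop, after earlier keys had already been set on `user`.
        if current_user.id == user.id and not self_protected_fields.isdisjoint(updates):
            raise Forbidden(
                "Users who edit themselves cannot edit security-sensitive fields."
            )

        for field, value in updates.items():
            setattr(user, field, value)
            if field == "active" and value is False:
                # Deactivating a user also drops their cookie/token access.
                remove_cookie_and_token_access(user)
        db.session.add(user)
        try:
            db.session.commit()
        except IntegrityError as ie:
            # NOTE(review): `_message()` is a private SQLAlchemy API and returns
            # the driver's error text to the client; consider a generic detail.
            return (
                dict(message="Duplicate user already exists", detail=ie._message()),
                400,
            )
        return user_schema.dump(user), 200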