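def change_password(request):
    """Change the password of the user identified by the JSON body.

    Expects a JSON object with ``email``, ``old_password`` and
    ``new_password``. On success the password is replaced, the
    ``force_password_change`` flag is cleared, a fresh auth token is issued
    and ``{"token": ..., "subject": ...}`` is returned.

    Raises:
        APIError: 400 for a missing/invalid body, missing fields, an inactive
            user, an unchanged password or a too-weak new password; 401 when
            the email/old password pair does not verify.
    """
    try:
        doc = request.json_body
    except Exception:
        # ``Exception`` rather than a bare ``except:`` so SystemExit and
        # KeyboardInterrupt are not converted into a 400 response.
        raise APIError(400, "invalid_json", "no valid json body")
    if not isinstance(doc, dict):
        # a JSON array/scalar body would otherwise fail on ``.get`` with a 500
        raise APIError(400, "invalid_json", "no valid json body")

    email = doc.get("email")
    old_password = doc.get("old_password")
    new_password = doc.get("new_password")

    if not email or not old_password or not new_password:
        raise APIError(
            400,
            "change_password.email_and_old_password_and_new_password_required",
            "You need to send your email, the old password and a new password."
        )

    user = DBSession.query(AuthUser).filter_by(email=email).first()

    # One shared error for "unknown email" and "wrong password" so the
    # response body does not reveal which addresses are registered.
    # NOTE(review): verify_password() is skipped when the email is unknown,
    # so the response time may still differ between the two cases.
    if not user or not user.verify_password(old_password):
        raise APIError(
            401, "change_password.email_or_old_password_invalid",
            "Either the email address or the old password is wrong.")

    if not user.active:
        raise APIError(400, "user_is_not_activated",
                       "Your user is not activated.")

    if new_password == old_password:
        raise APIError(400, "change_password.may_not_be_the_same",
                       "The new password may not be the same as the old one.")

    if not AuthUser.check_password_strength(new_password):
        raise APIError(
            400, "change_password.invalid_new_password",
            "The new password is too weak. Minimum length is 8 characters.")

    user.password = new_password
    user.force_password_change = False
    DBSession.add(user)

    # A new token is issued for this request; tokens issued earlier are not
    # touched here.
    # NOTE(review): if a password change is meant to end other sessions,
    # the user's previously issued AuthToken rows would need to be revoked
    # as well — confirm the intended policy.
    token = AuthToken.generate_token()
    token_obj = AuthToken(auth_user_id=user.id, token=token)
    DBSession.add(token_obj)

    DBSession.flush()

    return {
        "token": token,
        "subject": Subject.full_output(user.subject_id),
    }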
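def auth_login(request):
    """Log a user in and return an auth token plus the subject output.

    If the request already carries an authenticated ``request.user``, that
    user's existing token is reused via ``get_or_create_token()``. Otherwise
    ``email`` and ``password`` are read from the JSON body, verified, and a
    fresh token is created and added to the session.

    Raises:
        APIError: 400 for a missing/invalid body, missing credentials, an
            inactive user or a pending forced password change; 401 when the
            credentials do not verify.
    """
    try:
        doc = request.json_body
    except Exception:
        # ``Exception`` rather than a bare ``except:`` so SystemExit and
        # KeyboardInterrupt are not converted into a 400 response.
        raise APIError(400, "invalid_json", "no valid json body")
    if not isinstance(doc, dict):
        # a JSON array/scalar body would otherwise fail on ``.get`` with a 500
        raise APIError(400, "invalid_json", "no valid json body")

    user = request.user

    if user:
        # already logged in: reuse (or lazily create) this user's token.
        # NOTE(review): the active / force_password_change checks below run
        # only on the credential path; an already-authenticated request
        # skips them — confirm that is intended.
        token = user.get_or_create_token().token
    else:
        email = doc.get("email")
        password = doc.get("password")

        if not email or not password:
            raise APIError(400, "login.email_and_password_required",
                           "You need to send your email and password.")

        user = DBSession.query(AuthUser).filter_by(email=email).first()

        # One shared error for "unknown email" and "wrong password" so the
        # response body does not reveal which addresses are registered.
        # NOTE(review): verify_password() is skipped for unknown emails, so
        # the response time may still differ between the two cases.
        if not user or not user.verify_password(password):
            raise APIError(
                401, "login.email_or_password_invalid",
                "Either the email address or the password is wrong.")

        if not user.active:
            raise APIError(400, "user_is_not_activated",
                           "Your user is not activated.")

        if user.force_password_change:
            raise APIError(400, "user_has_to_change_password",
                           "You have to change your password.")

        token = AuthToken.generate_token()
        token_obj = AuthToken(auth_user_id=user.id, token=token)

        DBSession.add(token_obj)

    return {
        "token": token,
        "subject": Subject.full_output(user.subject_id),
    }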
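def add_or_update_subject(request):
    """Add a subject and set its metadata.

    ``subject_id`` comes from the route match. ``lat``, ``lon``, ``friends``,
    ``groups``, ``timezone``, ``language`` and ``additional_public_data`` are
    read from the POST form, each only when present and non-empty. When
    user authentication is enabled, the caller needs the global
    manage-subjects permission, or the own-update permission for exactly the
    subject being edited.

    Returns:
        ``{"status": "OK", "subject": <Subject.full_output(subject_id)>}``.

    Raises:
        APIError: 403 when authentication is enabled and the caller may not
            edit this subject; 400 when ``subject_id``, ``lat``, ``lon``,
            ``friends`` or ``groups`` cannot be parsed as numbers.
    """
    try:
        subject_id = int(request.matchdict["subject_id"])
    except ValueError:
        # previously surfaced as an unhandled 500
        raise APIError(400, "invalid_parameter",
                       "subject_id must be an integer.")

    if asbool(get_settings().get("enable_user_authentication", False)):
        # Either global manage permission, or own-update permission limited to
        # the caller's own subject. Parentheses make the intended precedence
        # (``A or (B and C)``) explicit.
        may_update = request.has_perm(perm_global_manage_subjects) or (
            request.has_perm(perm_own_update_subject_infos)
            and request.subject.id == subject_id
        )
        if not may_update:
            raise APIError(403, "forbidden", "You may not edit this subject.")

        # NOTE(review): the existence check below is disabled; with
        # authentication enabled, an authorized caller can reach set_infos
        # for a subject_id that has no AuthUser yet — confirm that is intended.
        #if not exists_by_expr(t_subjects,t_subjects.c.id==subject_id):
        #    raise APIError(403, "forbidden", "The subject does not exist. As the user authentication is enabled, you need to create the AuthUser first.")

    try:
        lat = _optional_float(request, "lat")
        lon = _optional_float(request, "lon")
        friends = _optional_id_list(request, "friends")
        groups = _optional_id_list(request, "groups")
    except ValueError:
        # malformed numbers used to escape as an unhandled 500
        raise APIError(400, "invalid_parameter",
                       "lat, lon, friends and groups must be numeric.")

    timezone = _nonempty_post(request, "timezone") or "UTC"
    if not valid_timezone(timezone):
        # unknown zones silently fall back instead of rejecting the request
        timezone = 'UTC'

    language = _nonempty_post(request, "language")

    additional_public_data = {}
    raw_public_data = _nonempty_post(request, "additional_public_data")
    if raw_public_data is not None:
        try:
            additional_public_data = json.loads(raw_public_data)
        except (TypeError, ValueError):
            # malformed JSON is ignored (best effort), as before
            additional_public_data = {}
    # NOTE(review): valid JSON that is not an object (list, string, number)
    # is passed through unchanged — confirm Subject.set_infos expects a dict.

    Subject.set_infos(subject_id=subject_id,
                      lat=lat,
                      lng=lon,
                      timezone=timezone,
                      language_id=language,
                      additional_public_data=additional_public_data)

    Subject.set_relations(subject_id=subject_id, relation_ids=friends)
    Subject.set_parent_subjects(subject_id=subject_id,
                                parent_subject_ids=groups)

    return {"status": "OK", "subject": Subject.full_output(subject_id)}


def _nonempty_post(request, key):
    """Return ``request.POST[key]`` when present and non-empty, else None."""
    value = request.POST.get(key, "")
    return value if len(value) > 0 else None


def _optional_float(request, key):
    """Parse ``request.POST[key]`` as a float; None when absent or empty.

    Raises ValueError when the value is present but not a number.
    """
    raw = _nonempty_post(request, key)
    return None if raw is None else float(raw)


def _optional_id_list(request, key):
    """Parse a comma-separated int list from ``request.POST[key]``; [] when absent or empty.

    Raises ValueError when any element is not an integer.
    """
    raw = _nonempty_post(request, key)
    return [] if raw is None else [int(x) for x in raw.split(",")]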