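def route_recover_with_secret(secret):
    """ Complete a password recovery that was started by email.

    The recovery token is the only proof of identity on this route, so the
    request is rejected unless a user holds exactly that pending token, the
    account is still enabled and the token is less than 24 hours old. On
    success a fresh password is generated, the token is cleared so the link
    cannot be replayed, and the new password is emailed to the user.

    Args:
        secret: single-use recovery token taken from the emailed link.

    Returns:
        A redirect to the index page in every case; the outcome is reported
        to the user via ``flash``.
    """

    # an empty token must never match anything, even if a row happens to
    # hold an empty recovery value; check before touching the database
    user = None
    if secret:
        user = db.session.query(User).filter(User.password_recovery == secret).first()
    if not user:
        flash('No user with that recovery password', 'danger')
        return redirect(url_for('main.route_index'), 302)

    # user has since been disabled
    if user.auth_type == 'disabled':
        flash('User has been disabled since the recovery email was sent', 'danger')
        return redirect(url_for('main.route_index'), 302)

    # user waited too long; a token with no timestamp cannot be proven
    # fresh, so it is treated as expired rather than raising on None
    recovery_ts = user.password_recovery_ts
    token_lifetime = datetime.timedelta(hours=24)
    if recovery_ts is None or datetime.datetime.utcnow() > recovery_ts + token_lifetime:
        flash('More than 24 hours elapsed since the recovery email was sent', 'warning')
        return redirect(url_for('main.route_index'), 302)

    # password is stored hashed by the User model; the plaintext only lives
    # long enough to be rendered into the email below
    password = _generate_password()
    user.password = password
    user.password_ts = None
    # clearing the token makes the recovery link single-use
    user.password_recovery = None
    user.password_recovery_ts = None
    user.mtime = datetime.datetime.utcnow()
    db.session.commit()

    # send email
    send_email("[LVFS] Your password has been reset",
               user.email_address,
               render_template('email-recover-password.txt',
                               user=user, password=password))
    flash('Your password has been reset and an email has been sent with the new details', 'info')
    return redirect(url_for('main.route_index'), 302)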
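def route_reset_by_admin(user_id):
    """ Reset the users password on behalf of a vendor admin.

    The caller must hold ``@manage-users`` on the target user's vendor. A
    fresh password is generated, any outstanding email-recovery token is
    invalidated so it cannot reset the password a second time, and the new
    password is emailed to the user.

    Args:
        user_id: primary key of the user whose password is reset.

    Returns:
        A redirect to the user admin page on success, or to the dashboard
        when the user is missing or the caller lacks permission.
    """

    # check exists
    user = db.session.query(User).filter(User.user_id == user_id).first()
    if not user:
        flash('No user matched!', 'danger')
        # NOTE(review): a 422 status on a redirect is not followed by
        # browsers; kept as-is since other routes rely on the same pattern
        return redirect(url_for('main.route_dashboard'), 422)

    # security check: the ACL is evaluated against the *target* user's
    # vendor, so an admin of one vendor cannot reset users of another
    if not user.vendor.check_acl('@manage-users'):
        flash('Permission denied: Unable to modify user as non-admin', 'danger')
        return redirect(url_for('main.route_dashboard'))

    # password is stored hashed by the User model
    password = _generate_password()
    user.password = password
    user.mtime = datetime.datetime.utcnow()
    user.password_ts = None
    # an admin reset supersedes any recovery email still in flight; drop
    # the token so the old link cannot reset the password again
    user.password_recovery = None
    user.password_recovery_ts = None
    db.session.commit()

    # send email
    send_email("[LVFS] Your password has been reset",
               user.email_address,
               render_template('email-modify-password.txt',
                               user=user, password=password))

    flash('Password has been reset and an email has been sent to the user', 'info')
    return redirect(url_for('users.route_admin', user_id=user_id))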
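def route_user_create(vendor_id):
    """ Add a user to the vendor.

    Reads ``username`` and ``display_name`` from the submitted form. The
    caller must hold ``@manage-users`` on the vendor; non-``@admin``
    callers are additionally bound by the vendor's ``username_glob``
    account policy. Local accounts receive a generated password and an OTP
    secret and are notified by email; OAuth accounts get neither.

    Args:
        vendor_id: primary key of the vendor the new user belongs to.

    Returns:
        A redirect; every failure path reports its reason via ``flash``.
    """

    # check exists
    vendor = db.session.query(Vendor).filter(Vendor.vendor_id == vendor_id).first()
    if not vendor:
        flash('Failed to modify vendor: No a vendor with that group ID', 'warning')
        return redirect(url_for('vendors.route_list'), 302)

    # security check
    if not vendor.check_acl('@manage-users'):
        flash('Permission denied: Unable to modify vendor as non-admin', 'danger')
        return redirect(url_for('vendors.route_show', vendor_id=vendor_id))

    # form validation; the username doubles as the email address below
    if 'username' not in request.form or not request.form['username']:
        flash('Unable to add user as no username', 'danger')
        return redirect(url_for('vendors.route_show', vendor_id=vendor_id))
    if 'display_name' not in request.form:
        flash('Unable to add user as no display_name', 'danger')
        return redirect(url_for('vendors.route_show', vendor_id=vendor_id))
    username = request.form['username'].lower()
    user = db.session.query(User).filter(User.username == username).first()
    if user:
        flash('Failed to add user: Username already exists', 'warning')
        return redirect(url_for('vendors.route_users', vendor_id=vendor_id), 302)

    # verify email
    if not _email_check(username):
        flash('Failed to add user: Invalid email address', 'warning')
        return redirect(url_for('users.route_list'), 302)

    # verify the username matches the allowed vendor glob; only site admins
    # may bypass the vendor's account policy
    if not g.user.check_acl('@admin'):
        if not vendor.username_glob:
            flash('Failed to add user: Admin has not set the account policy for this vendor',
                  'warning')
            return redirect(url_for('vendors.route_users', vendor_id=vendor_id), 302)
        if not _verify_username_vendor_glob(username, vendor.username_glob):
            flash('Failed to add user: Email address does not match account policy %s' % vendor.username_glob,
                  'warning')
            return redirect(url_for('vendors.route_users', vendor_id=vendor_id), 302)

    # add user
    # NOTE(review): the auth type is chosen from the *calling* user's vendor,
    # not the target vendor; confirm this is intended when an admin creates
    # a user for a different vendor
    display_name = request.form['display_name']
    if g.user.vendor.oauth_domain_glob:
        password = None
        user = User(username=username,
                    display_name=display_name,
                    auth_type='oauth',
                    vendor_id=vendor.vendor_id)
    else:
        user = User(username=username,
                    display_name=display_name,
                    auth_type='local',
                    otp_secret=_otp_hash(),
                    vendor_id=vendor.vendor_id)
        # this is stored hashed by the User model
        password = _generate_password()
        user.password = password
    db.session.add(user)
    db.session.commit()

    # send email; only local accounts have a password to deliver
    if user.auth_type == 'local':
        send_email("[LVFS] An account has been created",
                   user.email_address,
                   render_template('email-confirm.txt',
                                   user=user, password=password))

    # done!
    flash('Added user %i' % user.user_id, 'info')
    return redirect(url_for('vendors.route_users', vendor_id=vendor_id), 302)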