def createResetSession():
isResetEnabled = os.environ.get("EMAIL_RESET_ENABLED")
if not isResetEnabled.lower() == "true":
return "ERR_SERVICE_DISABLED", 500
dbconn = database()
dbconn.execute(
"SELECT COUNT(*) AS num, id, email, firstname FROM people WHERE username = %s",
(request.form.get("username"), ))
result = dbconn.fetchone()
if not result["num"] == 1:
return "ERR_USER_NOT_FOUND", 500
pCheck = permissionCheck()
permissions = pCheck.get(request.form.get("username"))
if "emailrst" not in permissions:
return "ERR_NOT_ALLOWED", 500
if not request.form.get("password1") == request.form.get("password2"):
return "ERR_PASSWORDS_DIFFERENT", 500
if result["email"] == "" or result["email"] is None:
return "ERR_NO_EMAIL", 500
dbconn.execute(
"SELECT COUNT(*) AS num, time FROM mailreset WHERE people_id = %s",
(result["id"], ))
oldTokens = dbconn.fetchone()
if oldTokens["num"] > 0:
earliestCreation = datetime.datetime.now() - datetime.timedelta(days=1)
if oldTokens["time"] >= earliestCreation:
return "ERR_OPEN_RESET_REQUEST", 500
else:
dbconn.execute("DELETE FROM mailreset WHERE people_id = %s",
(result["id"], ))
if not dbconn.commit():
return "ERR_DATABASE_ERROR", 500
token = es.randomString(128)
dbconn.execute(
"INSERT INTO mailreset (time, token, people_id, unix_hash, smb_hash) VALUES (NOW(), %s, %s, %s, %s)",
(token, result["id"], hash.unix(request.form.get("password1")),
hash.samba(request.form.get("password1"))))
if not dbconn.commit():
return "ERR_DATABASE_ERROR", 500
mailstatus = email.sendResetEmail(result["email"], token,
result["firstname"])
if mailstatus == -1:
return "ERR_SMTP_CONNECTION_REFUSED", 500
elif mailstatus == -2:
return "ERR_SMTP_CREDENTIALS_ERROR", 500
elif mailstatus <= -3:
return "ERR_OTHER_SMTP_ERROR", 500
return "SUCCESS", 200
def newPassword(id):
if not es.isAuthorized("usermgmt"):
return "ERR_ACCESS_DENIED", 403
dbconn = db.database()
lu = ldap.users()
dbconn.execute(
"SELECT unix_hash FROM userpassword UP INNER JOIN people P ON UP.people_id = P.id WHERE P.id = %s",
(id, ))
result = dbconn.fetchone()
if not passlib.hash.ldap_salted_sha1.verify(request.form.get("old"),
result["unix_hash"]):
return "ERR_AUTH_PASSWORD", 500
if not request.form.get("new1") == request.form.get("new2"):
return "ERR_PASSWORDS_DIFFERENT", 500
dbconn.execute(
"UPDATE userpassword SET unix_hash = %s, smb_hash = %s, hint = %s, autogen = 0, cleartext = NULL WHERE people_id = %s",
(hash.unix(request.form.get("new1")),
hash.samba(request.form.get("new1")), request.form.get("pwhint"), id))
if not dbconn.commit():
return "ERR_DATABASE_ERROR", 500
if not lu.update(id) == 0:
return "ERR_LDAP_ERROR", 500
return "SUCCESS", 200
def resetPassword(id):
gMember = groupMembership()
if not gMember.checkGroupMembership(current_user.username, "teachers"):
return "ERR_NOT_ALLOWED", 403
dbconn = database()
pCheck = permissionCheck()
permissions = pCheck.getForId(id)
if "pwalwrst" not in permissions:
return "ERR_NOT_ALLOWED", 403
dbconn.execute("SELECT id FROM people WHERE username = %s", (current_user.username,))
teacherResult = dbconn.fetchone()
dbconn.execute("SELECT unix_hash FROM userpassword WHERE people_id = %s", (teacherResult["id"],))
teacherPasswordResult = dbconn.fetchone()
if not passlib.hash.ldap_salted_sha1.verify(request.form.get("passwd"), teacherPasswordResult["unix_hash"]):
return "ERR_ACCESS_DENIED", 401
if not request.form.get("password1") == request.form.get("password2"):
return "ERR_PASSWORDS_DIFFERENT", 500
dbconn.execute("UPDATE userpassword SET unix_hash = %s, smb_hash = %s, hint = %s, autogen = 0, cleartext = NULL WHERE people_id = %s", (hash.unix(request.form.get("password1")), hash.samba(request.form.get("password1")), request.form.get("hint"), id))
if not dbconn.commit():
return "ERR_DATABASE_ERROR", 500
ldap = requests.post(url="http://pc_admin/api/public/usercheck/" + id)
if not ldap.text == "SUCCESS":
return "ERR_LDAP_ERROR", 500
return "SUCCESS", 200
def createUser():
if not es.isAuthorized("usermgmt"):
return "ERR_ACCESS_DENIED", 403
dir = directory.directory()
if dir.exists(request.form.get("username"), "users"):
return "ERR_FOLDER_EXISTS", 500
dbconn = db.database()
lu = ldap.users()
lg = ldap.groups()
id = idsrv.getNew()
if not request.form.get("password") == request.form.get("password2"):
return "ERR_PASSWORDS_DIFFERENT", 500
try:
short = request.form.get("short") if not request.form.get(
"short") == "" and not request.form.get(
"short").lower() == "null" else None
except AttributeError:
short = None
persistant = 1 if request.form.get("persistant") else 0
smb_homedir = "/home/users/" + request.form.get("username")
sex = request.form.get("sex") if isinstance(request.form.get("sex"),
int) else 0
dbconn.execute(
"INSERT INTO people (id, firstname, lastname, preferredname, sex, title, short, email, birthdate, username, smb_homedir, persistant) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",
(id, request.form.get("firstname"), request.form.get("lastname"),
request.form.get("preferredname"), sex, request.form.get("title"),
short, request.form.get("email"), request.form.get("birthdate"),
request.form.get("username"), smb_homedir, persistant))
if not dbconn.commit():
return "ERR_DATABASE_ERROR", 500
if not request.form.get("cleartext") is None:
dbconn.execute(
"INSERT INTO userpassword (people_id, unix_hash, smb_hash, hint, cleartext, autogen) VALUES (%s, %s, %s, %s, %s, 1)",
(id, hash.unix(request.form.get("password")),
hash.samba(request.form.get("password")),
request.form.get("pwhint"), request.form.get("password")))
if not dbconn.commit():
return "ERR_DATABASE_ERROR", 500
else:
dbconn.execute(
"INSERT INTO userpassword (people_id, unix_hash, smb_hash, hint, autogen) VALUES (%s, %s, %s, %s, 0)",
(id, hash.unix(request.form.get("password")),
hash.samba(
request.form.get("password")), request.form.get("pwhint")))
if not dbconn.commit():
return "ERR_DATABASE_ERROR", 500
failed = False
for group in json.loads(request.form.get("groups")):
dbconn.execute(
"INSERT INTO people_has_groups (people_id, group_id) VALUES (%s, %s)",
(id, group))
if not dbconn.commit():
failed = True
if not lg.addUser(id, group) == 0:
failed = True
if failed:
return "ERR_DATABASE_ERROR", 500
dircode = dir.create(request.form.get("username"), "users")
if dircode == 0 and dir.setMode(request.form.get("username"), "users",
"511"): # 511 in octal gives 777
if not lu.update(id) == 0:
return "ERR_LDAP_ERROR", 500
dbconn.execute("SELECT unix_userid FROM people WHERE id = %s LIMIT 1",
(id, ))
result = dbconn.fetchone()
if not dir.setOwner(request.form.get("username"), "users",
result["unix_userid"]):
return "ERR_DATABASE_ERROR", 500
elif dircode == -1:
return "ERR_FOLDER_PLACE_INVALID", 500
elif dircode == -4:
return "ERR_FOLDER_EXISTS", 500
else:
return "ERR_CREATE_HOMEFOLDER", 500
return "SUCCESS", 201
def updatePassword():
dbconn = database()
dbconn.execute("SELECT id FROM people WHERE username = %s", (current_user.username,))
result = dbconn.fetchone()
if not request.form.get("password1") == request.form.get("password2"):
return "ERR_PASSWORDS_DIFFERENT", 500
dbconn.execute("UPDATE userpassword SET unix_hash = %s, smb_hash = %s, hint = %s, autogen = 0, cleartext = NULL WHERE people_id = %s", (hash.unix(request.form.get("password1")), hash.samba(request.form.get("password1")), request.form.get("hint"), result["id"]))
if not dbconn.commit():
return "ERR_DATABASE_ERROR", 500
ldap = requests.post(url = "http://pc_admin/api/public/usercheck/" + result["id"])
if not ldap.text == "SUCCESS":
return "ERR_LDAP_ERROR", 500
return "SUCCESS", 200
