def settings_page():
settings = forms.SettingsForm()
settings.about.data = current_user.about
if settings.is_submitted():
about = settings.about.data
current_user.edit_settings(about)
error = None
password_form = forms.ChangePasswordForm()
if password_form.is_submitted():
password = u.hash_password(password_form.password.data)
new_password = password_form.new_password.data
confirmation = password_form.confirmation.data
if password != current_user.hashed_password:
error = "Введен неверный пароль"
if new_password != confirmation:
error = "Пароль не совпадают"
if len(new_password) < 5:
error = "Новый пароль слишком короткий"
if error is None:
current_user.change_password(new_password)
return flask.render_template("pages/profile/settings.html",
user=current_user,
settings=settings,
password_form=password_form,
error=error)
def validate(self):
self.user = None
rv = BaseForm.validate(self)
if not rv:
return False
def fail():
self.password.errors.append('Invalid username or password.')
return False
user = User.query.filter(User.name == self.username.data).first()
if not user:
compare_digest(dummy_password, hash_password(self.password.data, 'the cake is a lie!'))
return fail()
if not compare_digest(user.password, hash_password(self.password.data, user.salt)):
return fail()
if not user.active:
self.username.errors.append('Account is disabled.')
return False
self.user = user
return True
def wrapper(db, *args, **kwargs):
user = User()
user.active = active
user.name = username
user.password = password if password else username
user.role = role
user.email = email if email else '{}@cyber.cyber'.format(username)
user.salt = salt if salt else random_string()
user.password = hash_password(user.password, user.salt)
db.session.add(user)
db.session.commit()
func(db=db, *args, **kwargs)
def validate(self):
self.user = None
rv = BaseForm.validate(self)
if not rv:
return False
def fail():
self.password.errors.append(ERROR_INVALID_USERNAME_PASSWORD)
return False
user = User.query.filter(User.name == self.username.data).first()
if not user:
compare_digest(
dummy_password,
hash_password(self.password.data, 'the cake is a lie!'))
return fail()
if not compare_digest(user.password,
hash_password(self.password.data, user.salt)):
return fail()
if not user.active:
self.username.errors.append(ERROR_ACCOUNT_DISABLED)
return False
self.user = user
return True
def edit_user(username):
own_user = username == current_user.name
if not current_user.role.is_administrator and not own_user:
forbidden()
user = User.query.filter_by(name=username).first()
if not user:
return not_found()
form = UserForm(edit=True)
if not form.is_submitted():
form.username.data = user.name
form.email.data = user.email
form.role.data = user.role.name
form.active.data = user.active
if not form.validate_on_submit():
return render_template('admin/form/user.html',
title='Edit {}'.format(username),
form=form,
User=User,
random_password=True,
password_length={'min': TRACKER_PASSWORD_LENGTH_MIN,
'max': TRACKER_PASSWORD_LENGTH_MAX})
active_admins = User.query.filter_by(active=True, role=UserRole.administrator).count()
if user.id == current_user.id and 1 == active_admins and not form.active.data:
return forbidden()
user.name = form.username.data
user.email = form.email.data
user.role = UserRole.fromstring(form.role.data)
if form.random_password.data:
form.password.data = random_string()
if 0 != len(form.password.data):
user.salt = random_string()
user.password = hash_password(form.password.data, user.salt)
user.active = form.active.data
user_invalidate(user)
db.session.commit()
flash_password = ''
if form.random_password.data:
flash_password = '******'.format(form.password.data)
flash('Edited user {}{}'.format(user.name, flash_password))
return redirect('/user')
def edit_own_user_profile():
form = UserPasswordForm()
if not form.validate_on_submit():
return render_template('form/profile.html',
title='Edit profile',
form=form,
password_length={
'min': TRACKER_PASSWORD_LENGTH_MIN,
'max': TRACKER_PASSWORD_LENGTH_MAX
})
user = current_user
user.salt = random_string()
user.password = hash_password(form.password.data, user.salt)
db.session.commit()
flash('Profile saved')
return redirect('/')
def validate(self):
rv = BaseForm.validate(self)
if not rv:
return False
if current_user.name in self.password.data:
self.password.errors.append(
'Password must not contain the username.')
return False
if self.password.data != self.password.data:
self.password_repeat.errors.append('Repeated password mismatches.')
return False
if not compare_digest(
current_user.password,
hash_password(self.password_current.data, current_user.salt)):
self.password_current.errors.append('Current password incorrect.')
return False
return True
def validate(self):
rv = BaseForm.validate(self)
if not rv:
return False
if current_user.name in self.password.data:
self.password.errors.append(ERROR_PASSWORD_CONTAINS_USERNAME)
return False
if self.password.data != self.password_repeat.data:
self.password_repeat.errors.append(
ERROR_PASSWORD_REPEAT_MISMATCHES)
return False
if not compare_digest(
current_user.password,
hash_password(self.password_current.data, current_user.salt)):
self.password_current.errors.append(ERROR_PASSWORD_INCORRECT)
return False
return True
def create_user():
form = UserForm()
if not form.validate_on_submit():
return render_template('admin/form/user.html',
title='Create user',
form=form,
User=User,
password_length={'min': TRACKER_PASSWORD_LENGTH_MIN,
'max': TRACKER_PASSWORD_LENGTH_MAX})
password = random_string() if not form.password.data else form.password.data
salt = random_string()
user = db.create(User,
name=form.username.data,
email=form.email.data,
salt=salt,
password=hash_password(password, salt),
role=UserRole.fromstring(form.role.data),
active=form.active.data)
db.session.commit()
flash('Created user {} with password {}'.format(user.name, password))
return redirect('/user')
from .base import BaseForm
from config import TRACKER_PASSWORD_LENGTH_MIN, TRACKER_PASSWORD_LENGTH_MAX
from app.model.user import User
from app.user import hash_password, random_string
from wtforms import StringField, PasswordField, SubmitField
from wtforms.validators import DataRequired, Length
from hmac import compare_digest
ERROR_INVALID_USERNAME_PASSWORD = '******'
ERROR_ACCOUNT_DISABLED = 'Account is disabled.'
dummy_password = hash_password(random_string(), random_string())
class LoginForm(BaseForm):
username = StringField(
u'Username', validators=[DataRequired(),
Length(max=User.NAME_LENGTH)])
password = PasswordField(u'Password',
validators=[
DataRequired(),
Length(min=TRACKER_PASSWORD_LENGTH_MIN,
max=TRACKER_PASSWORD_LENGTH_MAX)
])
login = SubmitField(u'login')
def validate(self):
self.user = None
rv = BaseForm.validate(self)
if not rv:
return False