def reset_email(userid, secret): logout_internal() user = User.query.filter_by(userid=userid).first() if not user: abort(404) resetreq = PasswordResetRequest.query.filter_by(user=user, reset_code=secret).first() if not resetreq: return render_message(title="Invalid reset link", message=Markup("The reset link you clicked on is invalid.")) if resetreq.created_at < datetime.utcnow() - timedelta(days=1): # Reset code has expired (> 24 hours). Delete it db.session.delete(resetreq) db.session.commit() return render_message(title="Expired reset link", message=Markup("The reset link you clicked on has expired.")) # Reset code is valid. Now ask user to choose a new password form = PasswordResetForm() if form.validate_on_submit(): user.password = form.password.data db.session.delete(resetreq) db.session.commit() return render_message(title="Password reset complete", message=Markup( 'Your password has been reset. You may now <a href="%s">login</a> with your new password.' % escape(url_for('login')))) return render_form(form=form, title="Reset password", formid='reset', submit="Reset password", message=Markup('Hello, <strong>%s</strong>. You may now choose a new password.' % user.fullname), ajax=True)
def client_edit(key): client = Client.query.filter_by(key=key).first_or_404() if not client.owner_is(g.user): abort(403) form = RegisterClientForm(obj=client) form.edit_obj = client form.client_owner.choices = available_client_owners() if request.method == 'GET': if client.user: form.client_owner.data = client.user.userid else: form.client_owner.data = client.org.userid if form.validate_on_submit(): if client.user != form.user or client.org != form.org: # Ownership has changed. Remove existing permission assignments for perm in UserClientPermissions.query.filter_by(client=client).all(): db.session.delete(perm) for perm in TeamClientPermissions.query.filter_by(client=client).all(): db.session.delete(perm) flash("This application’s owner has changed, so all previously assigned permissions " "have been revoked", "warning") form.populate_obj(client) client.user = form.user client.org = form.org db.session.commit() return render_redirect(url_for('client_info', key=client.key), code=303) return render_form(form=form, title="Edit application", formid="client_edit", submit="Save changes", ajax=True)
def resource_action_edit(key, idr, ida): client = Client.query.filter_by(key=key).first() if not client: abort(404) if client.user != g.user: abort(403) resource = Resource.query.get(idr) if not resource: abort(404) action = ResourceAction.query.get(ida) if not action: abort(404) form = ResourceActionForm() form.edit_id = None form.edit_resource = resource if request.method == 'GET': form.name.data = action.name form.title.data = action.title form.description.data = action.description if form.validate_on_submit(): form.populate_obj(action) db.session.commit() flash("Your action has been edited", "info") return render_redirect(url_for('client_info', key=key), code=303) return render_form(form=form, title="Edit action", formid="action_edit", submit="Save changes", ajax=True)
def add_email(): form = NewEmailAddressForm() if form.validate_on_submit(): useremail = UserEmailClaim(user=g.user, email=form.email.data) db.session.add(useremail) db.session.commit() send_email_verify_link(useremail) flash("We sent you an email to confirm your address.", "info") return render_redirect(url_for("profile"), code=303) return render_form(form=form, title="Add an email address", formid="email_add", submit="Add email", ajax=True)
def add_phone(): form = NewPhoneForm() if form.validate_on_submit(): userphone = UserPhoneClaim(user=g.user, phone=form.phone.data) db.session.add(userphone) send_phone_verify_code(userphone) db.session.commit() flash("We sent a verification code to your phone number.", "info") return render_redirect(url_for("verify_phone", number=userphone.phone), code=303) return render_form(form=form, title="Add a phone number", formid="phone_add", submit="Add phone", ajax=True)
def org_edit(name): org = Organization.query.filter_by(name=name).first_or_404() if g.user not in org.owners.users: abort(403) form = OrganizationForm(obj=org) form.edit_obj = org if form.validate_on_submit(): form.populate_obj(org) db.session.commit() return render_redirect(url_for('org_info', name=org.name), code=303) return render_form(form=form, title="New Organization", formid="org_edit", submit="Save", ajax=False)
def change_password(): if g.user.pw_hash is None: form = PasswordResetForm() else: form = PasswordChangeForm() if form.validate_on_submit(): g.user.password = form.password.data db.session.commit() flash("Your new password has been saved.", category="info") return render_redirect(url_for("profile"), code=303) return render_form(form=form, title="Change password", formid="changepassword", submit="Change password", ajax=True)
def org_new(): form = OrganizationForm() form.edit_obj = None if form.validate_on_submit(): org = Organization() form.populate_obj(org) org.owners.users.append(g.user) db.session.add(org) db.session.commit() return render_redirect(url_for('org_info', name=org.name), code=303) return render_form(form=form, title="New Organization", formid="org_new", submit="Create", ajax=False)
def team_new(name): org = Organization.query.filter_by(name=name).first_or_404() if g.user not in org.owners.users: abort(403) form = TeamForm() if form.validate_on_submit(): team = Team(org=org) form.populate_obj(team) db.session.add(team) db.session.commit() return render_redirect(url_for('org_info', name=org.name), code=303) return render_form(form=form, title=u"Create new team", formid='team_new', submit="Create", ajax=False)
def team_edit(name, userid): org = Organization.query.filter_by(name=name).first_or_404() if g.user not in org.owners.users: abort(403) team = Team.query.filter_by(org=org, userid=userid).first_or_404() form = TeamForm(obj=team) form.edit_obj = team if form.validate_on_submit(): form.populate_obj(team) db.session.commit() return render_redirect(url_for('org_info', name=org.name), code=303) return render_form(form=form, title=u"Edit team: %s" % team.title, formid='team_edit', submit="Save", ajax=False)
def permission_new(): form = PermissionForm() if form.validate_on_submit(): perm = Permission(user=g.user) form.populate_obj(perm) perm.allusers = False db.session.add(perm) db.session.commit() flash("Your new permission has been defined", "info") return render_redirect(url_for('permission_list'), code=303) return render_form(form=form, title="Define a new permission", formid="perm_new", submit="Define new permission", ajax=True)
def client_new(): form = RegisterClientForm() if form.validate_on_submit(): client = Client() form.populate_obj(client) client.user = g.user client.trusted = False db.session.add(client) db.session.commit() return render_redirect(url_for('client_info', key=client.key), code=303) return render_form(form=form, title="Register a new client application", formid="client_new", submit="Register application", ajax=True)
def profile_edit(): form = ProfileForm(obj=g.user) form.edit_obj = g.user if form.validate_on_submit(): form.populate_obj(g.user) db.session.commit() next_url = get_next_url() if next_url is not None: return render_redirect(next_url) else: flash("Your profile was successfully edited.", category="info") return render_redirect(url_for("profile"), code=303) return render_form(form, title="Edit profile", formid="profile_edit", submit="Save changes", ajax=True)
def resource_new(key): client = Client.query.filter_by(key=key).first_or_404() if not client.owner_is(g.user): abort(403) form = ResourceForm() form.edit_id = None if form.validate_on_submit(): resource = Resource(client=client) form.populate_obj(resource) db.session.add(resource) db.session.commit() flash("Your new resource has been saved", "info") return render_redirect(url_for('client_info', key=key), code=303) return render_form(form=form, title="Define a resource", formid="resource_new", submit="Define resource", ajax=True)
def register(): form = RegisterForm() if form.validate_on_submit(): user = register_internal(None, form.fullname.data, form.password.data) user.username = form.username.data or None useremail = UserEmailClaim(user=user, email=form.email.data) db.session.add(useremail) db.session.commit() send_email_verify_link(useremail) login_internal(user) flash("You are now one of us. Welcome aboard!", category='info') if 'next' in request.args: return redirect(request.args['next'], code=303) else: return redirect(url_for('index'), code=303) return render_form(form=form, title='Register an account', formid='register', submit='Register')
def reset(): # User wants to reset password # Ask for username or email, verify it, and send a reset code form = PasswordResetRequestForm() if form.validate_on_submit(): username = form.username.data user = form.user if "@" in username and not username.startswith("@"): # They provided an email address. Send reset email to that address email = username else: # Send to their existing address # User.email is a UserEmail object email = unicode(user.email) if not email: # They don't have an email address. Maybe they logged in via Twitter # and set a local username and password, but no email. Could happen. return render_message( title="Reset password", message=Markup( """ We do not have an email address for your account and therefore cannot email you a reset link. Please contact <a href="mailto:%s">%s</a> for assistance. """ % (escape(app.config["SITE_SUPPORT_EMAIL"]), escape(app.config["SITE_SUPPORT_EMAIL"])) ), ) resetreq = PasswordResetRequest(user=user) db.session.add(resetreq) send_password_reset_link(email=email, user=user, secret=resetreq.reset_code) db.session.commit() return render_message( title="Reset password", message=Markup( u""" You were sent an email at <code>%s</code> with a link to reset your password. Please check your email. If it doesn’t arrive in a few minutes, it may have landed in your spam or junk folder. The reset link is valid for 24 hours. """ % escape(email) ), ) return render_form(form=form, title="Reset password", submit="Send reset code", ajax=True)
def permission_edit(id): perm = Permission.query.get(id) if not perm: abort(404) form = PermissionForm() form.edit_id = id if request.method == 'GET': form.name.data = perm.name form.title.data = perm.title form.description.data = perm.description if form.validate_on_submit(): form.populate_obj(perm) db.session.commit() flash("Your permission has been saved", "info") return render_redirect(url_for('permission_list'), code=303) return render_form(form=form, title="Edit permission", formid="perm_edit", submit="Save changes", ajax=True)
def permission_new(): form = PermissionForm() form.context.choices = available_client_owners() if request.method == 'GET': form.context.data = g.user.userid if form.validate_on_submit(): perm = Permission() form.populate_obj(perm) perm.user = form.user perm.org = form.org perm.allusers = False db.session.add(perm) db.session.commit() flash("Your new permission has been defined", "info") return render_redirect(url_for('permission_list'), code=303) return render_form(form=form, title="Define a new permission", formid="perm_new", submit="Define new permission", ajax=True)
def register(): form = RegisterForm() if form.validate_on_submit(): user = register_internal(None, form.fullname.data, form.password.data) if form.username.data: user.username = form.username.data useremail = UserEmailClaim(user=user, email=form.email.data) db.session.add(useremail) db.session.commit() send_email_verify_link(useremail) login_internal(user) flash("You are now one of us. Welcome aboard!", category="info") if "next" in request.args: return redirect(request.args["next"], code=303) else: return redirect(url_for("index"), code=303) return render_form(form=form, title="Register an account", formid="register", submit="Register")
def permission_user_new(key): client = Client.query.filter_by(key=key).first() if not client: abort(404) if client.user != g.user: abort(403) available_perms = Permission.query.filter(db.or_(Permission.allusers == True, Permission.user == g.user)).order_by('name').all() form = UserPermissionAssignForm() form.perms.choices = [(ap.name, u"%s – %s" % (ap.name, ap.title)) for ap in available_perms] if form.validate_on_submit(): form.perms.data.sort() perms = u' '.join(form.perms.data) permassign = UserClientPermissions(user=form.user, client=client, permissions=perms) db.session.add(permassign) db.session.commit() flash("Permissions have been assigned to user %s" % form.user.displayname(), "info") return render_redirect(url_for('client_info', key=key), code=303) return render_form(form=form, title="Assign permissions", formid="perm_assign", submit="Assign permissions", ajax=True)
def verify_phone(number): phoneclaim = UserPhoneClaim.query.filter_by(phone=number).first_or_404() if phoneclaim.user != g.user: abort(403) form = VerifyPhoneForm() form.phoneclaim = phoneclaim if form.validate_on_submit(): if not g.user.phones: primary = True else: primary = False userphone = UserPhone(user=g.user, phone=phoneclaim.phone, gets_text=True, primary=primary) db.session.add(userphone) db.session.delete(phoneclaim) db.session.commit() flash("Your phone number has been verified.", "info") return render_redirect(url_for("profile"), code=303) return render_form(form=form, title="Verify phone number", formid="phone_verify", submit="Verify", ajax=True)
def client_new(): form = RegisterClientForm() form.client_owner.choices = available_client_owners() if request.method == 'GET': form.client_owner.data = g.user.userid if form.validate_on_submit(): client = Client() form.populate_obj(client) client.user = form.user client.org = form.org client.trusted = False db.session.add(client) db.session.commit() return render_redirect(url_for('client_info', key=client.key), code=303) return render_form(form=form, title="Register a new client application", formid="client_new", submit="Register application", ajax=True)
def resource_action_new(key, idr): client = Client.query.filter_by(key=key).first_or_404() if not client.owner_is(g.user): abort(403) resource = Resource.query.get_or_404(idr) if resource.client != client: abort(403) form = ResourceActionForm() form.edit_id = None form.edit_resource = resource if form.validate_on_submit(): action = ResourceAction(resource=resource) form.populate_obj(action) db.session.add(action) db.session.commit() flash("Your new action has been saved", "info") return render_redirect(url_for('client_info', key=key), code=303) return render_form(form=form, title="Define an action", formid="action_new", submit="Define action", ajax=True)
def permission_user_new(key): client = Client.query.filter_by(key=key).first_or_404() if not client.owner_is(g.user): abort(403) if client.user: available_perms = Permission.query.filter(db.or_( Permission.allusers == True, Permission.user == g.user)).order_by('name').all() form = UserPermissionAssignForm() elif client.org: available_perms = Permission.query.filter(db.or_( Permission.allusers == True, Permission.org == client.org)).order_by('name').all() form = TeamPermissionAssignForm() form.org = client.org form.team_id.choices = [(team.userid, team.title) for team in client.org.teams] else: abort(403) # This should never happen. Clients always have an owner. form.perms.choices = [(ap.name, u"%s – %s" % (ap.name, ap.title)) for ap in available_perms] if form.validate_on_submit(): perms = set() if client.user: permassign = UserClientPermissions.query.filter_by(user=form.user, client=client).first() if permassign: perms.update(permassign.permissions.split(u' ')) else: permassign = UserClientPermissions(user=form.user, client=client) db.session.add(permassign) else: permassign = TeamClientPermissions.query.filter_by(team=form.team, client=client).first() if permassign: perms.update(permassign.permissions.split(u' ')) else: permassign = TeamClientPermissions(team=form.team, client=client) db.session.add(permassign) perms.update(form.perms.data) permassign.permissions = u' '.join(sorted(perms)) db.session.commit() if client.user: flash("Permissions have been assigned to user %s" % form.user.pickername, "info") else: flash("Permissions have been assigned to team '%s'" % permassign.team.pickername, "info") return render_redirect(url_for('client_info', key=key), code=303) return render_form(form=form, title="Assign permissions", formid="perm_assign", submit="Assign permissions", ajax=True)
def profile_edit(): form = ProfileForm() if request.method == 'GET': form.fullname.data = g.user.fullname form.username.data = g.user.username form.description.data = g.user.description elif form.validate_on_submit(): g.user.fullname = form.fullname.data g.user.username = form.username.data or None g.user.description = form.description.data db.session.commit() next_url = get_next_url() if(next_url is not None): return render_redirect(next_url) else: flash("Your profile was successfully edited.", category='info') return render_redirect(url_for('profile'), code=303) return render_form(form, title="Edit profile", formid="profile_edit", submit="Save changes", ajax=True)
def resource_edit(key, idr): client = Client.query.filter_by(key=key).first_or_404() if not client.owner_is(g.user): abort(403) resource = Resource.query.get_or_404(idr) if resource.client != client: abort(403) form = ResourceForm() form.edit_id = idr if request.method == 'GET': form.name.data = resource.name form.title.data = resource.title form.description.data = resource.description form.siteresource.data = resource.siteresource if form.validate_on_submit(): form.populate_obj(resource) db.session.commit() flash("Your resource has been edited", "info") return render_redirect(url_for('client_info', key=key), code=303) return render_form(form=form, title="Edit resource", formid="resource_edit", submit="Save changes", ajax=True)
def permission_user_edit(key, userid): client = Client.query.filter_by(key=key).first_or_404() if not client.owner_is(g.user): abort(403) if client.user: user = User.query.filter_by(userid=userid).first_or_404() available_perms = Permission.query.filter(db.or_( Permission.allusers == True, Permission.user == g.user)).order_by('name').all() permassign = UserClientPermissions.query.filter_by(user=user, client=client).first_or_404() elif client.org: team = Team.query.filter_by(userid=userid).first_or_404() available_perms = Permission.query.filter(db.or_( Permission.allusers == True, Permission.org == client.org)).order_by('name').all() permassign = TeamClientPermissions.query.filter_by(team=team, client=client).first_or_404() form = PermissionEditForm() form.perms.choices = [(ap.name, u"%s – %s" % (ap.name, ap.title)) for ap in available_perms] if request.method == 'GET': if permassign: form.perms.data = permassign.permissions.split(u' ') if form.validate_on_submit(): form.perms.data.sort() perms = u' '.join(form.perms.data) if not perms: db.session.delete(permassign) else: permassign.permissions = perms db.session.commit() if perms: if client.user: flash("Permissions have been updated for user %s" % user.pickername, "info") else: flash("Permissions have been updated for team '%s'" % team.title, "info") else: if client.user: flash("All permissions have been revoked for user %s" % user.pickername, "info") else: flash("All permissions have been revoked for team '%s'" % team.title, "info") return render_redirect(url_for('client_info', key=key), code=303) return render_form(form=form, title="Edit permissions", formid="perm_edit", submit="Save changes", ajax=True)
def permission_edit(id): perm = Permission.query.get_or_404(id) if not perm.owner_is(g.user): abort(403) form = PermissionForm(obj=perm) form.context.choices = available_client_owners() form.edit_obj = perm if request.method == 'GET': if perm.user: form.context.data = perm.user.userid else: form.context.data = perm.org.userid if form.validate_on_submit(): form.populate_obj(perm) perm.user = form.user perm.org = form.org db.session.commit() flash("Your permission has been saved", "info") return render_redirect(url_for('permission_list'), code=303) return render_form(form=form, title="Edit permission", formid="perm_edit", submit="Save changes", ajax=True)
def permission_user_edit(key, userid): client = Client.query.filter_by(key=key).first() if not client: abort(404) if client.user != g.user: abort(403) user = User.query.filter_by(userid=userid).first() if not user: abort(404) available_perms = Permission.query.filter(Permission.allusers == True or Permission.user == g.user).order_by('name').all() permassign = UserClientPermissions.query.filter_by(user=user, client=client).first() form = UserPermissionEditForm() form.perms.choices = [(ap.name, u"%s – %s" % (ap.name, ap.title)) for ap in available_perms] if request.method == 'GET': if permassign: form.perms.data = permassign.permissions.split(u' ') if form.validate_on_submit(): form.perms.data.sort() perms = u' '.join(form.perms.data) if not perms: # No permissions specified. Delete this assignment if permassign: db.session.delete(permassign) elif not permassign: permassign = UserClientPermissions(user=user, client=client) permassign.permissions = perms db.session.add(permassign) else: permassign.permissions = perms db.session.commit() if perms: flash("Permissions have been updated for user %s" % user.displayname(), "info") else: flash("All permissions have been revoked for user %s" % user.displayname(), "info") return render_redirect(url_for('client_info', key=key), code=303) return render_form(form=form, title="Edit permissions", formid="perm_edit", submit="Save changes", ajax=True)
def client_edit(key): client = Client.query.filter_by(key=key).first() if not client: abort(404) if client.user != g.user: abort(403) form = RegisterClientForm() if request.method == 'GET': form.title.data = client.title form.description.data = client.description form.owner.data = client.owner form.website.data = client.website form.redirect_uri.data = client.redirect_uri form.notification_uri.data = client.notification_uri form.resource_uri.data = client.resource_uri form.allow_any_login.data = client.allow_any_login if form.validate_on_submit(): form.populate_obj(client) db.session.commit() return render_redirect(url_for('client_info', key=client.key), code=303) return render_form(form=form, title="Edit application", formid="client_edit", submit="Save changes", ajax=True)