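def route_recover_with_secret(secret):
    """ Reset a user's password using the secret from a recovery email

    ``secret`` is the token stored in ``User.password_recovery`` when the
    recovery email was sent. On success a fresh random password is set,
    the recovery fields are cleared (so the token is single-use) and the
    new password is mailed to the user.

    :param secret: the recovery token taken from the emailed link
    :returns: a redirect to the index page in every case; the outcome is
              reported through a flash message
    """

    # fail closed on an empty/None secret before it reaches the query:
    # SQLAlchemy renders ``== None`` as ``IS NULL``, which would match every
    # user that has *no* pending recovery instead of matching nobody
    if not secret:
        flash('No user with that recovery password', 'danger')
        return redirect(url_for('main.route_index'), 302)

    # check we have the right token
    user = db.session.query(User).filter(User.password_recovery == secret).first()
    if not user:
        flash('No user with that recovery password', 'danger')
        return redirect(url_for('main.route_index'), 302)

    # user has since been disabled
    if user.auth_type == 'disabled':
        flash('User has been disabled since the recovery email was sent', 'danger')
        return redirect(url_for('main.route_index'), 302)

    # user waited too long; a token with no timestamp is treated as expired
    # rather than letting the datetime arithmetic raise a TypeError
    if user.password_recovery_ts is None or \
       datetime.datetime.utcnow() > user.password_recovery_ts + datetime.timedelta(hours=24):
        flash('More than 24 hours elapsed since the recovery email was sent', 'warning')
        return redirect(url_for('main.route_index'), 302)

    # password is stored hashed; clearing the recovery fields makes the
    # token single-use and password_ts=None marks the password as fresh
    password = _generate_password()
    user.password = password
    user.password_ts = None
    user.password_recovery = None
    user.password_recovery_ts = None
    user.mtime = datetime.datetime.utcnow()
    db.session.commit()

    # send email with the new credentials
    send_email("[LVFS] Your password has been reset",
               user.email_address,
               render_template('email-recover-password.txt',
                               user=user, password=password))
    flash('Your password has been reset and an email has been sent with the new details', 'info')
    return redirect(url_for('main.route_index'), 302)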
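def route_reset_by_admin(user_id):
    """ Reset the users password

    Generates a new random password for the given user and mails it to
    them. Requires the ``@manage-users`` ACL on the user's vendor.

    :param user_id: primary key of the user whose password is reset
    :returns: a redirect; the outcome is reported through a flash message
    """

    # check exists
    user = db.session.query(User).filter(User.user_id == user_id).first()
    if not user:
        flash('No user matched!', 'danger')
        # NOTE(review): this redirects with 422 where the sibling routes use
        # 302; a browser does not follow a 422 Location header. Left as-is
        # in case callers or tests expect the status code -- confirm.
        return redirect(url_for('main.route_dashboard'), 422)

    # security check
    if not user.vendor.check_acl('@manage-users'):
        flash('Permission denied: Unable to modify user as non-admin', 'danger')
        return redirect(url_for('main.route_dashboard'))

    # NOTE(review): user.auth_type is not checked here, so a password is
    # generated and mailed even for 'oauth' or 'disabled' accounts; whether
    # that is harmless depends on the login path honouring auth_type -- confirm.

    # password is stored hashed; also drop any pending self-service recovery
    # token, otherwise a recovery link issued before this reset would still
    # be able to override the password set by the admin for up to 24 hours
    password = _generate_password()
    user.password = password
    user.password_ts = None
    user.password_recovery = None
    user.password_recovery_ts = None
    user.mtime = datetime.datetime.utcnow()
    db.session.commit()

    # send email with the new credentials
    send_email("[LVFS] Your password has been reset",
               user.email_address,
               render_template('email-modify-password.txt',
                               user=user, password=password))
    flash('Password has been reset and an email has been sent to the user', 'info')
    return redirect(url_for('users.route_admin', user_id=user_id))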
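def route_user_create(vendor_id):
    """ Add a user to the vendor

    Reads ``username`` and ``display_name`` from the POSTed form, validates
    the username as an email address and (for non-admins) against the
    vendor's ``username_glob`` account policy, then creates either an
    ``oauth`` or a ``local`` user under ``vendor_id``. Local users are
    mailed their generated initial password.

    :param vendor_id: primary key of the vendor the user is added to
    :returns: a redirect; the outcome is reported through a flash message
    """

    # check exists
    vendor = db.session.query(Vendor).filter(Vendor.vendor_id == vendor_id).first()
    if not vendor:
        flash('Failed to modify vendor: No a vendor with that group ID', 'warning')
        return redirect(url_for('vendors.route_list'), 302)

    # security check
    if not vendor.check_acl('@manage-users'):
        flash('Permission denied: Unable to modify vendor as non-admin', 'danger')
        return redirect(url_for('vendors.route_show', vendor_id=vendor_id))

    # required form fields (display_name only has to be present, not non-empty)
    if not 'username' in request.form or not request.form['username']:
        flash('Unable to add user as no username', 'danger')
        return redirect(url_for('vendors.route_show', vendor_id=vendor_id))
    if not 'display_name' in request.form:
        flash('Unable to add user as no display_name', 'danger')
        return redirect(url_for('vendors.route_show', vendor_id=vendor_id))

    # usernames are normalised to lower case before the uniqueness check
    username = request.form['username'].lower()
    user = db.session.query(User).filter(User.username == username).first()
    if user:
        flash('Failed to add user: Username already exists', 'warning')
        return redirect(url_for('vendors.route_users', vendor_id=vendor_id), 302)

    # verify email
    if not _email_check(username):
        flash('Failed to add user: Invalid email address', 'warning')
        return redirect(url_for('users.route_list'), 302)

    # verify the username matches the allowed vendor glob; admins are exempt
    if not g.user.check_acl('@admin'):
        if not vendor.username_glob:
            flash('Failed to add user: '
                  'Admin has not set the account policy for this vendor', 'warning')
            return redirect(url_for('vendors.route_users', vendor_id=vendor_id), 302)
        if not _verify_username_vendor_glob(username, vendor.username_glob):
            flash('Failed to add user: '
                  'Email address does not match account policy %s' % vendor.username_glob, 'warning')
            return redirect(url_for('vendors.route_users', vendor_id=vendor_id), 302)

    # add user: the auth type follows the OAuth policy of the *target* vendor.
    # The original consulted g.user.vendor (the creating user's own vendor),
    # which is a different object whenever an admin creates a user for
    # another vendor and so picked the wrong auth_type in that case.
    if vendor.oauth_domain_glob:
        user = User(username=username,
                    display_name=request.form['display_name'],
                    auth_type='oauth',
                    vendor_id=vendor.vendor_id)
    else:
        user = User(username=username,
                    display_name=request.form['display_name'],
                    auth_type='local',
                    otp_secret=_otp_hash(),
                    vendor_id=vendor.vendor_id)

    # this is stored hashed; OAuth users also get a random password set but
    # it is never sent to them
    password = _generate_password()
    user.password = password
    db.session.add(user)
    db.session.commit()

    # send email with the initial credentials to local accounts only
    if user.auth_type == 'local':
        send_email("[LVFS] An account has been created",
                   user.email_address,
                   render_template('email-confirm.txt',
                                   user=user, password=password))

    # done!
    flash('Added user %i' % user.user_id, 'info')
    return redirect(url_for('vendors.route_users', vendor_id=vendor_id), 302)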