0001-disable-password-change-for-LDAP-backend-without-use.patch
src/authentic2/backends/ldap_backend.py | ||
---|---|---|
182 | 182 |
self.set_unusable_password() |
183 | 183 | |
184 | 184 |
def has_usable_password(self): |
185 |
return self.block['user_can_change_password']
|
|
185 |
return True
|
|
186 | 186 | |
187 | 187 |
def get_connection(self): |
188 | 188 |
ldap_password = self.get_password_in_session() |
... | ... | |
210 | 210 |
def can_reset_password(self): |
211 | 211 |
return self.block['can_reset_password'] |
212 | 212 | |
213 |
def can_change_password(self): |
|
214 |
return app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD and self.block['user_can_change_password'] |
|
215 | ||
213 | 216 | |
214 | 217 |
class LDAPBackend(object): |
215 | 218 |
_DEFAULTS = { |
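Review bot: Reporting a usable password unconditionally (`return True` at line 185, read here as the new side because the rendered gutters do not mark which copy is old) sits next to context line 182, which calls `self.set_unusable_password()` on the same object, so any caller that consults `has_usable_password()` to decide whether a user may authenticate locally or receive a reset will now see True for every LDAP user, and that decoupling deserves a docstring. Something like `"""Always True: the password lives in the directory, not in the local hash (see set_unusable_password); use can_change_password() to gate the change UI."""` keeps the next reader from "fixing" it back. The new `can_change_password` indexes `self.block['user_can_change_password']` directly, which is fine only if the `_DEFAULTS` dict whose header closes this hunk always supplies the key; otherwise a block missing it raises KeyError instead of denying, and `self.block.get('user_can_change_password', False)` would fail closed. The enclosing class begins outside the hunk.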
src/authentic2/custom_user/models.py | ||
---|---|---|
252 | 252 | |
253 | 253 |
def can_reset_password(self): |
254 | 254 |
return self.has_usable_password() |
255 | ||
256 |
def can_change_password(self): |
|
257 |
return app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD |
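Review bot: The new `can_change_password` on the custom user model returns the raw setting with no docstring, yet it is the default that the template hunk on this page relies on through `{% if user.can_change_password %}` and that profile_urls.py calls in its new guard, so its contract should be stated. A one-line docstring such as `"""Whether this user may change their password; backends (e.g. the LDAP user) override this with their own policy."""` would do, and `return bool(app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD)` would pin the return type to what the `if not request.user.can_change_password()` check expects. Whether `app_settings` is already imported in models.py is not visible in this hunk. The enclosing class starts outside the hunk.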
src/authentic2/profile_urls.py | ||
---|---|---|
26 | 26 |
post_change_redirect = request.GET[REDIRECT_FIELD_NAME] |
27 | 27 |
elif post_change_redirect is None: |
28 | 28 |
post_change_redirect = reverse('account_management') |
29 |
if not request.user.can_change_password(): |
|
30 |
messages.warning(request, _('Password change is forbidden')) |
|
31 |
return redirect(request, post_change_redirect) |
|
29 | 32 |
if 'cancel' in request.POST: |
30 | 33 |
return redirect(request, post_change_redirect) |
31 | 34 |
kwargs['post_change_redirect'] = post_change_redirect |
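Review bot: The new guard at lines 29–31 redirects a user who is not allowed to change their password to `post_change_redirect`, which on context line 26 is taken verbatim from `request.GET[REDIRECT_FIELD_NAME]`; unless authentic2's `redirect` helper validates the target's host, this is a second path (alongside the existing `cancel` branch) where a query-string value supplied by whoever crafted the link decides where the browser lands after the warning is queued. Validating the parameter once where it is read, e.g. with Django's `is_safe_url` or `url_has_allowed_host_and_scheme` (whichever the project's Django version provides) and falling back to `reverse('account_management')` otherwise, would cover both branches. The check also assumes `request.user` has a `can_change_password` method, i.e. that only authenticated users reach this view; if an anonymous request can hit it, `AnonymousUser` has no such method and the view raises instead of redirecting. The enclosing view function starts outside the hunk.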
src/authentic2/templates/authentic2/login_password_profile.html | ||
---|---|---|
1 | 1 |
{% load i18n %} |
2 | 2 | |
3 |
{% if can_change_password %} |
|
3 |
{% if user.can_change_password %}
|
|
4 | 4 |
<h4>{% trans "Password" %}</h4> |
5 | 5 | |
6 | 6 |
<div> |
7 | 7 |
<p> |
8 | 8 |
<a href="{% url 'password_change' %}"> |
9 |
{% if has_usable_password %} |
|
9 |
{% if user.has_usable_password %}
|
|
10 | 10 |
{% trans "Change your password" %} |
11 | 11 |
{% else %} |
12 | 12 |
{% trans "Set your password" %} |
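Review bot: The "Set your password" label at lines 11–12 becomes unreachable for LDAP users once `user.has_usable_password` (line 9) is the LDAP override shown on this page, assuming its new side is the unconditional `return True`; that is plausibly intended, since their password lives in the directory, but nothing in the template says so. A template comment such as `{# LDAP users always report a usable password, so only the label differs; access itself is enforced in the password_change view #}` would record it. Note that the old context variables `can_change_password` and `has_usable_password` are no longer read, so a view that still places them in the context (none is visible here) now has no effect on this template.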
src/authentic2/views.py | ||
---|---|---|
501 | 501 |
'allow_account_deletion': app_settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT, |
502 | 502 |
'allow_profile_edit': EditProfile.can_edit_profile(), |
503 | 503 |
'allow_email_change': app_settings.A2_PROFILE_CAN_CHANGE_EMAIL, |
504 |
'allow_password_change': app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD, |
|
504 |
# TODO: deprecated should be removed when publik-base-theme is updated |
|
505 |
'allow_password_change': request.user.can_change_password(), |
|
505 | 506 |
'federation_management': federation_management, |
506 | 507 |
}) |
507 | 508 |
hooks.call_hooks('modify_context_data', self, context_instance) |
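Review bot: The `# TODO: deprecated` comment at line 504 says the `allow_password_change` context key is on its way out but not what replaces it or what exactly is waiting on publik-base-theme, so the next reader cannot tell when it is safe to delete. Making it `# TODO: deprecated, templates should read user.can_change_password directly; drop this key once publik-base-theme no longer uses allow_password_change` states the exit condition. The value is now `request.user.can_change_password()`, a per-user method rather than the global setting, which assumes `request.user` is authenticated at this point (plausible for a profile context, but not visible in the hunk). The enclosing method starts outside the hunk.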
tests/test_ldap.py | ||
---|---|---|
528 | 528 |
with pytest.raises(ldap.INVALID_CREDENTIALS): |
529 | 529 |
slapd.get_connection().bind_s(DN, PASS) |
530 | 530 |
assert not User.objects.get().has_usable_password() |
531 | ||
532 | ||
533 |
def test_user_cannot_change_password(slapd, settings, app, db): |
|
534 |
settings.LDAP_AUTH_SETTINGS = [{ |
|
535 |
'url': [slapd.ldap_url], |
|
536 |
'binddn': slapd.root_bind_dn, |
|
537 |
'bindpw': slapd.root_bind_password, |
|
538 |
'basedn': 'o=orga', |
|
539 |
'use_tls': False, |
|
540 |
'user_can_change_password': False, |
|
541 |
}] |
|
542 |
User = get_user_model() |
|
543 |
assert User.objects.count() == 0 |
|
544 |
# first login |
|
545 |
response = app.get('/login/') |
|
546 |
response.form['username'] = USERNAME |
|
547 |
response.form['password'] = PASS |
|
548 |
response = response.form.submit('login-password-submit').follow() |
|
549 |
response = response.click('Your account') |
|
550 |
assert 'Password' not in response |
|
551 |
response = app.get('/accounts/password/change/') |
|
552 |
assert response['Location'].endswith('/accounts/') |
|
531 |
- |
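Review bot: `test_user_cannot_change_password` only exercises the GET side of the new block: it checks that the link is absent and that `app.get('/accounts/password/change/')` redirects, but never submits the change form, so a regression that gated only the page render while still accepting a POST would pass. Adding `response = app.post('/accounts/password/change/', {'old_password': PASS, 'new_password1': 'x', 'new_password2': 'x'}); assert response['Location'].endswith('/accounts/')` (field names to be taken from the project's actual form) would pin the server-side check. `assert 'Password' not in response` is also a broad substring match that any unrelated "Password" text on the account page would break; asserting that the `password_change` URL is absent from the page is more precise. The trailing `531 | -` at the end of the section looks like a rendering artefact of a removed line (or a missing trailing newline) rather than code and is not reviewed here.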