0001-disable-password-change-for-LDAP-backend-without-use.patch
| src/authentic2/backends/ldap_backend.py | ||
|---|---|---|
| 182 | 182 |
self.set_unusable_password() |
| 183 | 183 | |
| 184 | 184 |
def has_usable_password(self): |
| 185 |
return self.block['user_can_change_password']
|
|
| 185 |
return True
|
|
| 186 | 186 | |
| 187 | 187 |
def get_connection(self): |
| 188 | 188 |
ldap_password = self.get_password_in_session() |
| ... | ... | |
| 210 | 210 |
def can_reset_password(self): |
| 211 | 211 |
return self.block['can_reset_password'] |
| 212 | 212 | |
| 213 |
def can_change_password(self): |
|
| 214 |
return app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD and self.block['user_can_change_password'] |
|
| 215 | ||
| 213 | 216 | |
| 214 | 217 |
class LDAPBackend(object): |
| 215 | 218 |
_DEFAULTS = {
|
| src/authentic2/custom_user/models.py | ||
|---|---|---|
| 252 | 252 | |
| 253 | 253 |
def can_reset_password(self): |
| 254 | 254 |
return self.has_usable_password() |
| 255 | ||
| 256 |
def can_change_password(self): |
|
| 257 |
return app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD |
|
| src/authentic2/profile_urls.py | ||
|---|---|---|
| 26 | 26 |
post_change_redirect = request.GET[REDIRECT_FIELD_NAME] |
| 27 | 27 |
elif post_change_redirect is None: |
| 28 | 28 |
post_change_redirect = reverse('account_management')
|
| 29 |
if not request.user.can_change_password(): |
|
| 30 |
messages.warning(request, _('Password change is forbidden'))
|
|
| 31 |
return redirect(request, post_change_redirect) |
|
| 29 | 32 |
if 'cancel' in request.POST: |
| 30 | 33 |
return redirect(request, post_change_redirect) |
| 31 | 34 |
kwargs['post_change_redirect'] = post_change_redirect |
| src/authentic2/templates/authentic2/login_password_profile.html | ||
|---|---|---|
| 1 | 1 |
{% load i18n %}
|
| 2 | 2 | |
| 3 |
{% if can_change_password %}
|
|
| 3 |
{% if user.can_change_password %}
|
|
| 4 | 4 |
<h4>{% trans "Password" %}</h4>
|
| 5 | 5 | |
| 6 | 6 |
<div> |
| 7 | 7 |
<p> |
| 8 | 8 |
<a href="{% url 'password_change' %}">
|
| 9 |
{% if has_usable_password %}
|
|
| 9 |
{% if user.has_usable_password %}
|
|
| 10 | 10 |
{% trans "Change your password" %}
|
| 11 | 11 |
{% else %}
|
| 12 | 12 |
{% trans "Set your password" %}
|
| src/authentic2/views.py | ||
|---|---|---|
| 501 | 501 |
'allow_account_deletion': app_settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT, |
| 502 | 502 |
'allow_profile_edit': EditProfile.can_edit_profile(), |
| 503 | 503 |
'allow_email_change': app_settings.A2_PROFILE_CAN_CHANGE_EMAIL, |
| 504 |
'allow_password_change': app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD, |
|
| 504 |
# TODO: deprecated should be removed when publik-base-theme is updated |
|
| 505 |
'allow_password_change': request.user.can_change_password(), |
|
| 505 | 506 |
'federation_management': federation_management, |
| 506 | 507 |
}) |
| 507 | 508 |
hooks.call_hooks('modify_context_data', self, context_instance)
|
| tests/test_ldap.py | ||
|---|---|---|
| 528 | 528 |
with pytest.raises(ldap.INVALID_CREDENTIALS): |
| 529 | 529 |
slapd.get_connection().bind_s(DN, PASS) |
| 530 | 530 |
assert not User.objects.get().has_usable_password() |
| 531 | ||
| 532 | ||
| 533 |
def test_user_cannot_change_password(slapd, settings, app, db): |
|
| 534 |
settings.LDAP_AUTH_SETTINGS = [{
|
|
| 535 |
'url': [slapd.ldap_url], |
|
| 536 |
'binddn': slapd.root_bind_dn, |
|
| 537 |
'bindpw': slapd.root_bind_password, |
|
| 538 |
'basedn': 'o=orga', |
|
| 539 |
'use_tls': False, |
|
| 540 |
'user_can_change_password': False, |
|
| 541 |
}] |
|
| 542 |
User = get_user_model() |
|
| 543 |
assert User.objects.count() == 0 |
|
| 544 |
# first login |
|
| 545 |
response = app.get('/login/')
|
|
| 546 |
response.form['username'] = USERNAME |
|
| 547 |
response.form['password'] = PASS |
|
| 548 |
response = response.form.submit('login-password-submit').follow()
|
|
| 549 |
response = response.click('Your account')
|
|
| 550 |
assert 'Password' not in response |
|
| 551 |
response = app.get('/accounts/password/change/')
|
|
| 552 |
assert response['Location'].endswith('/accounts/')
|
|
| 531 |
- |
|