From 7902477b7bf0472d4fa3d3ea2aba8103e0b32e03 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Wed, 27 Jun 2018 20:00:57 +0200
Subject: [PATCH 3/3] app_settings: set password to random value by default (#24835)
---
 src/authentic2_auth_fc/app_settings.py | 1 +
 src/authentic2_auth_fc/views.py | 17 +++++++++++------
 tests/test_auth_fc.py | 3 +++
 3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/authentic2_auth_fc/app_settings.py b/src/authentic2_auth_fc/app_settings.py
index 9ce9a26..935b206 100644
--- a/src/authentic2_auth_fc/app_settings.py
+++ b/src/authentic2_auth_fc/app_settings.py
@@ -70,6 +70,7 @@ class AppSettings(object):
 'last_name': 'family_name',
 'first_name': 'given_name',
 'email': 'email',
+ 'password': {'compute': 'random'},
 })
 @property
diff --git a/src/authentic2_auth_fc/views.py b/src/authentic2_auth_fc/views.py
index e1d41f1..63aa9fa 100644
--- a/src/authentic2_auth_fc/views.py
+++ b/src/authentic2_auth_fc/views.py
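Review bot: The new default `'password': {'compute': 'random'}` says nothing about what `'random'` guarantees, and the handler that implements it is not in this patch, so a reader of app_settings.py cannot tell whether the generated value is unguessable. Because this value becomes a real login credential on every account created through this authenticator (the tests/test_auth_fc.py hunk checks `has_usable_password()` right after login), a comment next to the entry should state the requirement, e.g. `# 'random': unguessable value from a CSPRNG, never shown or logged; set only so` / `# the account can use the password-recovery flow.` Worth confirming in the compute handler that it draws from `secrets` or Django's `get_random_string` rather than the `random` module, and that deployments which do not want a password provisioned can still override this mapping.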
@@ -478,30 +478,35 @@ class UnlinkView(LoggerMixin, FormView):
 def get_form_class(self):
 form_class = Form
- if not self.request.user.has_usable_password():
+ if self.must_set_password():
 form_class = SET_PASSWORD_FORM_CLASS
 return form_class
 def get_form_kwargs(self, **kwargs):
 kwargs = super(UnlinkView, self).get_form_kwargs(**kwargs)
- if not self.request.user.has_usable_password():
+ if self.must_set_password():
 kwargs['user'] = self.request.user
 return kwargs
+ def must_set_password(self):
+ for event in self.request.session.get(constants.AUTHENTICATION_EVENTS_SESSION_KEY, []):
+ if event['how'].startswith('password'):
+ return False
+ return True
+
 def dispatch(self, request, *args, **kwargs):
 if not request.user.is_authenticated():
 raise PermissionDenied()
 # We prevent unlinking if the user has no usable password and can't change it
 # because we assume that the password is the unique other mean of authentication
 # and unlinking would make the account unreachable.
- if not request.user.has_usable_password() and not \
- a2_app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD:
+ if self.must_set_password() and not a2_app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD:
 # Prevent access to the view.
 raise Http404
 return super(UnlinkView, self).dispatch(request, *args, **kwargs)
 def form_valid(self, form):
- if not self.request.user.has_usable_password():
+ if self.must_set_password():
 form.save()
 self.logger.info(u'user %s has set a password', self.request.user)
 links = models.FcAccount.objects.filter(user=self.request.user)
@@ -514,7 +519,7 @@ class UnlinkView(LoggerMixin, FormView):
 def get_context_data(self, **kwargs):
 context = super(UnlinkView, self).get_context_data(**kwargs)
- if not self.request.user.has_usable_password():
+ if self.must_set_password():
 context['no_password'] = True
 return context
diff --git a/tests/test_auth_fc.py b/tests/test_auth_fc.py
index 7a132d6..9cb63b6 100644
--- a/tests/test_auth_fc.py
+++ b/tests/test_auth_fc.py
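Review bot: The three-line comment above the guard in `dispatch` still explains the check in terms of the user having no usable password, but the new condition `self.must_set_password()` looks only at the session's authentication events, so the comment now misdescribes the rule; it should read along the lines of `# We prevent unlinking if the user did not authenticate with a password in this session and can't set one, because ...`. `must_set_password` itself has no docstring; I would add `"""Return True unless a password-based authentication event is recorded in the session."""`, since the name suggests an account property rather than a session one. Dropping `has_usable_password()` entirely also means a user who holds a password but logged in through some other non-password mechanism is asked to set a new one on unlink, silently replacing the existing credential — probably intended, but worth stating in that docstring. `event['how']` raises `KeyError` on an event without that key, so `event.get('how', '')` is the defensive form if the session event format is not guaranteed elsewhere. The same condition swap in `get_context_data` (second hunk) raises nothing further.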
@@ -109,6 +109,9 @@ def test_login(app, fc_settings, caplog, exp):
 # we must be connected
 assert app.session['_auth_user_id']
 assert models.FcAccount.objects.count() == 1
+ # by default we set a random password on new users, so they can use the
+ # recover my password form
+ assert User.objects.get().has_usable_password()
 response = app.get('/accounts/')
 response = response.click('Delete link')
 response.form.set('new_password1', 'ikKL1234')
--
2.18.0
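Review bot: The new assertion only proves that a usable password hash exists; it would not catch a `'random'` handler that degenerates to a fixed or empty value, which is the failure mode that matters for a credential nobody is supposed to know. Adding `assert not User.objects.get().check_password('')` next to it is a cheap guard against the empty-string case, and a test that provisions two users through this flow could assert their password hashes differ. `User.objects.get()` also assumes exactly one user exists at this point, which the visible context suggests but does not show; test_login continues outside the hunk.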