From b4e8ce72262ac0e2172e19aaad0176b75772e559 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Fri, 29 Jun 2018 16:33:16 +0200
Subject: [PATCH 3/5] views: ask for new passord on unlink only if logged using FC (#24835)
---
 src/authentic2_auth_fc/views.py | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/authentic2_auth_fc/views.py b/src/authentic2_auth_fc/views.py
index e1d41f1..63aa9fa 100644
--- a/src/authentic2_auth_fc/views.py
+++ b/src/authentic2_auth_fc/views.py
@@ -478,30 +478,35 @@ class UnlinkView(LoggerMixin, FormView):

 def get_form_class(self):
 form_class = Form
- if not self.request.user.has_usable_password():
+ if self.must_set_password():
 form_class = SET_PASSWORD_FORM_CLASS
 return form_class

 def get_form_kwargs(self, **kwargs):
 kwargs = super(UnlinkView, self).get_form_kwargs(**kwargs)
- if not self.request.user.has_usable_password():
+ if self.must_set_password():
 kwargs['user'] = self.request.user
 return kwargs

+ def must_set_password(self):
+ for event in self.request.session.get(constants.AUTHENTICATION_EVENTS_SESSION_KEY, []):
+ if event['how'].startswith('password'):
+ return False
+ return True
+
 def dispatch(self, request, *args, **kwargs):
 if not request.user.is_authenticated():
 raise PermissionDenied()
 # We prevent unlinking if the user has no usable password and can't change it
 # because we assume that the password is the unique other mean of authentication
 # and unlinking would make the account unreachable.
- if not request.user.has_usable_password() and not \
- a2_app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD:
+ if self.must_set_password() and not a2_app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD:
 # Prevent access to the view.
 raise Http404
 return super(UnlinkView, self).dispatch(request, *args, **kwargs)

 def form_valid(self, form):
- if not self.request.user.has_usable_password():
+ if self.must_set_password():
 form.save()
 self.logger.info(u'user %s has set a password', self.request.user)
 links = models.FcAccount.objects.filter(user=self.request.user)
@@ -514,7 +519,7 @@ class UnlinkView(LoggerMixin, FormView):

 def get_context_data(self, **kwargs):
 context = super(UnlinkView, self).get_context_data(**kwargs)
- if not self.request.user.has_usable_password():
+ if self.must_set_password():
 context['no_password'] = True
 return context

--
2.18.0
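Review bot: `must_set_password()` decides from session events alone and no longer consults `has_usable_password()`, so the lock-out guard in `dispatch` and the `form.save()` branch in `form_valid` (whose body continues past the hunk) now assume that a `password*` event in the session implies a usable password on the account. Starting the method with `if not self.request.user.has_usable_password(): return True` would keep the old invariant whatever the session holds. The test is also negative: any login whose `how` does not start with `password` is treated like FranceConnect, which is broader than the subject line if other authenticators are enabled, and for such a session an existing password is replaced through `SET_PASSWORD_FORM_CLASS`, presumably without asking for the current one, so it is worth confirming that this is intended. The comment above the `dispatch` check still describes the old condition and should be updated, and `event['how']` raises `KeyError` on an event that lacks the key, where `event.get('how', '')` would not.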