From de0b31d7b6c2dcd9edc72c3dd2a103c8ef7ab1bd Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Fri, 3 May 2019 09:57:28 +0200 Subject: [PATCH] use utils.can_change_password() everywhere (#32760) --- src/authentic2/profile_urls.py | 4 ++-- .../templates/authentic2/login_password_profile.html | 4 ++-- src/authentic2/utils.py | 6 +++++- src/authentic2/views.py | 11 ++++++----- 4 files changed, 15 insertions(+), 10 deletions(-) diff --git a/src/authentic2/profile_urls.py b/src/authentic2/profile_urls.py index 10538fed..f27ab78b 100644 --- a/src/authentic2/profile_urls.py +++ b/src/authentic2/profile_urls.py @@ -7,7 +7,7 @@ from django.contrib import messages from django.utils.translation import ugettext as _ from django.views.decorators.debug import sensitive_post_parameters -from authentic2.utils import import_module_or_class, redirect +from authentic2.utils import import_module_or_class, redirect, user_can_change_password from . import app_settings, decorators, profile_views, hooks from .views import (logged_in, edit_profile, email_change, email_change_verify, profile) @@ -27,7 +27,7 @@ def password_change_view(request, *args, **kwargs): post_change_redirect = request.GET[REDIRECT_FIELD_NAME] elif post_change_redirect is None: post_change_redirect = reverse('account_management') - if not request.user.can_change_password(): + if not user_can_change_password(request=request): messages.warning(request, _('Password change is forbidden')) return redirect(request, post_change_redirect) if 'cancel' in request.POST: diff --git a/src/authentic2/templates/authentic2/login_password_profile.html b/src/authentic2/templates/authentic2/login_password_profile.html index 90febe6d..8b359bae 100644 --- a/src/authentic2/templates/authentic2/login_password_profile.html +++ b/src/authentic2/templates/authentic2/login_password_profile.html @@ -1,12 +1,12 @@ {% load i18n %} -{% if user.can_change_password %} +{% if can_change_password %}

{% trans "Password" %}

- {% if user.has_usable_password %} + {% if has_usable_password %} {% trans "Change your password" %} {% else %} {% trans "Set your password" %} diff --git a/src/authentic2/utils.py b/src/authentic2/utils.py index 616be58f..baf20d8f 100644 --- a/src/authentic2/utils.py +++ b/src/authentic2/utils.py @@ -1098,10 +1098,14 @@ def get_user_flag(user, name, default=None): return default -def user_can_change_password(user, request=None): +def user_can_change_password(user=None, request=None): from . import hooks if not app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD: return False + if request is not None and user is None and hasattr(request, 'user'): + user = request.user + if user is not None and hasattr(user, 'can_change_password') and user.can_change_password() is False: + return False for can in hooks.call_hooks('user_can_change_password', user=user, request=request): if can is False: return can diff --git a/src/authentic2/views.py b/src/authentic2/views.py index 6a67a5de..fdcc6022 100644 --- a/src/authentic2/views.py +++ b/src/authentic2/views.py @@ -502,7 +502,7 @@ class ProfileView(cbv.TemplateNamesMixin, TemplateView): 'allow_profile_edit': EditProfile.can_edit_profile(), 'allow_email_change': app_settings.A2_PROFILE_CAN_CHANGE_EMAIL, # TODO: deprecated should be removed when publik-base-theme is updated - 'allow_password_change': utils.user_can_change_password(user=request.user, request=request), + 'allow_password_change': utils.user_can_change_password(request=request), 'federation_management': federation_management, }) hooks.call_hooks('modify_context_data', self, context) 
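Review bot: `{% if can_change_password %}` and `{% if has_usable_password %}` now read bare context variables, which Django treats as false when they are absent, so a renderer that does not supply them silently hides the password block or shows "Set your password" to a user who already has one. `login_password_profile` in views.py supplies both in this commit, but it renders `auth/login_password_profile.html` first, and a theme override that still tests `user.can_change_password` would keep bypassing the setting and hook checks; such overrides are not visible here and should be checked. A short template comment such as `{# expects: can_change_password, has_usable_password #}` at the top would document the contract.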
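Review bot: The new per-user check in `user_can_change_password` fails open: it denies only when `user.can_change_password()` returns the literal `False`, and it is skipped entirely when no user can be resolved (both arguments `None`, a request without `user`, or an object lacking the method). For a permission decision I would deny on any falsy result, `if user is not None and hasattr(user, 'can_change_password') and not user.can_change_password(): return False`, and, unless some caller legitimately has no user, add `if user is None: return False` right after the `request.user` fallback. The function's tail is outside the hunk, so what it returns when no hook objects is not visible here. The call sites changed in profile_urls.py and views.py now pass only `request=request` and depend on this fallback, and the patch touches no test file, so a test for the denial path is worth adding, along with a docstring stating the precedence (setting, then model method, then hooks).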
@@ -581,11 +581,12 @@ def logout(request, next_url=None, default_next_url='auth_homepage', def login_password_profile(request, *args, **kwargs): context = kwargs.pop('context', {}) - can_change_password = utils.user_can_change_password(user=request.user, request=request) + can_change_password = utils.user_can_change_password(request=request) has_usable_password = request.user.has_usable_password() - context.update( - {'can_change_password': can_change_password, - 'has_usable_password': has_usable_password}) + context.update({ + 'can_change_password': can_change_password, + 'has_usable_password': has_usable_password, + }) return render_to_string(['auth/login_password_profile.html', 'authentic2/login_password_profile.html'], context, request=request) -- 2.20.1