implement forced password change for generated passwords

2021-02-08 18:30:54 +01:00
parent ed6594401c
commit 331e9627d6
7 changed files with 93 additions and 23 deletions
--- a/owrx/controllers/admin.py
+++ b/owrx/controllers/admin.py
@ -10,33 +10,36 @@ logger = logging.getLogger(__name__)


 class Authentication(object):
-    def isAuthenticated(self, request):
+    def getUser(self, request):
        if "owrx-session" not in request.cookies:
-            return False
+            return None
        session = SessionStorage.getSharedInstance().getSession(request.cookies["owrx-session"].value)
        if session is None:
-            return False
+            return None
        if "user" not in session:
-            return False
+            return None
        userList = UserList.getSharedInstance()
        try:
-            user = userList[session["user"]]
-            return user.is_enabled()
+            return userList[session["user"]]
        except KeyError:
-            return False
+            return None


 class AdminController(WebpageController):
    def __init__(self, handler, request, options):
        self.authentication = Authentication()
+        self.user = self.authentication.getUser(request)
        super().__init__(handler, request, options)

+    def isAuthorized(self):
+        return self.user is not None and self.user.is_enabled() and not self.user.must_change_password
+
    def handle_request(self):
        config = Config.get()
        if "webadmin_enabled" not in config or not config["webadmin_enabled"]:
            self.send_response("Web Admin is disabled", code=403)
            return
-        if self.authentication.isAuthenticated(self.request):
+        if self.isAuthorized():
            super().handle_request()
        else:
            target = "/login?{0}".format(parse.urlencode({"ref": self.request.path}))
--- a/owrx/controllers/profile.py
+++ b/owrx/controllers/profile.py
@ -0,0 +1,23 @@
+from owrx.controllers.admin import AdminController
+from owrx.users import UserList, DefaultPasswordClass
+from urllib.parse import parse_qs
+
+
+class ProfileController(AdminController):
+    def isAuthorized(self):
+        return self.user is not None and self.user.is_enabled() and self.user.must_change_password
+
+    def indexAction(self):
+        self.serve_template("pwchange.html", **self.template_variables())
+
+    def processPwChange(self):
+        data = parse_qs(self.get_body().decode("utf-8"))
+        data = {k: v[0] for k, v in data.items()}
+        userlist = UserList.getSharedInstance()
+        if "password" in data and "confirm" in data and data["password"] == data["confirm"]:
+            self.user.setPassword(DefaultPasswordClass(data["password"]), must_change_password=False)
+            userlist.store()
+            target = self.request.query["ref"][0] if "ref" in self.request.query else "/settings"
+        else:
+            target = "/pwchange"
+        self.send_redirect(target)
--- a/owrx/controllers/session.py
+++ b/owrx/controllers/session.py
@ -1,5 +1,5 @@
 from .template import WebpageController
-from urllib.parse import parse_qs
+from urllib.parse import parse_qs, urlencode
 from uuid import uuid4
 from http.cookies import SimpleCookie
 from owrx.users import UserList
@ -51,6 +51,8 @@ class SessionController(WebpageController):
                    cookie = SimpleCookie()
                    cookie["owrx-session"] = key
                    target = self.request.query["ref"][0] if "ref" in self.request.query else "/settings"
+                    if user.must_change_password:
+                        target = "/pwchange?{0}".format(urlencode({"ref": target}))
                    self.send_redirect(target, cookies=cookie)
                    return
        self.send_redirect("/login")