| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198 |
- from django.contrib import auth
- from django.core.exceptions import ValidationError
- from django.utils.translation import ugettext as _
- from django.views.decorators.csrf import csrf_protect
- from rest_framework import status, viewsets
- from rest_framework.decorators import api_view, permission_classes
- from rest_framework.response import Response
- from misago.conf import settings
- from misago.core.mail import mail_user
- from ..bans import get_user_ban
- from ..forms.auth import AuthenticationForm, ResendActivationForm, ResetPasswordForm
- from ..serializers import AnonymousUserSerializer, AuthenticatedUserSerializer
- from ..tokens import is_password_change_token_valid, make_activation_token, make_password_change_token
- from ..validators import validate_password
- from .rest_permissions import UnbannedAnonOnly, UnbannedOnly
- def gateway(request):
- if request.method == 'POST':
- return login(request)
- else:
- return session_user(request)
- """
- POST /auth/ with CSRF, username and password
- will attempt to authenticate new user
- """
- @api_view(['POST'])
- @permission_classes((UnbannedAnonOnly,))
- @csrf_protect
- def login(request):
- form = AuthenticationForm(request, data=request.data)
- if form.is_valid():
- auth.login(request, form.user_cache)
- return Response(AuthenticatedUserSerializer(form.user_cache).data)
- else:
- return Response(form.get_errors_dict(),
- status=status.HTTP_400_BAD_REQUEST)
- """
- GET /auth/ will return current auth user, either User or AnonymousUser
- """
- @api_view()
- def session_user(request):
- if request.user.is_authenticated():
- UserSerializer = AuthenticatedUserSerializer
- else:
- UserSerializer = AnonymousUserSerializer
- return Response(UserSerializer(request.user).data)
- """
- GET /auth/criteria/ will return password and username criteria for accounts
- """
- @api_view(['GET'])
- def get_criteria(request):
- criteria = {
- 'username': {
- 'min_length': settings.username_length_min,
- 'max_length': settings.username_length_max,
- },
- 'password': [],
- }
- for validator in settings.AUTH_PASSWORD_VALIDATORS:
- validator_dict = {
- 'name': validator['NAME'].split('.')[-1]
- }
- validator_dict.update(validator.get('OPTIONS', {}))
- criteria['password'].append(validator_dict)
- return Response(criteria)
- """
- POST /auth/send-activation/ with CSRF token and email
- will mail account activation link to requester
- """
- @api_view(['POST'])
- @permission_classes((UnbannedAnonOnly,))
- @csrf_protect
- def send_activation(request):
- form = ResendActivationForm(request.data)
- if form.is_valid():
- requesting_user = form.user_cache
- mail_subject = _("Activate %(user)s account on %(forum_name)s forums")
- subject_formats = {
- 'user': requesting_user.username,
- 'forum_name': settings.forum_name,
- }
- mail_subject = mail_subject % subject_formats
- mail_user(request, requesting_user, mail_subject,
- 'misago/emails/activation/by_user',
- {'activation_token': make_activation_token(requesting_user)})
- return Response({
- 'username': form.user_cache.username,
- 'email': form.user_cache.email
- })
- else:
- return Response(form.get_errors_dict(),
- status=status.HTTP_400_BAD_REQUEST)
- """
- POST /auth/send-password-form/ with CSRF token and email
- will mail change password form link to requester
- """
- @api_view(['POST'])
- @permission_classes((UnbannedOnly,))
- @csrf_protect
- def send_password_form(request):
- form = ResetPasswordForm(request.data)
- if form.is_valid():
- requesting_user = form.user_cache
- mail_subject = _("Change %(user)s password on %(forum_name)s forums")
- subject_formats = {
- 'user': requesting_user.username,
- 'forum_name': settings.forum_name,
- }
- mail_subject = mail_subject % subject_formats
- confirmation_token = make_password_change_token(requesting_user)
- mail_user(request, requesting_user, mail_subject,
- 'misago/emails/change_password_form_link',
- {'confirmation_token': confirmation_token})
- return Response({
- 'username': form.user_cache.username,
- 'email': form.user_cache.email
- })
- else:
- return Response(form.get_errors_dict(),
- status=status.HTTP_400_BAD_REQUEST)
- """
- POST /auth/change-password/user/token/ with CSRF and new password
- will change forgotten password
- """
- class PasswordChangeFailed(Exception):
- pass
- @api_view(['POST'])
- @permission_classes((UnbannedOnly,))
- @csrf_protect
- def change_forgotten_password(request, pk, token):
- User = auth.get_user_model()
- invalid_message = _("Form link is invalid. Please try again.")
- expired_message = _("Your link has expired. Please request new one.")
- try:
- try:
- user = User.objects.get(pk=pk, is_active=True)
- except User.DoesNotExist:
- raise PasswordChangeFailed(invalid_message)
- if request.user.is_authenticated() and request.user.id != user.id:
- raise PasswordChangeFailed(invalid_message)
- if not is_password_change_token_valid(user, token):
- raise PasswordChangeFailed(invalid_message)
- if user.requires_activation:
- raise PasswordChangeFailed(expired_message)
- if get_user_ban(user):
- raise PasswordChangeFailed(expired_message)
- except PasswordChangeFailed as e:
- return Response({
- 'detail': e.args[0]
- }, status=status.HTTP_400_BAD_REQUEST)
- try:
- new_password = request.data.get('password', '').strip()
- validate_password(new_password)
- user.set_password(new_password)
- user.save()
- except ValidationError as e:
- return Response({
- 'detail': e.messages[0]
- }, status=status.HTTP_400_BAD_REQUEST)
- return Response({
- 'username': user.username
- })
|
