views: ask for new passord on unlink only if logged using FC (#24835)

2018-06-29 16:33:16 +02:00 · 2018-06-29 16:33:16 +02:00 · a57a98cb5e
parent f4fce3490f
commit a57a98cb5e
1 changed files with 11 additions and 6 deletions
--- a/src/authentic2_auth_fc/views.py
+++ b/src/authentic2_auth_fc/views.py
@ -478,30 +478,35 @@ class UnlinkView(LoggerMixin, FormView):

    def get_form_class(self):
        form_class = Form
-        if not self.request.user.has_usable_password():
+        if self.must_set_password():
            form_class = SET_PASSWORD_FORM_CLASS
        return form_class

    def get_form_kwargs(self, **kwargs):
        kwargs = super(UnlinkView, self).get_form_kwargs(**kwargs)
-        if not self.request.user.has_usable_password():
+        if self.must_set_password():
            kwargs['user'] = self.request.user
        return kwargs

+    def must_set_password(self):
+        for event in self.request.session.get(constants.AUTHENTICATION_EVENTS_SESSION_KEY, []):
+            if event['how'].startswith('password'):
+                return False
+        return True
+
    def dispatch(self, request, *args, **kwargs):
        if not request.user.is_authenticated():
            raise PermissionDenied()
        # We prevent unlinking if the user has no usable password and can't change it
        # because we assume that the password is the unique other mean of authentication
        # and unlinking would make the account unreachable.
-        if not request.user.has_usable_password() and not \
-                a2_app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD:
+        if self.must_set_password() and not a2_app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD:
            # Prevent access to the view.
            raise Http404
        return super(UnlinkView, self).dispatch(request, *args, **kwargs)

    def form_valid(self, form):
-        if not self.request.user.has_usable_password():
+        if self.must_set_password():
            form.save()
            self.logger.info(u'user %s has set a password', self.request.user)
        links = models.FcAccount.objects.filter(user=self.request.user)
@ -514,7 +519,7 @@ class UnlinkView(LoggerMixin, FormView):

    def get_context_data(self, **kwargs):
        context = super(UnlinkView, self).get_context_data(**kwargs)
-        if not self.request.user.has_usable_password():
+        if self.must_set_password():
            context['no_password'] = True
        return context