Prevent unlinking if the user has no password and can't set it (fixes #10775).
Unlinking is now prevented if the user has no usable password and can't change it because A2_REGISTRATION_CAN_CHANGE_PASSWORD is False. For now it is thus assumed that the password is the only other means of authentication and that unlinking would make the account unreachable. Also use the A2_REGISTRATION_SET_PASSWORD_FORM_CLASS setting instead of importing the form.
parent
922d075236
commit
121e62a9e8
@ -10,7 +10,7 @@ from requests_oauthlib import OAuth2Session
|
|||
|
||||
from django.views.generic import TemplateView, View, FormView
|
||||
from django.views.generic.detail import SingleObjectMixin
|
||||
from django.http import HttpResponse, HttpResponseRedirect
|
||||
from django.http import HttpResponse, HttpResponseRedirect, Http404
|
||||
from django.contrib.auth import authenticate, login as auth_login, \
|
||||
REDIRECT_FIELD_NAME
|
||||
from django.contrib.auth.decorators import user_passes_test
|
||||
|
@ -25,12 +25,16 @@ from django.core.exceptions import PermissionDenied
|
|||
from django.core.urlresolvers import reverse
|
||||
from django.forms import Form
|
||||
|
||||
from authentic2 import app_settings as a2_app_settings
|
||||
from authentic2 import utils as a2_utils
|
||||
from authentic2.registration_backend import forms as registration_forms
|
||||
|
||||
from . import app_settings, models, utils
|
||||
|
||||
|
||||
SET_PASSWORD_FORM_CLASS = a2_utils.import_module_or_class(
|
||||
a2_app_settings.A2_REGISTRATION_SET_PASSWORD_FORM_CLASS)
|
||||
|
||||
|
||||
def user_has_fcaccount(user):
|
||||
'''Return True if user a link to FC'''
|
||||
try:
|
||||
|
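Review bot: `SET_PASSWORD_FORM_CLASS` is resolved once, at import time of this views module, so a value of `A2_REGISTRATION_SET_PASSWORD_FORM_CLASS` that is changed afterwards (for example with `override_settings` in tests) is not seen, and a misconfigured dotted path breaks import of every view in the module rather than just the unlink view — assuming `import_module_or_class` raises on a bad path, which cannot be confirmed from this page. The same applies to the `get_form_class` hunk below, which is the natural place to resolve it lazily: `form_class = a2_utils.import_module_or_class(a2_app_settings.A2_REGISTRATION_SET_PASSWORD_FORM_CLASS)` in place of the module constant. A short comment on the constant, `# Resolved at import time; change the setting before this module is loaded.`, would at least make the current behaviour explicit. The `user_has_fcaccount` function continues outside the hunk.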
@ -361,7 +365,7 @@ class UnlinkView(LoggerMixin, SingleObjectMixin, FormView):
|
|||
def get_form_class(self):
|
||||
form_class = Form
|
||||
if not self.fc_account.user.has_usable_password():
|
||||
form_class = registration_forms.SetPasswordForm
|
||||
form_class = SET_PASSWORD_FORM_CLASS
|
||||
return form_class
|
||||
|
||||
def get_form_kwargs(self, **kwargs):
|
||||
|
@ -371,6 +375,13 @@ class UnlinkView(LoggerMixin, SingleObjectMixin, FormView):
|
|||
return kwargs
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
# We prevent unlinking if the user has no usable password and can't change it
|
||||
# because we assume that the password is the unique other mean of authentication
|
||||
# and unlinking would make the account unreachable.
|
||||
if not request.user.has_usable_password() and not \
|
||||
a2_app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD:
|
||||
# Prevent access to the view.
|
||||
raise Http404
|
||||
self.fc_account = self.object = self.get_object()
|
||||
self.check_access(self.fc_account)
|
||||
return super(UnlinkView, self).dispatch(request, *args, **kwargs)
|
||||
|
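Review bot: The new guard in `dispatch` calls `request.user.has_usable_password()` before any authentication check visible in this hunk, so for an unauthenticated request it runs on `AnonymousUser`; in older Django versions that class does not define `has_usable_password`, which would turn the intended 404 into an `AttributeError`. If the view is not wrapped by a login requirement elsewhere, test `request.user.is_authenticated()` first, e.g. `if request.user.is_authenticated() and not request.user.has_usable_password() and not a2_app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD:` (or rely on `check_access` by moving the guard after `get_object()`, if that method already rejects anonymous users). The comment also hard-codes the assumption that the password is the only other way in; where another authentication backend is configured this blocks an unlink that would be safe, so the comment should say so, e.g. `# Assumes no other authentication backend is usable for this user; revisit if one is added.`. Note too that `get_form_class` above tests `self.fc_account.user` while this guard tests `request.user` — fine as long as `check_access` guarantees they are the same user, which is not visible here.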
|