Prevent unlinking if the user has no password and can't set it (fixes #10775).

Unlinking is now prevented if the user has no usable password and can't
    change it because A2_REGISTRATION_CAN_CHANGE_PASSWORD is False.
    For now it is thus assumed that the password is the only other means of
    authentication and that unlinking would make the account unreachable.

    Also use A2_REGISTRATION_SET_PASSWORD_FORM_CLASS setting instead of
    importing the form.
This commit is contained in:
Mikaël Ates 2016-04-29 10:13:20 +02:00
parent 922d075236
commit 121e62a9e8
1 changed files with 14 additions and 3 deletions


@ -10,7 +10,7 @@ from requests_oauthlib import OAuth2Session
from django.views.generic import TemplateView, View, FormView
from django.views.generic.detail import SingleObjectMixin
from django.http import HttpResponse, HttpResponseRedirect
from django.http import HttpResponse, HttpResponseRedirect, Http404
from django.contrib.auth import authenticate, login as auth_login, \
REDIRECT_FIELD_NAME
from django.contrib.auth.decorators import user_passes_test
@ -25,12 +25,16 @@ from django.core.exceptions import PermissionDenied
from django.core.urlresolvers import reverse
from django.forms import Form
from authentic2 import app_settings as a2_app_settings
from authentic2 import utils as a2_utils
from authentic2.registration_backend import forms as registration_forms
from . import app_settings, models, utils
SET_PASSWORD_FORM_CLASS = a2_utils.import_module_or_class(
a2_app_settings.A2_REGISTRATION_SET_PASSWORD_FORM_CLASS)
def user_has_fcaccount(user):
'''Return True if user a link to FC'''
try:
@ -361,7 +365,7 @@ class UnlinkView(LoggerMixin, SingleObjectMixin, FormView):
def get_form_class(self):
form_class = Form
if not self.fc_account.user.has_usable_password():
form_class = registration_forms.SetPasswordForm
form_class = SET_PASSWORD_FORM_CLASS
return form_class
def get_form_kwargs(self, **kwargs):
@ -371,6 +375,13 @@ class UnlinkView(LoggerMixin, SingleObjectMixin, FormView):
return kwargs
def dispatch(self, request, *args, **kwargs):
# We prevent unlinking if the user has no usable password and can't change it
# because we assume that the password is the unique other mean of authentication
# and unlinking would make the account unreachable.
if not request.user.has_usable_password() and not \
a2_app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD:
# Prevent access to the view.
raise Http404
self.fc_account = self.object = self.get_object()
self.check_access(self.fc_account)
return super(UnlinkView, self).dispatch(request, *args, **kwargs)
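Review bot: The new guard at the top of `dispatch` tests `request.user`, while `get_form_class` in the preceding hunk decides the form from `self.fc_account.user`, so the two halves of the view can disagree about whose password is being checked; the guard also runs before `self.check_access(self.fc_account)`, i.e. before ownership of the account being unlinked has been verified. Unless an outer decorator already guarantees an authenticated user (not visible here), `request.user` may be an `AnonymousUser`, and I am not certain that class exposes `has_usable_password()` in the Django version in use. Consider loading the object and calling `check_access` first, then gating on the account's own user with `if not self.fc_account.user.has_usable_password() and not \` / `a2_app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD:` / `raise Http404`, which keeps the condition aligned with `get_form_class`. Separately, `SET_PASSWORD_FORM_CLASS` is resolved once at import time in the second hunk, so changing `A2_REGISTRATION_SET_PASSWORD_FORM_CLASS` after the module is loaded (e.g. via test setting overrides) has no effect; resolving it inside `get_form_class` would keep it live.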