disable password change for LDAP backend without user_can_change_password (fixes #20731)
This commit is contained in:
parent
6aaa191217
commit
93b2cf189d
|
@ -182,7 +182,7 @@ class LDAPUser(get_user_model()):
|
|||
self.set_unusable_password()
|
||||
|
||||
def has_usable_password(self):
|
||||
return self.block['user_can_change_password']
|
||||
return True
|
||||
|
||||
def get_connection(self):
|
||||
ldap_password = self.get_password_in_session()
|
||||
|
@ -210,6 +210,9 @@ class LDAPUser(get_user_model()):
|
|||
def can_reset_password(self):
|
||||
return self.block['can_reset_password']
|
||||
|
||||
def can_change_password(self):
|
||||
return app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD and self.block['user_can_change_password']
|
||||
|
||||
|
||||
class LDAPBackend(object):
|
||||
_DEFAULTS = {
|
||||
|
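Review bot: `LDAPUser.can_change_password` returns the raw result of `app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD and self.block['user_can_change_password']`, so whatever value sits in the block (the LDAP configuration dict) leaks out to the view and template context instead of a strict boolean; `return bool(app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD and self.block['user_can_change_password'])` keeps the return type predictable. The `self.block[...]` lookup also assumes `user_can_change_password` is always present in the block; this presumably comes from `LDAPBackend._DEFAULTS` just below, which is worth confirming so a hand-written LDAP_AUTH_SETTINGS entry cannot raise KeyError here. A one-line docstring would help since this method now shadows the base `User.can_change_password`: `"""Whether this LDAP user may change their password: the global setting AND the per-backend user_can_change_password flag."""`.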
|
|
@ -252,3 +252,6 @@ class User(AbstractBaseUser, PermissionMixin):
|
|||
|
||||
def can_reset_password(self):
|
||||
return self.has_usable_password()
|
||||
|
||||
def can_change_password(self):
|
||||
return app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD
|
||||
|
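Review bot: The new `User.can_change_password` has no docstring, and since it is now the single authorization check called by the password change view and the profile template, and is overridden per backend, its contract should be explicit: `"""Return whether this user may change their password; the base rule is the A2_REGISTRATION_CAN_CHANGE_PASSWORD setting, backends (e.g. LDAP) may restrict further."""`. The neighbouring `can_reset_password` is unchanged context and delegates to `has_usable_password()`, so a reader may expect the same coupling here; the docstring makes clear that it is intentionally independent of the stored hash. The enclosing `User` class continues outside the hunk.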
|
|
@ -27,6 +27,9 @@ def password_change_view(request, *args, **kwargs):
|
|||
post_change_redirect = request.GET[REDIRECT_FIELD_NAME]
|
||||
elif post_change_redirect is None:
|
||||
post_change_redirect = reverse('account_management')
|
||||
if not request.user.can_change_password():
|
||||
messages.warning(request, _('Password change is forbidden'))
|
||||
return redirect(request, post_change_redirect)
|
||||
if 'cancel' in request.POST:
|
||||
return redirect(request, post_change_redirect)
|
||||
kwargs['post_change_redirect'] = post_change_redirect
|
||||
|
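Review bot: The new forbidden branch redirects to `post_change_redirect`, which a few lines earlier can come straight from `request.GET[REDIRECT_FIELD_NAME]`; the hunk shows no validation of that URL, so unless the project's `redirect` helper checks the host, this early return (like the existing cancel path) would send the user to an arbitrary external URL. Validating with `django.utils.http.is_safe_url(post_change_redirect, host=request.get_host())` before use, or confirming that `redirect` already does so, closes that gap. Separately, `request.user.can_change_password()` assumes an authenticated user: if `password_change_view` is not wrapped in `login_required` (its decorators are above the hunk and not visible), an `AnonymousUser` has no such method and this line raises AttributeError. The function body continues outside the hunk.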
|
|
@ -1,12 +1,12 @@
|
|||
{% load i18n %}
|
||||
|
||||
{% if can_change_password %}
|
||||
{% if user.can_change_password %}
|
||||
<h4>{% trans "Password" %}</h4>
|
||||
|
||||
<div>
|
||||
<p>
|
||||
<a href="{% url 'password_change' %}">
|
||||
{% if has_usable_password %}
|
||||
{% if user.has_usable_password %}
|
||||
{% trans "Change your password" %}
|
||||
{% else %}
|
||||
{% trans "Set your password" %}
|
||||
|
|
|
@ -507,7 +507,8 @@ class ProfileView(cbv.TemplateNamesMixin, TemplateView):
|
|||
'allow_account_deletion': app_settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT,
|
||||
'allow_profile_edit': EditProfile.can_edit_profile(),
|
||||
'allow_email_change': app_settings.A2_PROFILE_CAN_CHANGE_EMAIL,
|
||||
'allow_password_change': app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD,
|
||||
# TODO: deprecated should be removed when publik-base-theme is updated
|
||||
'allow_password_change': request.user.can_change_password(),
|
||||
'federation_management': federation_management,
|
||||
})
|
||||
hooks.call_hooks('modify_context_data', self, context_instance)
|
||||
|
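Review bot: The comment above the new `'allow_password_change'` entry reads as a fragment; `# TODO: deprecated, remove once publik-base-theme uses user.can_change_password directly` states what replaces it and when it can go, which is what the next maintainer needs. Keeping the key while the template already calls `user.can_change_password` is reasonable for backwards compatibility, but the two must stay in agreement, so computing it from `request.user.can_change_password()` here is the right choice. The enclosing `get_context_data` (or equivalent) method starts and ends outside the hunk.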
|
|
@ -528,3 +528,25 @@ def test_reset_password_ldap_user(slapd, settings, app, db):
|
|||
with pytest.raises(ldap.INVALID_CREDENTIALS):
|
||||
slapd.get_connection().bind_s(DN, PASS)
|
||||
assert not User.objects.get().has_usable_password()
|
||||
|
||||
|
||||
def test_user_cannot_change_password(slapd, settings, app, db):
|
||||
settings.LDAP_AUTH_SETTINGS = [{
|
||||
'url': [slapd.ldap_url],
|
||||
'binddn': slapd.root_bind_dn,
|
||||
'bindpw': slapd.root_bind_password,
|
||||
'basedn': 'o=orga',
|
||||
'use_tls': False,
|
||||
'user_can_change_password': False,
|
||||
}]
|
||||
User = get_user_model()
|
||||
assert User.objects.count() == 0
|
||||
# first login
|
||||
response = app.get('/login/')
|
||||
response.form['username'] = USERNAME
|
||||
response.form['password'] = PASS
|
||||
response = response.form.submit('login-password-submit').follow()
|
||||
response = response.click('Your account')
|
||||
assert 'Password' not in response
|
||||
response = app.get('/accounts/password/change/')
|
||||
assert response['Location'].endswith('/accounts/')
|
||||
|
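Review bot: The final assertion reads `response['Location']` without first asserting that the request was actually redirected, so a 200 response (the view letting the user through, i.e. the regression this test guards against) would fail with a KeyError rather than a clear assertion; add `assert response.status_code == 302` before it, and follow the redirect to check the warning is rendered with `assert 'Password change is forbidden' in response.follow()`. `assert 'Password' not in response` is also broader than the behaviour under test, since the word can appear elsewhere on the account page; asserting that neither `'Change your password'` nor `'Set your password'` is present matches the template text the commit changes. A companion test with `'user_can_change_password': True` would pin the positive path, unless it is already covered elsewhere in this module.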
|