Implement change password

2020-12-04 23:07:19 +00:00 · 2020-12-04 23:07:19 +00:00 · 43aab057c8
parent bfcdd642fd
commit 43aab057c8
15 changed files with 88 additions and 53 deletions
--- a/app/blueprints/admin/admin.py
+++ b/app/blueprints/admin/admin.py
@ -177,7 +177,7 @@ class SwitchUserForm(FlaskForm):
@rank_required(UserRank.ADMIN)
 def switch_user():
 	form = SwitchUserForm(formdata=request.form)
-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		user = User.query.filter_by(username=form["username"].data).first()
 		if user is None:
 			flash("Unable to find user", "danger")
--- a/app/blueprints/admin/licenseseditor.py
+++ b/app/blueprints/admin/licenseseditor.py
@ -48,7 +48,7 @@ def create_edit_license(name=None):
 	form = LicenseForm(formdata=request.form, obj=license)
 	if request.method == "GET" and license is None:
 		form.is_foss.data = True
-	elif request.method == "POST" and form.validate():
+	elif form.validate_on_submit():
 		if license is None:
 			license = License(form.name.data)
 			db.session.add(license)
--- a/app/blueprints/admin/tagseditor.py
+++ b/app/blueprints/admin/tagseditor.py
@ -60,7 +60,7 @@ def create_edit_tag(name=None):
 		abort(403)

 	form = TagForm(formdata=request.form, obj=tag)
-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		if tag is None:
 			tag = Tag(form.title.data)
 			tag.description = form.description.data
--- a/app/blueprints/admin/versioneditor.py
+++ b/app/blueprints/admin/versioneditor.py
@ -46,7 +46,7 @@ def create_edit_version(name=None):
 			abort(404)

 	form = VersionForm(formdata=request.form, obj=version)
-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		if version is None:
 			version = MinetestRelease(form.name.data)
 			db.session.add(version)
--- a/app/blueprints/admin/warningseditor.py
+++ b/app/blueprints/admin/warningseditor.py
@ -47,7 +47,7 @@ def create_edit_warning(name=None):
 			abort(404)

 	form = WarningForm(formdata=request.form, obj=warning)
-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		if warning is None:
 			warning = ContentWarning(form.title.data, form.description.data)
 			db.session.add(warning)
--- a/app/blueprints/api/tokens.py
+++ b/app/blueprints/api/tokens.py
@ -80,7 +80,7 @@ def create_edit_token(username, id=None):
 	form = CreateAPIToken(formdata=request.form, obj=token)
 	form.package.query_factory = lambda: Package.query.filter_by(author=user).all()

-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		if is_new:
 			token = APIToken()
 			token.owner = user
--- a/app/blueprints/github/init.py
+++ b/app/blueprints/github/init.py
@ -191,7 +191,7 @@ def setup_webhook():
 				redirect_uri=abs_url_for("github.callback_webhook", pid=pid))

 	form = SetupWebhookForm(formdata=request.form)
-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		token = APIToken()
 		token.name = "GitHub Webhook for " + package.title
 		token.owner = current_user
--- a/app/blueprints/packages/packages.py
+++ b/app/blueprints/packages/packages.py
@ -286,7 +286,7 @@ def create_edit(author=None, name=None):
 	if request.method == "POST" and form.type.data == PackageType.TXP:
 		form.license.data = form.media_license.data

-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		wasNew = False
 		if not package:
 			package = Package.query.filter_by(name=form["name"].data, author_id=author.id).first()
@ -468,7 +468,7 @@ def edit_maintainers(package):
 	if request.method == "GET":
 		form.maintainers_str.data = ", ".join([ x.username for x in package.maintainers if x != package.author ])

-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		usernames = [x.strip().lower() for x in form.maintainers_str.data.split(",")]
 		users = User.query.filter(func.lower(User.username).in_(usernames)).all()

--- a/app/blueprints/packages/releases.py
+++ b/app/blueprints/packages/releases.py
@ -75,7 +75,7 @@ def create_release(package):
 		if request.method != "POST":
 			form["uploadOpt"].data = "vcs"

-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		if form["uploadOpt"].data == "vcs":
 			rel = PackageRelease()
 			rel.package = package
@ -169,7 +169,7 @@ def edit_release(package, id):
 		# HACK: fix bug in wtforms
 		form.approved.data = release.approved

-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		wasApproved = release.approved
 		if canEdit:
 			release.title = form["title"].data
@ -217,7 +217,7 @@ def bulk_change_release(package):

 	if request.method == "GET":
 		form.only_change_none.data = True
-	elif request.method == "POST" and form.validate():
+	elif form.validate_on_submit():
 		only_change_none = form.only_change_none.data

 		for release in package.releases.all():
--- a/app/blueprints/packages/reviews.py
+++ b/app/blueprints/packages/reviews.py
@ -59,7 +59,7 @@ def review(package):
 		form.comment.data = review.thread.replies[0].comment

 	# Validate and submit
-	elif request.method == "POST" and form.validate():
+	elif form.validate_on_submit():
 		was_new = False
 		if not review:
 			was_new = True
--- a/app/blueprints/packages/screenshots.py
+++ b/app/blueprints/packages/screenshots.py
@ -46,7 +46,7 @@ def create_screenshot(package):

 	# Initial form class from post data and default data
 	form = CreateScreenshotForm()
-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		uploadedUrl, uploadedPath = doFileUpload(form.fileUpload.data, "image",
 				"a PNG or JPG image file")
 		if uploadedUrl is not None:
@ -85,7 +85,7 @@ def edit_screenshot(package, id):
 		# HACK: fix bug in wtforms
 		form.approved.data = screenshot.approved

-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		if canEdit and form["delete"].data:
 			PackageScreenshot.query.filter_by(id=id).delete()

--- a/app/blueprints/threads/init.py
+++ b/app/blueprints/threads/init.py
@ -163,7 +163,7 @@ def edit_reply(id):
 		abort(403)

 	form = CommentForm(formdata=request.form, obj=reply)
-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		comment = form.comment.data

 		msg = "Edited reply by {}".format(reply.author.display_name)
@ -271,7 +271,7 @@ def new():
 		form.title.data   = request.args.get("title") or ""

 	# Validate and submit
-	elif request.method == "POST" and form.validate():
+	elif form.validate_on_submit():
 		thread = Thread()
 		thread.author  = current_user
 		thread.title   = form.title.data
--- a/app/blueprints/users/account.py
+++ b/app/blueprints/users/account.py
@ -68,6 +68,13 @@ def handle_login(form):

@bp.route("/user/login/", methods=["GET", "POST"])
 def login():
+	if current_user.is_authenticated:
+		next = request.args.get("next")
+		if next and not is_safe_url(next):
+			abort(400)
+
+		return redirect(next or url_for("homepage.home"))
+
 	form = LoginForm(request.form)
 	if form.validate_on_submit():
 		ret = handle_login(form)
@ -134,10 +141,61 @@ class SetPasswordForm(FlaskForm):
 	password2 = PasswordField("Verify password", [InputRequired(), Length(8, 100)])
 	submit = SubmitField("Save")

+class ChangePasswordForm(FlaskForm):
+	old_password = PasswordField("Old password", [InputRequired(), Length(8, 100)])
+	password = PasswordField("New password", [InputRequired(), Length(8, 100)])
+	password2 = PasswordField("Verify password", [InputRequired(), Length(8, 100)])
+	submit = SubmitField("Save")
+
+
+def handle_set_password(form):
+	one = form.password.data
+	two = form.password2.data
+	if one != two:
+		flash("Passwords do not much", "danger")
+		return
+
+	current_user.password = make_flask_login_password(form.password.data)
+	db.session.commit()
+
+	flash("Your password has been changed successfully.", "success")
+
+	if hasattr(form, "email"):
+		newEmail = form.email.data
+		if newEmail != current_user.email and newEmail.strip() != "":
+			token = randomString(32)
+
+			ver = UserEmailVerification()
+			ver.user = current_user
+			ver.token = token
+			ver.email = newEmail
+			db.session.add(ver)
+			db.session.commit()
+
+			task = sendVerifyEmail.delay(newEmail, token)
+			return redirect(
+					url_for("tasks.check", id=task.id, r=url_for("users.profile", username=current_user.username)))
+
+	return redirect(url_for("homepage.home"))
+
+
@bp.route("/user/change-password/", methods=["GET", "POST"])
@login_required
 def change_password():
-	return "change"
+	form = ChangePasswordForm(request.form)
+
+	if current_user.email is None:
+		form.email.validators = [InputRequired(), Email()]
+
+	if form.validate_on_submit():
+		if check_password_hash(current_user.password, form.old_password.data):
+			ret = handle_set_password(form)
+			if ret:
+				return ret
+		else:
+			flash("Old password is incorrect", "danger")
+
+	return render_template("users/change_set_password.html", form=form)


@bp.route("/user/set-password/", methods=["GET", "POST"])
@ -150,39 +208,12 @@ def set_password():
 	if current_user.email is None:
 		form.email.validators = [InputRequired(), Email()]

-	if request.method == "POST" and form.validate():
-		one = form.password.data
-		two = form.password2.data
-		if one == two:
-			# Hash password
-			hashed_password = make_flask_login_password(form.password.data)
+	if form.validate_on_submit():
+		ret = handle_set_password(form)
+		if ret:
+			return ret

-			# Change password
-			current_user.password = hashed_password
-			db.session.commit()
-
-			# Prepare one-time system message
-			flash('Your password has been changed successfully.', 'success')
-
-			newEmail = form["email"].data
-			if newEmail != current_user.email and newEmail.strip() != "":
-				token = randomString(32)
-
-				ver = UserEmailVerification()
-				ver.user = current_user
-				ver.token = token
-				ver.email = newEmail
-				db.session.add(ver)
-				db.session.commit()
-
-				task = sendVerifyEmail.delay(newEmail, token)
-				return redirect(url_for("tasks.check", id=task.id, r=url_for("users.profile", username=current_user.username)))
-			else:
-				return redirect(url_for("users.login"))
-		else:
-			flash("Passwords do not match", "danger")
-
-	return render_template("users/set_password.html", form=form, optional=request.args.get("optional"))
+	return render_template("users/change_set_password.html", form=form, optional=request.args.get("optional"))


@bp.route("/user/verify/")
--- a/app/blueprints/users/profile.py
+++ b/app/blueprints/users/profile.py
@ -93,7 +93,7 @@ def profile(username):

 			if user.checkPerm(current_user, Permission.CHANGE_EMAIL):
 				newEmail = form["email"].data
-				if newEmail != user.email and newEmail.strip() != "":
+				if newEmail and newEmail != user.email and newEmail.strip() != "":
 					token = randomString(32)

 					msg = "Changed email of {}".format(user.display_name)
--- a/app/templates/users/change_set_password.html
+++ b/app/templates/users/change_set_password.html
@ -21,8 +21,8 @@
 <form action="" method="POST" class="form" role="form">
 	{{ form.hidden_tag() }}

-	{% if not current_user.email %}
-		{{ render_field(form.email, tabindex=230) }}
+	{% if form.email and not current_user.email %}
+		{{ render_field(form.email, tabindex=220) }}

 		<p>
 			Your email is needed to recover your account if you forget your
@ -31,6 +31,10 @@
 		</p>
 	{% endif %}

+	{% if form.old_password %}
+		{{ render_field(form.old_password, tabindex=230) }}
+	{% endif %}
+
 	{{ render_field(form.password, tabindex=230) }}
 	{{ render_field(form.password2, tabindex=240) }}