Enable password validation on all the views and API endpoints that change password.

2017-01-14 17:13:03 -04:00
parent da27edf981
commit 6d54ecc10a
5 changed files with 25 additions and 1 deletions
--- a/docs/releases/2.2.rst
+++ b/docs/releases/2.2.rst
@@ -39,6 +39,7 @@ on production install to debug errors live.
 using libtesseract. If libtesseract is not available the backend fallsback to
 calling the Tesseract executable.
 - Language list moved from document model to document form.
+- Enable password validation for the user password change view, user password change API endpoint, current user view and current user API endpoint.

 Removals
 --------
--- a/mayan/apps/appearance/templates/appearance/generic_form_instance.html
+++ b/mayan/apps/appearance/templates/appearance/generic_form_instance.html
@@ -78,7 +78,7 @@
                {% else %}
                    {% render_field field class+="form-control" %}
                {% endif %}
-                {% if field.help_text %}<p class="help-block">{{ field.help_text }}</p>{% endif %}
+                {% if field.help_text %}<p class="help-block">{{ field.help_text|safe }}</p>{% endif %}
            </div>
        {% endfor %}
 {% endif %}
--- a/mayan/apps/user_management/forms.py
+++ b/mayan/apps/user_management/forms.py
@@ -2,6 +2,7 @@ from __future__ import unicode_literals

 from django import forms
 from django.contrib.auth import get_user_model
+from django.contrib.auth.password_validation import validate_password
 from django.core.exceptions import ValidationError
 from django.utils.translation import ugettext_lazy as _

@@ -20,10 +21,17 @@ class PasswordForm(forms.Form):
        label=_('Confirm password'), widget=forms.PasswordInput()
    )

+    def __init__(self, *args, **kwargs):
+        self.user = kwargs.pop('user', None)
+        return super(PasswordForm, self).__init__(*args, **kwargs)
+
    def clean(self):
        password_1 = self.cleaned_data['new_password_1']
        password_2 = self.cleaned_data['new_password_2']
        if password_1 != password_2:
            raise ValidationError('Passwords do not match.')
+        else:
+            if self.user:
+                validate_password(password_2, self.user)

        return self.cleaned_data
--- a/mayan/apps/user_management/serializers.py
+++ b/mayan/apps/user_management/serializers.py
@@ -2,6 +2,7 @@ from __future__ import unicode_literals

 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group
+from django.contrib.auth.password_validation import validate_password

 from rest_framework import serializers

@@ -59,3 +60,9 @@ class UserSerializer(serializers.HyperlinkedModelSerializer):
        instance.save()

        return instance
+
+    def validate(self, data):
+        if 'password' in data:
+            validate_password(data['password'], self.instance)
+
+        return data
--- a/mayan/apps/user_management/views.py
+++ b/mayan/apps/user_management/views.py
@@ -277,6 +277,14 @@ class UserSetPasswordView(MultipleObjectFormActionView):

        return result

+    def get_form_extra_kwargs(self):
+        queryset = self.get_queryset()
+        result = {}
+        if queryset:
+            result['user'] = queryset.first()
+
+        return result
+
    def object_action(self, form, instance):
        try:
            if instance.is_superuser or instance.is_staff: