From 6d54ecc10a00ded30eaceb54eceb864324e79253 Mon Sep 17 00:00:00 2001
From: Roberto Rosario
Date: Sat, 14 Jan 2017 17:13:03 -0400
Subject: [PATCH] Enable password validation on all the views and API endpoints that change password.
---
 docs/releases/2.2.rst | 1 +
 .../templates/appearance/generic_form_instance.html | 2 +-
 mayan/apps/user_management/forms.py | 8 ++++++++
 mayan/apps/user_management/serializers.py | 7 +++++++
 mayan/apps/user_management/views.py | 8 ++++++++
 5 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/docs/releases/2.2.rst b/docs/releases/2.2.rst
index 183e46e6b9..8eba231437 100644
--- a/docs/releases/2.2.rst
+++ b/docs/releases/2.2.rst
@@ -39,6 +39,7 @@ on production install to debug errors live.
   using libtesseract. If libtesseract is not available the backend fallsback
   to calling the Tesseract executable.
 - Language list moved from document model to document form.
+- Enable password validation for the user password change view, user password change API endpoint, current user view and current user API endpoint.
 
 Removals
 --------
diff --git a/mayan/apps/appearance/templates/appearance/generic_form_instance.html b/mayan/apps/appearance/templates/appearance/generic_form_instance.html
index ac6cf98582..a65b594acd 100644
--- a/mayan/apps/appearance/templates/appearance/generic_form_instance.html
+++ b/mayan/apps/appearance/templates/appearance/generic_form_instance.html
@@ -78,7 +78,7 @@
             {% else %}
                 {% render_field field class+="form-control" %}
             {% endif %}
-            {% if field.help_text %}

{{ field.help_text }}

{% endif %} + {% if field.help_text %}

{{ field.help_text|safe }}

{% endif %}
         {% endfor %}
     {% endif %}
diff --git a/mayan/apps/user_management/forms.py b/mayan/apps/user_management/forms.py
index 097d3a6a08..ffce7fd4af 100644
--- a/mayan/apps/user_management/forms.py
+++ b/mayan/apps/user_management/forms.py
@@ -2,6 +2,7 @@ from __future__ import unicode_literals
 
 from django import forms
 from django.contrib.auth import get_user_model
+from django.contrib.auth.password_validation import validate_password
 from django.core.exceptions import ValidationError
 from django.utils.translation import ugettext_lazy as _
 
@@ -20,10 +21,17 @@ class PasswordForm(forms.Form):
         label=_('Confirm password'), widget=forms.PasswordInput()
     )
 
+    def __init__(self, *args, **kwargs):
+        self.user = kwargs.pop('user', None)
+        return super(PasswordForm, self).__init__(*args, **kwargs)
+
     def clean(self):
         password_1 = self.cleaned_data['new_password_1']
         password_2 = self.cleaned_data['new_password_2']
 
         if password_1 != password_2:
             raise ValidationError('Passwords do not match.')
+        else:
+            if self.user:
+                validate_password(password_2, self.user)
         return self.cleaned_data
diff --git a/mayan/apps/user_management/serializers.py b/mayan/apps/user_management/serializers.py
index 2430629d35..0165b5e1f4 100644
--- a/mayan/apps/user_management/serializers.py
+++ b/mayan/apps/user_management/serializers.py
@@ -2,6 +2,7 @@ from __future__ import unicode_literals
 
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group
+from django.contrib.auth.password_validation import validate_password
 
 from rest_framework import serializers
 
@@ -59,3 +60,9 @@ class UserSerializer(serializers.HyperlinkedModelSerializer):
 
         instance.save()
         return instance
+
+    def validate(self, data):
+        if 'password' in data:
+            validate_password(data['password'], self.instance)
+
+        return data
diff --git a/mayan/apps/user_management/views.py b/mayan/apps/user_management/views.py
index 27128313fd..28eae4ff32 100644
--- a/mayan/apps/user_management/views.py
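Review bot: Piping every field's help_text through `|safe` on the changed line of generic_form_instance.html switches off autoescaping for all forms rendered by this shared template, not only for whatever form this commit wanted to render markup for (presumably password-validator help text, which is not wired up anywhere in this diff). Any form that ever builds help_text from data a user controls (a label, a document or tag name) would then be rendered as HTML. Prefer marking the trusted string at its source with `mark_safe()` or `format_html()` (Django's `password_validators_help_text_html()` already returns a safe string) and dropping the template-wide filter. If `|safe` must stay, add a comment beside it such as `{# help_text is rendered unescaped: never build it from user-supplied data #}` so the next maintainer sees the contract.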
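Review bot: The `if self.user:` guard inside the new `else:` branch of `PasswordForm.clean()` silently skips password validation whenever the form is built without a `user` kwarg, which is exactly the default the new `__init__` installs; Django's `validate_password()` accepts `user=None` (only the attribute-similarity validator needs one), so the guard drops the length, common-password and numeric checks for no gain. Replace the three added lines with an unconditional call after the mismatch check, i.e. `raise ValidationError('Passwords do not match.')` followed by `validate_password(password_2, self.user)`. The views.py hunk passes `queryset.first()`, so on a multi-user action presumably only the first user's attributes are compared; validating per instance in `object_action` would be tighter, if that matters for this view. The `return` in front of `super(PasswordForm, self).__init__(...)` always yields None and can be dropped. Pre-existing, but worth noting next to the new code: `self.cleaned_data['new_password_1']` raises `KeyError` when that field failed its own validation, so `self.cleaned_data.get('new_password_1')` would be safer.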
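Review bot: On create `self.instance` is None, so the `validate_password(data['password'], self.instance)` call in the new `UserSerializer.validate()` runs `UserAttributeSimilarityValidator` with nothing to compare against, and a new user's password may equal their own username or email. Build an unsaved model instance from the submitted fields when there is no instance, for example `user = self.instance or get_user_model()(**{k: data[k] for k in ('username', 'email', 'first_name', 'last_name') if k in data})` and pass `user` instead (which of those fields this serializer declares is outside the hunk, so trim the list accordingly). The Django `ValidationError` raised here is left for DRF's `run_validation` to translate, which reports it under `non_field_errors`; catching it and re-raising `serializers.ValidationError({'password': exc.messages})` would attach it to the field. The class begins outside the hunk.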
+++ b/mayan/apps/user_management/views.py
@@ -277,6 +277,14 @@ class UserSetPasswordView(MultipleObjectFormActionView):
         return result
 
+    def get_form_extra_kwargs(self):
+        queryset = self.get_queryset()
+        result = {}
+        if queryset:
+            result['user'] = queryset.first()
+
+        return result
+
     def object_action(self, form, instance):
         try:
             if instance.is_superuser or instance.is_staff: