From 1c5c1fe94d7c4d54868f12b0c5eeffb6da11d0cf Mon Sep 17 00:00:00 2001 From: Ludovic Stephan Date: Sat, 7 Jan 2017 12:47:43 -0200 Subject: [PATCH 1/7] can change own password --- kfet/views.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kfet/views.py b/kfet/views.py index 7083d489..3f5def55 100644 --- a/kfet/views.py +++ b/kfet/views.py @@ -402,7 +402,8 @@ def account_update(request, trigramme): account_form.save(data = data) # Checking perm to update password - if (request.user.has_perm('kfet.change_account_password') + if ((request.user.has_perm('kfet.change_account_password') + or request.user = account.user) and pwd_form.is_valid()): pwd = pwd_form.cleaned_data['pwd1'] pwd_sha256 = hashlib.sha256(pwd.encode('utf-8')).hexdigest() From 2a20beeb5923b0b4ee2d0e4047bbb27ef2b77507 Mon Sep 17 00:00:00 2001 From: Ludovic Stephan Date: Sat, 7 Jan 2017 13:28:53 -0200 Subject: [PATCH 2/7] pep8 --- kfet/views.py | 119 ++++++++++++++++++++++++++++++-------------------- 1 file changed, 71 insertions(+), 48 deletions(-) diff --git a/kfet/views.py b/kfet/views.py index 3f5def55..d0319c7f 100644 --- a/kfet/views.py +++ b/kfet/views.py 
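Review bot: `or request.user = account.user` in the new condition is an assignment inside an expression, so this hunk does not parse; the comparison wanted is `or request.user == account.user`. Even with that fixed, the clause lets any logged-in owner of the account set a new `Account.password` with no proof of the current one and without `kfet.is_team`, which is wider than the `change_account_password` permission the original check enforced; later commits in this series rework this path, so the open design point is whether a self-service change should require the current password (Django's own PasswordChangeForm does). The enclosing account_update body starts and ends outside the hunk.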
@@ -1,45 +1,56 @@ # -*- coding: utf-8 -*- -from __future__ import (absolute_import, division, - print_function, unicode_literals) -from builtins import * - from django.shortcuts import render, get_object_or_404, redirect -from django.core.exceptions import PermissionDenied, ValidationError +from django.core.exceptions import PermissionDenied from django.core.cache import cache from django.views.generic import ListView, DetailView -from django.views.generic.edit import CreateView, UpdateView, DeleteView, FormView +from django.views.generic.edit import CreateView, UpdateView from django.core.urlresolvers import reverse_lazy from django.contrib import messages from django.contrib.messages.views import SuccessMessageMixin from django.contrib.auth import authenticate, login from django.contrib.auth.decorators import login_required, permission_required from django.contrib.auth.models import User, Permission, Group -from django.http import HttpResponse, JsonResponse, Http404 -from django.forms import modelformset_factory, formset_factory -from django.db import IntegrityError, transaction -from django.db.models import F, Sum, Prefetch, Count, Func +from django.http import JsonResponse, Http404 +from django.forms import formset_factory +from django.db import transaction +from django.db.models import F, Sum, Prefetch, Count from django.db.models.functions import Coalesce from django.utils import timezone from django.utils.crypto import get_random_string from gestioncof.models import CofProfile, Clipper from kfet.decorators import teamkfet_required -from kfet.models import (Account, Checkout, Article, Settings, AccountNegative, +from kfet.models import ( + Account, Checkout, Article, Settings, AccountNegative, CheckoutStatement, GenericTeamToken, Supplier, SupplierArticle, Inventory, - InventoryArticle, Order, OrderArticle) -from kfet.forms import * + InventoryArticle, Order, OrderArticle, Operation, OperationGroup, + TransferGroup, Transfer) +from kfet.forms import ( + 
AccountTriForm, AccountBalanceForm, AccountNoTriForm, UserForm, CofForm, + UserRestrictTeamForm, UserGroupForm, AccountForm, CofRestrictForm, + AccountPwdForm, AccountNegativeForm, UserRestrictForm, AccountRestrictForm, + GroupForm, CheckoutForm, CheckoutRestrictForm, CheckoutStatementCreateForm, + CheckoutStatementUpdateForm, ArticleForm, ArticleRestrictForm, + KPsulOperationGroupForm, KPsulAccountForm, KPsulCheckoutForm, + KPsulOperationFormSet, AddcostForm, FilterHistoryForm, SettingsForm, + TransferFormSet, InventoryArticleForm, OrderArticleForm, + OrderArticleToInventoryForm + ) from collections import defaultdict from kfet import consumers from datetime import timedelta +from decimal import Decimal import django_cas_ng import hashlib import heapq import statistics + @login_required def home(request): return render(request, "kfet/base.html") + @teamkfet_required def login_genericteam(request): # Check si besoin de déconnecter l'utilisateur de CAS @@ -345,6 +356,7 @@ def account_read(request, trigramme): # Account - Update + @login_required def account_update(request, trigramme): account = get_object_or_404(Account, trigramme=trigramme) 
@@ -355,39 +367,43 @@ def account_update(request, trigramme): raise PermissionDenied if request.user.has_perm('kfet.is_team'): - user_form = UserRestrictTeamForm(instance=account.user) - group_form = UserGroupForm(instance=account.user) + user_form = UserRestrictTeamForm(instance=account.user) + group_form = UserGroupForm(instance=account.user) account_form = AccountForm(instance=account) - cof_form = CofRestrictForm(instance=account.cofprofile) - pwd_form = AccountPwdForm() + cof_form = CofRestrictForm(instance=account.cofprofile) + pwd_form = AccountPwdForm() if account.balance < 0 and not hasattr(account, 'negative'): - AccountNegative.objects.create(account=account, start=timezone.now()) + AccountNegative.objects.create(account=account, + start=timezone.now()) account.refresh_from_db() if hasattr(account, 'negative'): negative_form = AccountNegativeForm(instance=account.negative) else: negative_form = None else: - user_form = UserRestrictForm(instance=account.user) + user_form = UserRestrictForm(instance=account.user) account_form = AccountRestrictForm(instance=account) - cof_form = None - group_form = None + cof_form = None + group_form = None negative_form = None - pwd_form = None + pwd_form = None if request.method == "POST": # Update attempt - success = False + success = False missing_perm = True if request.user.has_perm('kfet.is_team'): account_form = AccountForm(request.POST, instance=account) - cof_form = CofRestrictForm(request.POST, instance=account.cofprofile) - user_form = UserRestrictTeamForm(request.POST, instance=account.user) - group_form = UserGroupForm(request.POST, instance=account.user) - pwd_form = AccountPwdForm(request.POST) + cof_form = CofRestrictForm(request.POST, + instance=account.cofprofile) + user_form = UserRestrictTeamForm(request.POST, + instance=account.user) + group_form = UserGroupForm(request.POST, instance=account.user) + pwd_form = AccountPwdForm(request.POST) if hasattr(account, 'negative'): - negative_form = 
AccountNegativeForm(request.POST, instance=account.negative) + negative_form = AccountNegativeForm(request.POST, + instance=account.negative) if (request.user.has_perm('kfet.change_account') and account_form.is_valid() and cof_form.is_valid() @@ -399,16 +415,16 @@ def account_update(request, trigramme): put_cleaned_data_in_dict(data, cof_form) # Updating - account_form.save(data = data) + account_form.save(data=data) # Checking perm to update password - if ((request.user.has_perm('kfet.change_account_password') - or request.user = account.user) + if (request.user.has_perm('kfet.change_account_password') and pwd_form.is_valid()): pwd = pwd_form.cleaned_data['pwd1'] - pwd_sha256 = hashlib.sha256(pwd.encode('utf-8')).hexdigest() + pwd_sha256 = hashlib.sha256(pwd.encode('utf-8'))\ + .hexdigest() Account.objects.filter(pk=account.pk).update( - password = pwd_sha256) + password=pwd_sha256) messages.success(request, 'Mot de passe mis à jour') # Checking perm to manage perms 
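Review bot: This hunk, inside a commit labelled pep8, silently drops the `or request.user == account.user` clause added by the previous commit and restores the `change_account_password`-only check; a behavioural revert should not ride in a formatting commit, or the message should at least say so. The line it reflows, `hashlib.sha256(pwd.encode('utf-8')).hexdigest()`, stores an unsalted single-round SHA-256 of a user-chosen password, which is cheap to crack offline if the table leaks; `from django.contrib.auth.hashers import make_password, check_password` gives a salted PBKDF2 drop-in, provided the code that verifies `Account.password` (not in this diff) is switched to `check_password` alongside. The enclosing account_update body starts and ends outside the hunk.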
@@ -422,21 +438,26 @@ def account_update(request, trigramme): if account.negative.balance_offset: balance_offset_old = account.negative.balance_offset if (hasattr(account, 'negative') - and request.user.has_perm('kfet.change_accountnegative') + and request.user.has_perm('kfet.change_accountnegative') and negative_form.is_valid()): - balance_offset_new = negative_form.cleaned_data['balance_offset'] + balance_offset_new = \ + negative_form.cleaned_data['balance_offset'] if not balance_offset_new: balance_offset_new = 0 - balance_offset_diff = balance_offset_new - balance_offset_old + balance_offset_diff = (balance_offset_new + - balance_offset_old) Account.objects.filter(pk=account.pk).update( - balance = F('balance') + balance_offset_diff) + balance=F('balance') + balance_offset_diff) negative_form.save() - if not balance_offset_new and Account.objects.get(pk=account.pk).balance >= 0: + if Account.objects.get(pk=account.pk).balance >= 0 \ + and not balance_offset_new: AccountNegative.objects.get(account=account).delete() success = True - messages.success(request, - 'Informations du compte %s mises à jour' % account.trigramme) + messages.success( + request, + 'Informations du compte %s mises à jour' + % account.trigramme) if request.user == account.user: missing_perm = False 
@@ -448,23 +469,25 @@ def account_update(request, trigramme): user_form.save() account_form.save() success = True - messages.success(request, 'Vos informations ont été mises à jour') + messages.success(request, + 'Vos informations ont été mises à jour') if missing_perm: messages.error(request, 'Permission refusée') if success: return redirect('kfet.account.read', account.trigramme) else: - messages.error(request, 'Informations non mises à jour. Corrigez les erreurs') + messages.error( + request, 'Informations non mises à jour. Corrigez les erreurs') return render(request, "kfet/account_update.html", { - 'account' : account, - 'account_form' : account_form, - 'cof_form' : cof_form, - 'user_form' : user_form, - 'group_form' : group_form, + 'account': account, + 'account_form': account_form, + 'cof_form': cof_form, + 'user_form': user_form, + 'group_form': group_form, 'negative_form': negative_form, - 'pwd_form' : pwd_form, + 'pwd_form': pwd_form, }) @permission_required('kfet.manage_perms') From fcf76b4af87794ddf33f07d5e65be45604761cf5 Mon Sep 17 00:00:00 2001 From: Ludovic Stephan Date: Sat, 7 Jan 2017 13:32:05 -0200 Subject: [PATCH 3/7] can change own password (actually working now) --- kfet/views.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/kfet/views.py b/kfet/views.py index d0319c7f..c0f90034 100644 --- a/kfet/views.py +++ b/kfet/views.py @@ -464,6 +464,7 @@ def account_update(request, trigramme): account.refresh_from_db() user_form = UserRestrictForm(request.POST, instance=account.user) account_form = AccountRestrictForm(request.POST, instance=account) + pwd_form = AccountPwdForm(request.POST) if user_form.is_valid() and account_form.is_valid(): user_form.save() 
@@ -472,6 +473,15 @@ def account_update(request, trigramme): messages.success(request, 'Vos informations ont été mises à jour') + if pwd_form.is_valid(): + pwd = pwd_form.cleaned_data['pwd1'] + pwd_sha256 = hashlib.sha256(pwd.encode('utf-8'))\ + .hexdigest() + Account.objects.filter(pk=account.pk).update( + password=pwd_sha256) + messages.success( + request, 'Votre mot de passe a été mis à jour') + if missing_perm: messages.error(request, 'Permission refusée') if success: From 7dc7d57a5eabf8d9e1ba9c441afe824292e2c4a8 Mon Sep 17 00:00:00 2001 From: Ludovic Stephan Date: Sat, 7 Jan 2017 13:57:54 -0200 Subject: [PATCH 4/7] restrict to team even if malicious POST edit --- kfet/views.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kfet/views.py b/kfet/views.py index c0f90034..0a8771d7 100644 --- a/kfet/views.py +++ b/kfet/views.py @@ -473,7 +473,8 @@ def account_update(request, trigramme): messages.success(request, 'Vos informations ont été mises à jour') - if pwd_form.is_valid(): + if request.user.has_perm('kfet.is_team') \ + and pwd_form.is_valid(): pwd = pwd_form.cleaned_data['pwd1'] pwd_sha256 = hashlib.sha256(pwd.encode('utf-8'))\ .hexdigest() From 6315ddf6b8e3c048f1b62a78c08a80d56f856440 Mon Sep 17 00:00:00 2001 From: Ludovic Stephan Date: Tue, 10 Jan 2017 12:58:35 -0200 Subject: [PATCH 5/7] move pwd change to method Signed-off-by: Ludovic Stephan --- kfet/models.py | 7 +++++++ kfet/views.py | 11 +++-------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/kfet/models.py b/kfet/models.py index 419cd0a0..bf47356c 100644 --- a/kfet/models.py +++ b/kfet/models.py @@ -154,6 +154,7 @@ class Account(models.Model): # - Enregistre User, CofProfile à partir de "data" # - Enregistre Account def save(self, data = {}, *args, **kwargs): + if self.pk and data: # Account update 
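Review bot: The new `if pwd_form.is_valid():` block sits outside the `if user_form.is_valid() and account_form.is_valid():` branch, consults no permission, and never sets `success`, so a self-edit with an invalid profile form still rewrites the password and then reports `Informations non mises à jour` on the same page, and any logged-in owner can trigger it since neither `kfet.is_team` nor `change_account_password` is checked here. The following commit adds an `is_team` guard; what remains is whether a password write should also depend on the other forms validating, e.g. by moving the block inside that branch or setting `success = True` when it runs. The enclosing account_update body starts and ends outside the hunk.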
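Review bot: The added guard checks `kfet.is_team` but not `kfet.change_account_password`, so a team member editing their own account bypasses the specific permission the team branch enforces for everyone else; if that is intended, record it with a comment such as `# team members may reset their own Account.password without change_account_password`, otherwise also test `request.user.has_perm('kfet.change_account_password')` here. The condition is split with a backslash while the sibling check in the team branch wraps in parentheses; `if (request.user.has_perm('kfet.is_team') and pwd_form.is_valid()):` keeps the file consistent. Nothing on this path asks for the current password before replacing it, so a hijacked session can lock the owner out silently. The enclosing account_update body starts and ends outside the hunk.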
@@ -200,6 +201,12 @@ class Account(models.Model): self.cofprofile = cof super(Account, self).save(*args, **kwargs) + def change_pwd(self, pwd): + pwd_sha256 = hashlib.sha256(pwd.encode('utf-8'))\ + .hexdigest() + self.password = pwd_sha256 + self.save() + # Surcharge de delete # Pas de suppression possible # Cas à régler plus tard diff --git a/kfet/views.py b/kfet/views.py index 0a8771d7..0f706085 100644 --- a/kfet/views.py +++ b/kfet/views.py @@ -421,10 +421,7 @@ def account_update(request, trigramme): if (request.user.has_perm('kfet.change_account_password') and pwd_form.is_valid()): pwd = pwd_form.cleaned_data['pwd1'] - pwd_sha256 = hashlib.sha256(pwd.encode('utf-8'))\ - .hexdigest() - Account.objects.filter(pk=account.pk).update( - password=pwd_sha256) + account.change_pwd(pwd) messages.success(request, 'Mot de passe mis à jour') # Checking perm to manage perms @@ -459,6 +456,7 @@ def account_update(request, trigramme): 'Informations du compte %s mises à jour' % account.trigramme) + # Modification de ses propres informations if request.user == account.user: missing_perm = False account.refresh_from_db() @@ -476,10 +474,7 @@ def account_update(request, trigramme): if request.user.has_perm('kfet.is_team') \ and pwd_form.is_valid(): pwd = pwd_form.cleaned_data['pwd1'] - pwd_sha256 = hashlib.sha256(pwd.encode('utf-8'))\ - .hexdigest() - Account.objects.filter(pk=account.pk).update( - password=pwd_sha256) + account.change_pwd(pwd) messages.success( request, 'Votre mot de passe a été mis à jour') From fabd0949e2f08e2b36e2244133a0a63682448e11 Mon Sep 17 00:00:00 2001 From: Ludovic Stephan Date: Tue, 10 Jan 2017 15:15:53 -0200 Subject: [PATCH 6/7] correct imports Signed-off-by: Ludovic Stephan --- kfet/models.py | 1 + kfet/views.py | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/kfet/models.py b/kfet/models.py index bf47356c..80ee1441 100644 --- a/kfet/models.py +++ b/kfet/models.py 
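Review bot: `change_pwd` stores an unsalted, single-round SHA-256 of the password, so identical passwords hash identically across accounts and a leaked table can be attacked with precomputed or GPU dictionaries; `from django.contrib.auth.hashers import make_password, check_password` makes `self.password = make_password(pwd)` a one-line replacement, with the code that verifies `Account.password` (not in this diff) switched to `check_password` at the same time. If the hex-digest format must be kept for compatibility, state it in a docstring such as `"""Set Account.password to the unsalted hex SHA-256 of pwd; must match the verifier."""` so the next maintainer does not mistake it for a hashed-password API. `hashlib` is not imported in models.py at this commit (the following commit adds it), and `self.save()` goes through the overridden `save(data={}, ...)` and writes every column rather than just `password`; `self.save(update_fields=['password'])` is forwarded to the superclass and narrows the write. The enclosing class Account starts outside the hunk.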
@@ -18,6 +18,7 @@ from django.db.models import F from django.core.cache import cache from datetime import date, timedelta import re +import hashlib def choices_length(choices): return reduce(lambda m, choice: max(m, len(choice[0])), choices, 0) diff --git a/kfet/views.py b/kfet/views.py index 0f706085..52386ca9 100644 --- a/kfet/views.py +++ b/kfet/views.py @@ -41,7 +41,6 @@ from kfet import consumers from datetime import timedelta from decimal import Decimal import django_cas_ng -import hashlib import heapq import statistics From 46e9e82da8e0093b643eeeaff1319001a45ea6e9 Mon Sep 17 00:00:00 2001 From: Ludovic Stephan Date: Mon, 13 Feb 2017 12:19:47 -0200 Subject: [PATCH 7/7] move account save --- kfet/models.py | 1 - kfet/views.py | 6 ++++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/kfet/models.py b/kfet/models.py index 80ee1441..035d45f6 100644 --- a/kfet/models.py +++ b/kfet/models.py @@ -206,7 +206,6 @@ class Account(models.Model): pwd_sha256 = hashlib.sha256(pwd.encode('utf-8'))\ .hexdigest() self.password = pwd_sha256 - self.save() # Surcharge de delete # Pas de suppression possible diff --git a/kfet/views.py b/kfet/views.py index 52386ca9..44d2a991 100644 --- a/kfet/views.py +++ b/kfet/views.py @@ -396,12 +396,12 @@ def account_update(request, trigramme): account_form = AccountForm(request.POST, instance=account) cof_form = CofRestrictForm(request.POST, instance=account.cofprofile) - user_form = UserRestrictTeamForm(request.POST, + user_form = UserRestrictTeamForm(request.POST, instance=account.user) group_form = UserGroupForm(request.POST, instance=account.user) pwd_form = AccountPwdForm(request.POST) if hasattr(account, 'negative'): - negative_form = AccountNegativeForm(request.POST, + negative_form = AccountNegativeForm(request.POST, instance=account.negative) if (request.user.has_perm('kfet.change_account') 
@@ -421,6 +421,7 @@ def account_update(request, trigramme): and pwd_form.is_valid()): pwd = pwd_form.cleaned_data['pwd1'] account.change_pwd(pwd) + account.save() messages.success(request, 'Mot de passe mis à jour') # Checking perm to manage perms @@ -474,6 +475,7 @@ def account_update(request, trigramme): and pwd_form.is_valid(): pwd = pwd_form.cleaned_data['pwd1'] account.change_pwd(pwd) + account.save() messages.success( request, 'Votre mot de passe a été mis à jour')
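Review bot: `account.save()` after `change_pwd` persists the whole row where the earlier `.update(password=...)` touched one column; `account` was loaded at the top of the view, so this is a second full-row write in the same request and any change to `balance` made by another request in between is overwritten with the stale in-memory value (this same view later adjusts `balance` with an `F()` expression precisely to avoid that). `account.save(update_fields=['password'])` keeps the narrow write, and `Account.save` forwards `*args, **kwargs` to the superclass so it passes through. A mutator named `change_pwd` that no longer persists is easy to misuse; Django's `User.set_password` has the same contract, and the name `set_password` plus a docstring saying the caller must save would make it explicit. The enclosing account_update body starts and ends outside the hunk.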
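Review bot: The team branch and this self-edit branch are sequential `if`s, not `if`/`elif`, so a team member with `change_account_password` editing their own account runs both password blocks: the password is hashed and saved twice and two success messages are queued. A flag set in the team branch, e.g. `pwd_changed = True`, tested here as `and not pwd_changed`, or a single helper called from both places would remove the duplicate write and the duplicated five lines. The enclosing account_update body starts and ends outside the hunk.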