SP/web2py/gluon/authapi.py

1058 lines
44 KiB
Python
Raw Permalink Normal View History

2018-10-25 15:33:07 +00:00
# -*- coding: utf-8 -*-
"""
| This file is part of the web2py Web Framework
| Copyrighted by Massimo Di Pierro <mdipierro@cs.depaul.edu>
| License: LGPLv3 (http://www.gnu.org/licenses/lgpl.html)
"""
from gluon._compat import long
from gluon import current
from gluon.storage import Messages, Settings, Storage
from gluon.utils import web2py_uuid
from gluon.validators import CRYPT, IS_EMAIL, IS_EQUAL_TO, IS_INT_IN_RANGE, IS_LOWER, IS_MATCH, IS_NOT_EMPTY, \
IS_NOT_IN_DB
from pydal.objects import Table, Field, Row
import datetime
from gluon.settings import global_settings
DEFAULT = lambda: None
class AuthAPI(object):
"""
AuthAPI is a barebones Auth implementation which does not have a concept of
HTML forms or redirects, emailing or even an URL, you are responsible for
all that if you use it.
The main Auth functions such as login, logout, register, profile are designed
in a Dict In -> Dict Out logic so, for instance, if you set
registration_requires_verification you are responsible for sending the key to
the user and even rolling back the transaction if you can't do it.
NOTES: * It does not support all the callbacks Traditional Auth does yet.
Some of the callbacks will not be supported.
Check the method signatures to find out which ones are supported.
* register_fields and profile_fields settings are ignored for now.
WARNING: No builtin CSRF protection whatsoever.
"""
default_settings = {
'create_user_groups': 'user_%(id)s',
'email_case_sensitive': False,
'everybody_group_id': None,
'expiration': 3600,
'keep_session_onlogin': True,
'keep_session_onlogout': False,
'logging_enabled': True,
'login_after_registration': False,
'login_email_validate': True,
'login_userfield': None,
'logout_onlogout': None,
'long_expiration': 3600 * 24 * 30,
'ondelete': 'CASCADE',
'password_field': 'password',
'password_min_length': 4,
'registration_requires_approval': False,
'registration_requires_verification': False,
'renew_session_onlogin': True,
'renew_session_onlogout': True,
'table_event_name': 'auth_event',
'table_group_name': 'auth_group',
'table_membership_name': 'auth_membership',
'table_permission_name': 'auth_permission',
'table_user_name': 'auth_user',
'use_username': False,
'username_case_sensitive': True
}
default_messages = {
'add_group_log': 'Group %(group_id)s created',
'add_membership_log': None,
'add_permission_log': None,
'change_password_log': 'User %(id)s Password changed',
'del_group_log': 'Group %(group_id)s deleted',
'del_membership_log': None,
'del_permission_log': None,
'email_taken': 'This email already has an account',
'group_description': 'Group uniquely assigned to user %(id)s',
'has_membership_log': None,
'has_permission_log': None,
'invalid_email': 'Invalid email',
'key_verified': 'Key verified',
'invalid_login': 'Invalid login',
'invalid_password': 'Invalid password',
'invalid_user': 'Invalid user',
'invalid_key': 'Invalid key',
'invalid_username': 'Invalid username',
'logged_in': 'Logged in',
'logged_out': 'Logged out',
'login_failed_log': None,
'login_log': 'User %(id)s Logged-in',
'logout_log': 'User %(id)s Logged-out',
'mismatched_password': "Password fields don't match",
'password_changed': 'Password changed',
'profile_log': 'User %(id)s Profile updated',
'profile_updated': 'Profile updated',
'register_log': 'User %(id)s Registered',
'registration_pending': 'Registration is pending approval',
'registration_successful': 'Registration successful',
'registration_verifying': 'Registration needs verification',
'username_taken': 'Username already taken',
'verify_log': 'User %(id)s verified registration key'
}
def __init__(self, db=None, hmac_key=None, signature=True):
self.db = db
session = current.session
auth = session.auth
self.user_groups = auth and auth.user_groups or {}
now = current.request.now
# if we have auth info
# if not expired it, used it
# if expired, clear the session
# else, only clear auth info in the session
if auth:
delta = datetime.timedelta(days=0, seconds=auth.expiration)
if auth.last_visit and auth.last_visit + delta > now:
self.user = auth.user
# this is a trick to speed up sessions to avoid many writes
if (now - auth.last_visit).seconds > (auth.expiration // 10):
auth.last_visit = now
else:
self.user = None
if session.auth:
del session.auth
session.renew(clear_session=True)
else:
self.user = None
if session.auth:
del session.auth
settings = self.settings = Settings(self.__class__.default_settings)
settings.update(
extra_fields={},
hmac_key=hmac_key,
)
settings.lock_keys = True
messages = self.messages = Messages(current.T)
messages.update(self.default_messages)
messages.lock_keys = True
if signature is True:
self.define_signature()
else:
self.signature = signature or None
def __validate(self, value, requires):
if not isinstance(requires, (list, tuple)):
requires = [requires]
for validator in requires:
(value, error) = validator(value)
if error:
return (value, error)
return (value, None)
def _get_migrate(self, tablename, migrate=True):
if type(migrate).__name__ == 'str':
return (migrate + tablename + '.table')
elif not migrate:
return False
else:
return True
def _get_user_id(self):
"""accessor for auth.user_id"""
return self.user and self.user.id or None
user_id = property(_get_user_id, doc="user.id or None")
def table_user(self):
return self.db[self.settings.table_user_name]
def table_group(self):
return self.db[self.settings.table_group_name]
def table_membership(self):
return self.db[self.settings.table_membership_name]
def table_permission(self):
return self.db[self.settings.table_permission_name]
def table_event(self):
return self.db[self.settings.table_event_name]
def define_signature(self):
db = self.db
settings = self.settings
request = current.request
T = current.T
reference_user = 'reference %s' % settings.table_user_name
def lazy_user(auth=self):
return auth.user_id
def represent(id, record=None, s=settings):
try:
user = s.table_user(id)
return '%s %s' % (user.get("first_name", user.get("email")),
user.get("last_name", ''))
except:
return id
ondelete = self.settings.ondelete
self.signature = Table(
self.db, 'auth_signature',
Field('is_active', 'boolean',
default=True,
readable=False, writable=False,
label=T('Is Active')),
Field('created_on', 'datetime',
default=request.now,
writable=False, readable=False,
label=T('Created On')),
Field('created_by',
reference_user,
default=lazy_user, represent=represent,
writable=False, readable=False,
label=T('Created By'), ondelete=ondelete),
Field('modified_on', 'datetime',
update=request.now, default=request.now,
writable=False, readable=False,
label=T('Modified On')),
Field('modified_by',
reference_user, represent=represent,
default=lazy_user, update=lazy_user,
writable=False, readable=False,
label=T('Modified By'), ondelete=ondelete))
def define_tables(self, username=None, signature=None, migrate=None,
fake_migrate=None):
"""
To be called unless tables are defined manually
Examples:
Use as::
# defines all needed tables and table files
# 'myprefix_auth_user.table', ...
auth.define_tables(migrate='myprefix_')
# defines all needed tables without migration/table files
auth.define_tables(migrate=False)
"""
db = self.db
if migrate is None:
migrate = db._migrate
if fake_migrate is None:
fake_migrate = db._fake_migrate
settings = self.settings
if username is None:
username = settings.use_username
else:
settings.use_username = username
if not self.signature:
self.define_signature()
if signature is True:
signature_list = [self.signature]
elif not signature:
signature_list = []
elif isinstance(signature, Table):
signature_list = [signature]
else:
signature_list = signature
self._table_signature_list = signature_list # Should it defined in __init__ first??
is_not_empty = IS_NOT_EMPTY(error_message=self.messages.is_empty)
is_crypted = CRYPT(key=settings.hmac_key,
min_length=settings.password_min_length)
is_unique_email = [
IS_EMAIL(error_message=self.messages.invalid_email),
IS_NOT_IN_DB(db, '%s.email' % settings.table_user_name,
error_message=self.messages.email_taken)]
if not settings.email_case_sensitive:
is_unique_email.insert(1, IS_LOWER())
if settings.table_user_name not in db.tables:
passfield = settings.password_field
extra_fields = settings.extra_fields.get(
settings.table_user_name, []) + signature_list
# cas_provider Will always be None here but we compare it anyway so subclasses can use our define_tables
if username or settings.cas_provider:
is_unique_username = \
[IS_MATCH('[\w\.\-]+', strict=True,
error_message=self.messages.invalid_username),
IS_NOT_IN_DB(db, '%s.username' % settings.table_user_name,
error_message=self.messages.username_taken)]
if not settings.username_case_sensitive:
is_unique_username.insert(1, IS_LOWER())
db.define_table(
settings.table_user_name,
Field('first_name', length=128, default='',
label=self.messages.label_first_name,
requires=is_not_empty),
Field('last_name', length=128, default='',
label=self.messages.label_last_name,
requires=is_not_empty),
Field('email', length=512, default='',
label=self.messages.label_email,
requires=is_unique_email),
Field('username', length=128, default='',
label=self.messages.label_username,
requires=is_unique_username),
Field(passfield, 'password', length=512,
readable=False, label=self.messages.label_password,
requires=[is_crypted]),
Field('registration_key', length=512,
writable=False, readable=False, default='',
label=self.messages.label_registration_key),
Field('reset_password_key', length=512,
writable=False, readable=False, default='',
label=self.messages.label_reset_password_key),
Field('registration_id', length=512,
writable=False, readable=False, default='',
label=self.messages.label_registration_id),
*extra_fields,
**dict(
migrate=self._get_migrate(settings.table_user_name,
migrate),
fake_migrate=fake_migrate,
format='%(username)s'))
else:
db.define_table(
settings.table_user_name,
Field('first_name', length=128, default='',
label=self.messages.label_first_name,
requires=is_not_empty),
Field('last_name', length=128, default='',
label=self.messages.label_last_name,
requires=is_not_empty),
Field('email', length=512, default='',
label=self.messages.label_email,
requires=is_unique_email),
Field(passfield, 'password', length=512,
readable=False, label=self.messages.label_password,
requires=[is_crypted]),
Field('registration_key', length=512,
writable=False, readable=False, default='',
label=self.messages.label_registration_key),
Field('reset_password_key', length=512,
writable=False, readable=False, default='',
label=self.messages.label_reset_password_key),
Field('registration_id', length=512,
writable=False, readable=False, default='',
label=self.messages.label_registration_id),
*extra_fields,
**dict(
migrate=self._get_migrate(settings.table_user_name,
migrate),
fake_migrate=fake_migrate,
format='%(first_name)s %(last_name)s (%(id)s)'))
reference_table_user = 'reference %s' % settings.table_user_name
if settings.table_group_name not in db.tables:
extra_fields = settings.extra_fields.get(
settings.table_group_name, []) + signature_list
db.define_table(
settings.table_group_name,
Field('role', length=512, default='',
label=self.messages.label_role,
requires=IS_NOT_IN_DB(db, '%s.role' % settings.table_group_name)),
Field('description', 'text',
label=self.messages.label_description),
*extra_fields,
**dict(
migrate=self._get_migrate(
settings.table_group_name, migrate),
fake_migrate=fake_migrate,
format='%(role)s (%(id)s)'))
reference_table_group = 'reference %s' % settings.table_group_name
if settings.table_membership_name not in db.tables:
extra_fields = settings.extra_fields.get(
settings.table_membership_name, []) + signature_list
db.define_table(
settings.table_membership_name,
Field('user_id', reference_table_user,
label=self.messages.label_user_id),
Field('group_id', reference_table_group,
label=self.messages.label_group_id),
*extra_fields,
**dict(
migrate=self._get_migrate(
settings.table_membership_name, migrate),
fake_migrate=fake_migrate))
if settings.table_permission_name not in db.tables:
extra_fields = settings.extra_fields.get(
settings.table_permission_name, []) + signature_list
db.define_table(
settings.table_permission_name,
Field('group_id', reference_table_group,
label=self.messages.label_group_id),
Field('name', default='default', length=512,
label=self.messages.label_name,
requires=is_not_empty),
Field('table_name', length=512,
label=self.messages.label_table_name),
Field('record_id', 'integer', default=0,
label=self.messages.label_record_id,
requires=IS_INT_IN_RANGE(0, 10 ** 9)),
*extra_fields,
**dict(
migrate=self._get_migrate(
settings.table_permission_name, migrate),
fake_migrate=fake_migrate))
if settings.table_event_name not in db.tables:
db.define_table(
settings.table_event_name,
Field('time_stamp', 'datetime',
default=current.request.now,
label=self.messages.label_time_stamp),
Field('client_ip',
default=current.request.client,
label=self.messages.label_client_ip),
Field('user_id', reference_table_user, default=None,
label=self.messages.label_user_id),
Field('origin', default='auth', length=512,
label=self.messages.label_origin,
requires=is_not_empty),
Field('description', 'text', default='',
label=self.messages.label_description,
requires=is_not_empty),
*settings.extra_fields.get(settings.table_event_name, []),
**dict(
migrate=self._get_migrate(
settings.table_event_name, migrate),
fake_migrate=fake_migrate))
return self
def log_event(self, description, vars=None, origin='auth'):
"""
Examples:
Use as::
auth.log_event(description='this happened', origin='auth')
"""
if not self.settings.logging_enabled or not description:
return
elif self.is_logged_in():
user_id = self.user.id
else:
user_id = None # user unknown
vars = vars or {}
# log messages should not be translated
if type(description).__name__ == 'lazyT':
description = description.m
if not user_id or self.table_user()[user_id]:
self.table_event().insert(
description=str(description % vars), origin=origin, user_id=user_id)
def id_group(self, role):
"""
Returns the group_id of the group specified by the role
"""
rows = self.db(self.table_group().role == role).select()
if not rows:
return None
return rows[0].id
def user_group(self, user_id=None):
"""
Returns the group_id of the group uniquely associated to this user
i.e. `role=user:[user_id]`
"""
return self.id_group(self.user_group_role(user_id))
def user_group_role(self, user_id=None):
if not self.settings.create_user_groups:
return None
if user_id:
user = self.table_user()[user_id]
else:
user = self.user
return self.settings.create_user_groups % user
def add_group(self, role, description=''):
"""
Creates a group associated to a role
"""
group_id = self.table_group().insert(role=role, description=description)
self.log_event(self.messages['add_group_log'], dict(group_id=group_id, role=role))
return group_id
def del_group(self, group_id):
"""
Deletes a group
"""
self.db(self.table_group().id == group_id).delete()
self.db(self.table_membership().group_id == group_id).delete()
self.db(self.table_permission().group_id == group_id).delete()
if group_id in self.user_groups:
del self.user_groups[group_id]
self.log_event(self.messages.del_group_log, dict(group_id=group_id))
def update_groups(self):
if not self.user:
return
user_groups = self.user_groups = {}
if current.session.auth:
current.session.auth.user_groups = self.user_groups
table_group = self.table_group()
table_membership = self.table_membership()
memberships = self.db(
table_membership.user_id == self.user.id).select()
for membership in memberships:
group = table_group(membership.group_id)
if group:
user_groups[membership.group_id] = group.role
def add_membership(self, group_id=None, user_id=None, role=None):
"""
Gives user_id membership of group_id or role
if user is None than user_id is that of current logged in user
"""
group_id = group_id or self.id_group(role)
try:
group_id = int(group_id)
except:
group_id = self.id_group(group_id) # interpret group_id as a role
if not user_id and self.user:
user_id = self.user.id
if not group_id:
raise ValueError('group_id not provided or invalid')
if not user_id:
raise ValueError('user_id not provided or invalid')
membership = self.table_membership()
db = membership._db
record = db((membership.user_id == user_id) &
(membership.group_id == group_id),
ignore_common_filters=True).select().first()
if record:
if hasattr(record, 'is_active') and not record.is_active:
record.update_record(is_active=True)
return record.id
else:
id = membership.insert(group_id=group_id, user_id=user_id)
if role and user_id == self.user_id:
self.user_groups[group_id] = role
else:
self.update_groups()
self.log_event(self.messages['add_membership_log'],
dict(user_id=user_id, group_id=group_id))
return id
def del_membership(self, group_id=None, user_id=None, role=None):
"""
Revokes membership from group_id to user_id
if user_id is None than user_id is that of current logged in user
"""
group_id = group_id or self.id_group(role)
try:
group_id = int(group_id)
except:
group_id = self.id_group(group_id) # interpret group_id as a role
if not user_id and self.user:
user_id = self.user.id
membership = self.table_membership()
self.log_event(self.messages['del_membership_log'],
dict(user_id=user_id, group_id=group_id))
ret = self.db(membership.user_id == user_id)(membership.group_id == group_id).delete()
if group_id in self.user_groups and user_id == self.user_id:
del self.user_groups[group_id]
return ret
def has_membership(self, group_id=None, user_id=None, role=None, cached=False):
"""
Checks if user is member of group_id or role
NOTE: To avoid database query at each page load that use auth.has_membership, someone can use cached=True.
If cached is set to True has_membership() check group_id or role only against auth.user_groups variable
which is populated properly only at login time. This means that if an user membership change during a
given session the user has to log off and log in again in order to auth.user_groups to be properly
recreated and reflecting the user membership modification. There is one exception to this log off and
log in process which is in case that the user change his own membership, in this case auth.user_groups
can be properly update for the actual connected user because web2py has access to the proper session
user_groups variable. To make use of this exception someone has to place an "auth.update_groups()"
instruction in his app code to force auth.user_groups to be updated. As mention this will only work if it
the user itself that change it membership not if another user, let say an administrator, change someone
else's membership.
"""
if not user_id and self.user:
user_id = self.user.id
if cached:
id_role = group_id or role
r = (user_id and id_role in self.user_groups.values()) or (user_id and id_role in self.user_groups)
else:
group_id = group_id or self.id_group(role)
try:
group_id = int(group_id)
except:
group_id = self.id_group(group_id) # interpret group_id as a role
membership = self.table_membership()
if group_id and user_id and self.db((membership.user_id == user_id) &
(membership.group_id == group_id)).select():
r = True
else:
r = False
self.log_event(self.messages['has_membership_log'],
dict(user_id=user_id, group_id=group_id, check=r))
return r
def add_permission(self,
group_id,
name='any',
table_name='',
record_id=0,
):
"""
Gives group_id 'name' access to 'table_name' and 'record_id'
"""
permission = self.table_permission()
if group_id == 0:
group_id = self.user_group()
record = self.db((permission.group_id == group_id) &
(permission.name == name) &
(permission.table_name == str(table_name)) &
(permission.record_id == long(record_id)),
ignore_common_filters=True
).select(limitby=(0, 1), orderby_on_limitby=False).first()
if record:
if hasattr(record, 'is_active') and not record.is_active:
record.update_record(is_active=True)
id = record.id
else:
id = permission.insert(group_id=group_id, name=name,
table_name=str(table_name),
record_id=long(record_id))
self.log_event(self.messages['add_permission_log'],
dict(permission_id=id, group_id=group_id,
name=name, table_name=table_name,
record_id=record_id))
return id
def del_permission(self,
group_id,
name='any',
table_name='',
record_id=0,
):
"""
Revokes group_id 'name' access to 'table_name' and 'record_id'
"""
permission = self.table_permission()
self.log_event(self.messages['del_permission_log'],
dict(group_id=group_id, name=name,
table_name=table_name, record_id=record_id))
return self.db(permission.group_id ==
group_id)(permission.name ==
name)(permission.table_name ==
str(table_name))(permission.record_id ==
long(record_id)).delete()
def has_permission(self,
name='any',
table_name='',
record_id=0,
user_id=None,
group_id=None,
):
"""
Checks if user_id or current logged in user is member of a group
that has 'name' permission on 'table_name' and 'record_id'
if group_id is passed, it checks whether the group has the permission
"""
if not group_id and self.settings.everybody_group_id and \
self.has_permission(name, table_name, record_id, user_id=None,
group_id=self.settings.everybody_group_id):
return True
if not user_id and not group_id and self.user:
user_id = self.user.id
if user_id:
membership = self.table_membership()
rows = self.db(membership.user_id == user_id).select(membership.group_id)
groups = set([row.group_id for row in rows])
if group_id and group_id not in groups:
return False
else:
groups = set([group_id])
permission = self.table_permission()
rows = self.db(permission.name ==
name)(permission.table_name ==
str(table_name))(permission.record_id ==
record_id).select(permission.group_id)
groups_required = set([row.group_id for row in rows])
if record_id:
rows = self.db(permission.name ==
name)(permission.table_name ==
str(table_name))(permission.record_id ==
0).select(permission.group_id)
groups_required = groups_required.union(set([row.group_id for row in rows]))
if groups.intersection(groups_required):
r = True
else:
r = False
if user_id:
self.log_event(self.messages['has_permission_log'],
dict(user_id=user_id, name=name,
table_name=table_name, record_id=record_id))
return r
def is_logged_in(self):
"""
Checks if the user is logged in and returns True/False.
If so user is in auth.user as well as in session.auth.user
"""
if self.user:
return True
return False
def _update_session_user(self, user):
if global_settings.web2py_runtime_gae:
user = Row(self.table_user()._filter_fields(user, id=True))
delattr(user, self.settings.password_field)
else:
user = Row(user)
for key in list(user.keys()):
value = user[key]
if callable(value) or key == self.settings.password_field:
delattr(user, key)
current.session.auth = Storage(user=user,
last_visit=current.request.now,
expiration=self.settings.expiration,
hmac_key=web2py_uuid())
return user
def login_user(self, user):
"""
Logins the `user = db.auth_user(id)`
"""
user = self._update_session_user(user)
if self.settings.renew_session_onlogin:
current.session.renew(clear_session=not self.settings.keep_session_onlogin)
self.user = user
self.update_groups()
def login(self, log=DEFAULT, **kwargs):
"""
Login a user
Keyword Args:
username/email/name_of_your_username_field (string) - username
password/name_of_your_passfield (string) - user's password
remember_me (boolean) - extend the duration of the login to settings.long_expiration
"""
settings = self.settings
session = current.session
table_user = self.table_user()
if 'username' in table_user.fields or \
not settings.login_email_validate:
userfield_validator = IS_NOT_EMPTY(error_message=self.messages.is_empty)
if not settings.username_case_sensitive:
userfield_validator = [IS_LOWER(), userfield_validator]
else:
userfield_validator = IS_EMAIL(error_message=self.messages.invalid_email)
if not settings.email_case_sensitive:
userfield_validator = [IS_LOWER(), userfield_validator]
passfield = settings.password_field
if log is DEFAULT:
log = self.messages['login_log']
user = None
# Setup the default field used for the userfield
if self.settings.login_userfield:
userfield = self.settings.login_userfield
else:
if 'username' in table_user.fields:
userfield = 'username'
else:
userfield = 'email'
# Get the userfield from kwargs and validate it
userfield_value = kwargs.get(userfield)
if userfield_value is None:
raise KeyError('%s not found in kwargs' % userfield)
validated, error = self.__validate(userfield_value, userfield_validator)
if error:
return {'errors': {userfield: error}, 'message': self.messages.invalid_login, 'user': None}
# Get the user for this userfield and check it
user = table_user(**{userfield: validated})
if user is None:
return {'errors': {userfield: self.messages.invalid_user},
'message': self.messages.invalid_login, 'user': None}
if (user.registration_key or '').startswith('pending'):
return {'errors': None, 'message': self.messages.registration_pending, 'user': None}
elif user.registration_key in ('disabled', 'blocked'):
return {'errors': None, 'message': self.messages.login_disabled, 'user': None}
elif (user.registration_key is not None and user.registration_key.strip()):
return {'errors': None, 'message': self.messages.registration_verifying, 'user': None}
# Finally verify the password
passfield = settings.password_field
password = table_user[passfield].validate(kwargs.get(passfield, ''))[0]
if password == user[passfield]:
self.login_user(user)
session.auth.expiration = \
kwargs.get('remember_me', False) and \
settings.long_expiration or \
settings.expiration
session.auth.remember_me = kwargs.get('remember_me', False)
self.log_event(log, user)
return {'errors': None, 'message': self.messages.logged_in,
'user': {k: user[k] for k in table_user.fields if table_user[k].readable}}
else:
self.log_event(self.messages['login_failed_log'], kwargs)
return {'errors': {passfield: self.messages.invalid_password},
'message': self.messages.invalid_login, 'user': None}
def logout(self, log=DEFAULT, onlogout=DEFAULT, **kwargs):
"""
Logs out user
"""
settings = self.settings
session = current.session
if onlogout is DEFAULT:
onlogout = settings.logout_onlogout
if onlogout:
onlogout(self.user)
if log is DEFAULT:
log = self.messages['logout_log']
if self.user:
self.log_event(log, self.user)
session.auth = None
self.user = None
if settings.renew_session_onlogout:
session.renew(clear_session=not settings.keep_session_onlogout)
return {'errors': None, 'message': self.messages.logged_out, 'user': None}
def register(self, log=DEFAULT, **kwargs):
"""
Register a user.
"""
table_user = self.table_user()
settings = self.settings
if self.is_logged_in():
raise AssertionError('User trying to register is logged in')
if log is DEFAULT:
log = self.messages['register_log']
if self.settings.login_userfield:
userfield = self.settings.login_userfield
elif 'username' in table_user.fields:
userfield = 'username'
else:
userfield = 'email'
# Ensure the username field is unique.
unique_validator = IS_NOT_IN_DB(self.db, table_user[userfield])
userfield_validator = table_user[userfield].requires
if userfield_validator is None:
userfield_validator = unique_validator
elif isinstance(userfield_validator, (list, tuple)):
if not any([isinstance(validator, IS_NOT_IN_DB) for validator in
userfield_validator]):
if isinstance(userfield_validator, list):
userfield_validator.append(unique_validator)
else:
userfield_validator += (unique_validator, )
elif not isinstance(userfield_validator, IS_NOT_IN_DB):
userfield_validator = [userfield_validator, unique_validator]
table_user[userfield].requires = userfield_validator
passfield = settings.password_field
try: # Make sure we have our original minimum length
table_user[passfield].requires[-1].min_length = settings.password_min_length
except:
pass
key = web2py_uuid()
if settings.registration_requires_approval:
key = 'pending-' + key
table_user.registration_key.default = key
result = table_user.validate_and_insert(**kwargs)
if result.errors:
return {'errors': result.errors.as_dict(), 'message': None, 'user': None}
user = table_user[result.id]
message = self.messages.registration_successful
if settings.create_user_groups:
d = user.as_dict()
description = self.messages.group_description % d
group_id = self.add_group(settings.create_user_groups % d, description)
self.add_membership(group_id, result.id)
if self.settings.everybody_group_id:
self.add_membership(self.settings.everybody_group_id, result)
if settings.registration_requires_verification:
d = {k: user[k] for k in table_user.fields if table_user[k].readable}
d['key'] = key
if settings.login_after_registration and not settings.registration_requires_approval:
self.login_user(user)
return {'errors': None, 'message': None, 'user': d}
if settings.registration_requires_approval:
user.update_record(registration_key='pending')
message = self.messages.registration_pending
elif settings.login_after_registration:
user.update_record(registration_key='')
self.login_user(user)
message = self.messages.logged_in
self.log_event(log, user)
return {'errors': None, 'message': message,
'user': {k: user[k] for k in table_user.fields if table_user[k].readable}}
def profile(self, log=DEFAULT, **kwargs):
"""
Lets the user change his/her profile
"""
table_user = self.table_user()
settings = self.settings
table_user[settings.password_field].writable = False
if not self.is_logged_in():
raise AssertionError('User is not logged in')
if not kwargs:
user = table_user[self.user.id]
return {'errors': None, 'message': None,
'user': {k: user[k] for k in table_user.fields if table_user[k].readable}}
result = self.db(table_user.id == self.user.id).validate_and_update(**kwargs)
user = table_user[self.user.id]
if result.errors:
return {'errors': result.errors, 'message': None,
'user': {k: user[k] for k in table_user.fields if table_user[k].readable}}
if log is DEFAULT:
log = self.messages['profile_log']
self.log_event(log, user)
self._update_session_user(user)
return {'errors': None, 'message': self.messages.profile_updated,
'user': {k: user[k] for k in table_user.fields if table_user[k].readable}}
def change_password(self, log=DEFAULT, **kwargs):
"""
Lets the user change password
Keyword Args:
old_password (string) - User's current password
new_password (string) - User's new password
new_password2 (string) - Verify the new password
"""
settings = self.settings
messages = self.messages
if not self.is_logged_in():
raise AssertionError('User is not logged in')
db = self.db
table_user = self.table_user()
s = db(table_user.id == self.user.id)
request = current.request
session = current.session
passfield = settings.password_field
requires = table_user[passfield].requires
if not isinstance(requires, (list, tuple)):
requires = [requires]
requires = list(filter(lambda t: isinstance(t, CRYPT), requires))
if requires:
requires[0] = CRYPT(**requires[0].__dict__) # Copy the existing CRYPT attributes
requires[0].min_length = 0 # But do not enforce minimum length for the old password
old_password = kwargs.get('old_password', '')
new_password = kwargs.get('new_password', '')
new_password2 = kwargs.get('new_password2', '')
validator_old = requires
validator_pass2 = IS_EQUAL_TO(new_password, error_message=messages.mismatched_password)
old_password, error_old = self.__validate(old_password, validator_old)
new_password2, error_new2 = self.__validate(new_password2, validator_pass2)
errors = {}
if error_old:
errors['old_password'] = error_old
if error_new2:
errors['new_password2'] = error_new2
if errors:
return {'errors': errors, 'message': None}
current_user = s.select(limitby=(0, 1), orderby_on_limitby=False).first()
if not old_password == current_user[passfield]:
return {'errors': {'old_password': messages.invalid_password}, 'message': None}
else:
d = {passfield: new_password}
resp = s.validate_and_update(**d)
if resp.errors:
return {'errors': {'new_password': resp.errors[passfield]}, 'message': None}
if log is DEFAULT:
log = messages['change_password_log']
self.log_event(log, self.user)
return {'errors': None, 'message': messages.password_changed}
def verify_key(self,
key=None,
ignore_approval=False,
log=DEFAULT,
):
"""
Verify a given registration_key actually exists in the user table.
Resets the key to empty string '' or 'pending' if
setttings.registration_requires_approval is true.
Keyword Args:
key (string) - User's registration key
"""
table_user = self.table_user()
user = table_user(registration_key=key)
if (user is None) or (key is None):
return {'errors': {'key': self.messages.invalid_key}, 'message': self.messages.invalid_key}
if self.settings.registration_requires_approval:
user.update_record(registration_key='pending')
result = {'errors': None, 'message': self.messages.registration_pending}
else:
user.update_record(registration_key='')
result = {'errors': None, 'message': self.messages.key_verified}
# make sure session has same user.registration_key as db record
if current.session.auth and current.session.auth.user:
current.session.auth.user.registration_key = user.registration_key
if log is DEFAULT:
log = self.messages['verify_log']
self.log_event(log, user)
return result