Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Raise PermissionDenied if anon user tries to access create_password #4371

Merged
merged 3 commits into from
Feb 3, 2025
Merged

Raise PermissionDenied if anon user tries to access create_password #4371

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9fdf991
Add some missing user string translations. Update locale. Remove Tami…
frjo Feb 3, 2025
0f109ed
Raise PermissionDenied if anon user tries to access create_password.
frjo Feb 3, 2025
8adcb7b
Update locale files.
frjo Feb 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 14 additions & 6 deletions hypha/apply/users/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -207,7 +207,7 @@ def account_email_change(request):

# alert email
request.user.email_user(
subject="Alert! An attempt to update your email.",
subject=_("Alert! An attempt to update your email."),
message=render_to_string(
"users/email_change/update_info_email.html",
{
Expand Down Expand Up @@ -265,7 +265,10 @@ def get(self, request, *args, **kwargs):
user.email = email
user.save()
messages.success(
request, _(f"Your email has been successfully updated to {email}!")
request,
_("Your email has been successfully updated to {email}!").format(
email=email
),
)
return redirect("users:account")

Expand Down Expand Up @@ -339,18 +342,21 @@ def create_password(request):
"""
redirect_url = get_redirect_url(request, redirect_field="next")

if request.user.is_anonymous:
raise PermissionDenied()

if request.method == "POST":
form = AdminPasswordChangeForm(request.user, request.POST)

if form.is_valid():
user = form.save()
update_session_auth_hash(request, user) # Important!
messages.success(request, "Your password was successfully updated!")
messages.success(request, _("Your password was successfully updated!"))
if redirect_url:
return redirect(redirect_url)
return redirect("users:account")
else:
messages.error(request, "Please correct the errors below.")
messages.error(request, _("Please correct the errors below."))
else:
form = AdminPasswordChangeForm(request.user)

Expand Down Expand Up @@ -731,7 +737,9 @@ def send_confirm_access_email_view(request):
"user": request.user,
"timeout_minutes": settings.PASSWORDLESS_LOGIN_TIMEOUT // 60,
}
subject = "Confirmation code for {org_long_name}: {token}".format(**email_context)
subject = _("Confirmation code for {org_long_name}: {token}").format(
**email_context
)
email = MarkdownMail("users/emails/confirm_access.md")
email.send(
to=request.user.email,
Expand Down Expand Up @@ -790,7 +798,7 @@ def set_password_view(request):
email_template="users/emails/set_password.txt",
email_subject_template="users/emails/set_password_subject.txt",
)
return HttpResponse("✓ Check your email for password set link.")
return HttpResponse(_("✓ Check your email for password set link."))


@never_cache
Expand Down
Loading
Loading