forked from zulip/zulip
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathregistration.py
414 lines (374 loc) · 18.6 KB
/
registration.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
# -*- coding: utf-8 -*-
from __future__ import absolute_import
from typing import Any, List, Dict, Optional, Text
from django.utils.translation import ugettext as _
from django.conf import settings
from django.contrib.auth import authenticate, login, get_backends
from django.core.urlresolvers import reverse
from django.http import HttpResponseRedirect, HttpResponseForbidden, HttpResponse, HttpRequest
from django.shortcuts import redirect, render
from django.template import RequestContext, loader
from django.utils.timezone import now
from django.core.exceptions import ValidationError
from django.core import validators
from django.core.mail import send_mail
from zerver.models import UserProfile, Realm, PreregistrationUser, \
name_changes_disabled, email_to_username, \
completely_open, get_unique_open_realm, email_allowed_for_realm, \
get_realm, get_realm_by_email_domain
from zerver.lib.events import do_events_register
from zerver.lib.actions import do_change_password, do_change_full_name, do_change_is_admin, \
do_activate_user, do_create_user, do_create_realm, set_default_streams, \
user_email_is_unique, \
compute_mit_user_fullname
from zerver.forms import RegistrationForm, HomepageForm, RealmCreationForm, \
CreateUserForm, FindMyTeamForm
from zerver.lib.actions import is_inactive
from django_auth_ldap.backend import LDAPBackend, _LDAPUser
from zerver.decorator import require_post, has_request_variables, \
JsonableError, get_user_profile_by_email, REQ
from zerver.lib.response import json_success
from zerver.lib.utils import get_subdomain
from zproject.backends import password_auth_enabled
from confirmation.models import Confirmation, RealmCreationKey, check_key_is_valid
import logging
import requests
import ujson
from six.moves import urllib
def redirect_and_log_into_subdomain(realm, full_name, email_address):
# type: (Realm, Text, Text) -> HttpResponse
subdomain_login_uri = ''.join([
realm.uri,
reverse('zerver.views.auth.log_into_subdomain')
])
domain = '.' + settings.EXTERNAL_HOST.split(':')[0]
response = redirect(subdomain_login_uri)
data = {'name': full_name, 'email': email_address, 'subdomain': realm.subdomain}
# Creating a singed cookie so that it cannot be tampered with.
# Cookie and the signature expire in 15 seconds.
response.set_signed_cookie('subdomain.signature',
ujson.dumps(data),
expires=15,
domain=domain,
salt='zerver.views.auth')
return response
@require_post
def accounts_register(request):
# type: (HttpRequest) -> HttpResponse
key = request.POST['key']
confirmation = Confirmation.objects.get(confirmation_key=key)
prereg_user = confirmation.content_object
email = prereg_user.email
realm_creation = prereg_user.realm_creation
try:
existing_user_profile = get_user_profile_by_email(email)
except UserProfile.DoesNotExist:
existing_user_profile = None
validators.validate_email(email)
# If OPEN_REALM_CREATION is enabled all user sign ups should go through the
# special URL with domain name so that REALM can be identified if multiple realms exist
unique_open_realm = get_unique_open_realm()
if unique_open_realm is not None:
realm = unique_open_realm
elif prereg_user.referred_by:
# If someone invited you, you are joining their realm regardless
# of your e-mail address.
realm = prereg_user.referred_by.realm
elif prereg_user.realm:
# You have a realm set, even though nobody referred you. This
# happens if you sign up through a special URL for an open realm.
realm = prereg_user.realm
elif realm_creation:
# For creating a new realm, there is no existing realm or domain
realm = None
elif settings.REALMS_HAVE_SUBDOMAINS:
realm = get_realm(get_subdomain(request))
else:
realm = get_realm_by_email_domain(email)
if realm and not email_allowed_for_realm(email, realm):
return render(request, "zerver/closed_realm.html",
context={"closed_domain_name": realm.name})
if realm and realm.deactivated:
# The user is trying to register for a deactivated realm. Advise them to
# contact support.
return render(request, "zerver/deactivated.html",
context={"deactivated_domain_name": realm.name,
"zulip_administrator": settings.ZULIP_ADMINISTRATOR})
try:
if existing_user_profile is not None and existing_user_profile.is_mirror_dummy:
# Mirror dummy users to be activated must be inactive
is_inactive(email)
else:
# Other users should not already exist at all.
user_email_is_unique(email)
except ValidationError:
return HttpResponseRedirect(reverse('django.contrib.auth.views.login') + '?email=' +
urllib.parse.quote_plus(email))
name_validated = False
full_name = None
if request.POST.get('from_confirmation'):
try:
del request.session['authenticated_full_name']
except KeyError:
pass
if realm is not None and realm.is_zephyr_mirror_realm:
# For MIT users, we can get an authoritative name from Hesiod.
# Technically we should check that this is actually an MIT
# realm, but we can cross that bridge if we ever get a non-MIT
# zephyr mirroring realm.
hesiod_name = compute_mit_user_fullname(email)
form = RegistrationForm(
initial={'full_name': hesiod_name if "@" not in hesiod_name else ""})
name_validated = True
elif settings.POPULATE_PROFILE_VIA_LDAP:
for backend in get_backends():
if isinstance(backend, LDAPBackend):
ldap_attrs = _LDAPUser(backend, backend.django_to_ldap_username(email)).attrs
try:
ldap_full_name = ldap_attrs[settings.AUTH_LDAP_USER_ATTR_MAP['full_name']][0]
request.session['authenticated_full_name'] = ldap_full_name
name_validated = True
# We don't use initial= here, because if the form is
# complete (that is, no additional fields need to be
# filled out by the user) we want the form to validate,
# so they can be directly registered without having to
# go through this interstitial.
form = RegistrationForm({'full_name': ldap_full_name})
# FIXME: This will result in the user getting
# validation errors if they have to enter a password.
# Not relevant for ONLY_SSO, though.
break
except TypeError:
# Let the user fill out a name and/or try another backend
form = RegistrationForm()
elif 'full_name' in request.POST:
form = RegistrationForm(
initial={'full_name': request.POST.get('full_name')}
)
else:
form = RegistrationForm()
else:
postdata = request.POST.copy()
if name_changes_disabled(realm):
# If we populate profile information via LDAP and we have a
# verified name from you on file, use that. Otherwise, fall
# back to the full name in the request.
try:
postdata.update({'full_name': request.session['authenticated_full_name']})
name_validated = True
except KeyError:
pass
form = RegistrationForm(postdata)
if not password_auth_enabled(realm):
form['password'].field.required = False
if form.is_valid():
if password_auth_enabled(realm):
password = form.cleaned_data['password']
else:
# SSO users don't need no passwords
password = None
if realm_creation:
string_id = form.cleaned_data['realm_subdomain']
realm_name = form.cleaned_data['realm_name']
org_type = int(form.cleaned_data['realm_org_type'])
realm = do_create_realm(string_id, realm_name, org_type=org_type)[0]
set_default_streams(realm, settings.DEFAULT_NEW_REALM_STREAMS)
full_name = form.cleaned_data['full_name']
short_name = email_to_username(email)
first_in_realm = len(UserProfile.objects.filter(realm=realm, is_bot=False)) == 0
# FIXME: sanitize email addresses and fullname
if existing_user_profile is not None and existing_user_profile.is_mirror_dummy:
user_profile = existing_user_profile
do_activate_user(user_profile)
do_change_password(user_profile, password)
do_change_full_name(user_profile, full_name)
else:
user_profile = do_create_user(email, password, realm, full_name, short_name,
prereg_user=prereg_user,
tos_version=settings.TOS_VERSION,
newsletter_data={"IP": request.META['REMOTE_ADDR']})
if first_in_realm:
do_change_is_admin(user_profile, True)
if realm_creation and settings.REALMS_HAVE_SUBDOMAINS:
# Because for realm creation, registration happens on the
# root domain, we need to log them into the subdomain for
# their new realm.
return redirect_and_log_into_subdomain(realm, full_name, email)
# This dummy_backend check below confirms the user is
# authenticating to the correct subdomain.
return_data = {} # type: Dict[str, bool]
auth_result = authenticate(username=user_profile.email,
realm_subdomain=realm.subdomain,
return_data=return_data,
use_dummy_backend=True)
if return_data.get('invalid_subdomain'):
# By construction, this should never happen.
logging.error("Subdomain mismatch in registration %s: %s" % (
realm.subdomain, user_profile.email,))
return redirect('/')
login(request, auth_result)
return HttpResponseRedirect(realm.uri + reverse('zerver.views.home.home'))
return render(
request,
'zerver/register.html',
context={'form': form,
'email': email,
'key': key,
'full_name': request.session.get('authenticated_full_name', None),
'lock_name': name_validated and name_changes_disabled(realm),
# password_auth_enabled is normally set via our context processor,
# but for the registration form, there is no logged in user yet, so
# we have to set it here.
'creating_new_team': realm_creation,
'realms_have_subdomains': settings.REALMS_HAVE_SUBDOMAINS,
'password_auth_enabled': password_auth_enabled(realm),
}
)
def create_preregistration_user(email, request, realm_creation=False):
# type: (Text, HttpRequest, bool) -> HttpResponse
realm_str = request.session.pop('realm_str', None)
if realm_str is not None:
# realm_str was set in accounts_home_with_realm_str.
# The user is trying to sign up for a completely open realm,
# so create them a PreregistrationUser for that realm
return PreregistrationUser.objects.create(email=email,
realm=get_realm(realm_str),
realm_creation=realm_creation)
return PreregistrationUser.objects.create(email=email, realm_creation=realm_creation)
def accounts_home_with_realm_str(request, realm_str):
# type: (HttpRequest, str) -> HttpResponse
if not settings.REALMS_HAVE_SUBDOMAINS and completely_open(get_realm(realm_str)):
# You can sign up for a completely open realm through a
# special registration path that contains the domain in the
# URL. We store this information in the session rather than
# elsewhere because we don't have control over URL or form
# data for folks registering through OpenID.
request.session["realm_str"] = realm_str
return accounts_home(request)
else:
return HttpResponseRedirect(reverse('zerver.views.registration.accounts_home'))
def send_registration_completion_email(email, request, realm_creation=False):
# type: (str, HttpRequest, bool) -> Confirmation
"""
Send an email with a confirmation link to the provided e-mail so the user
can complete their registration.
"""
prereg_user = create_preregistration_user(email, request, realm_creation)
context = {'support_email': settings.ZULIP_ADMINISTRATOR,
'verbose_support_offers': settings.VERBOSE_SUPPORT_OFFERS}
return Confirmation.objects.send_confirmation(prereg_user, email,
additional_context=context,
host=request.get_host())
def redirect_to_email_login_url(email):
# type: (str) -> HttpResponseRedirect
login_url = reverse('django.contrib.auth.views.login')
redirect_url = login_url + '?email=' + urllib.parse.quote_plus(email)
return HttpResponseRedirect(redirect_url)
def create_realm(request, creation_key=None):
# type: (HttpRequest, Optional[Text]) -> HttpResponse
if not settings.OPEN_REALM_CREATION:
if creation_key is None:
return render(request, "zerver/realm_creation_failed.html",
context={'message': _('New organization creation disabled.')})
elif not check_key_is_valid(creation_key):
return render(request, "zerver/realm_creation_failed.html",
context={'message': _('The organization creation link has expired'
' or is not valid.')})
# When settings.OPEN_REALM_CREATION is enabled, anyone can create a new realm,
# subject to a few restrictions on their email address.
if request.method == 'POST':
form = RealmCreationForm(request.POST)
if form.is_valid():
email = form.cleaned_data['email']
confirmation_key = send_registration_completion_email(email, request, realm_creation=True).confirmation_key
if settings.DEVELOPMENT:
request.session['confirmation_key'] = {'confirmation_key': confirmation_key}
if (creation_key is not None and check_key_is_valid(creation_key)):
RealmCreationKey.objects.get(creation_key=creation_key).delete()
return HttpResponseRedirect(reverse('send_confirm', kwargs={'email': email}))
try:
email = request.POST['email']
user_email_is_unique(email)
except ValidationError:
# Maybe the user is trying to log in
return redirect_to_email_login_url(email)
else:
form = RealmCreationForm()
return render(request,
'zerver/create_realm.html',
context={'form': form, 'current_url': request.get_full_path},
)
def confirmation_key(request):
# type: (HttpRequest) -> HttpResponse
return json_success(request.session.get('confirmation_key'))
def get_realm_from_request(request):
# type: (HttpRequest) -> Realm
if settings.REALMS_HAVE_SUBDOMAINS:
realm_str = get_subdomain(request)
else:
realm_str = request.session.get("realm_str")
return get_realm(realm_str)
def accounts_home(request):
# type: (HttpRequest) -> HttpResponse
realm = get_realm_from_request(request)
if request.method == 'POST':
form = HomepageForm(request.POST, realm=realm)
if form.is_valid():
email = form.cleaned_data['email']
send_registration_completion_email(email, request)
return HttpResponseRedirect(reverse('send_confirm', kwargs={'email': email}))
try:
email = request.POST['email']
# Note: We don't check for uniqueness
is_inactive(email)
except ValidationError:
return redirect_to_email_login_url(email)
else:
form = HomepageForm(realm=realm)
return render(request,
'zerver/accounts_home.html',
context={'form': form, 'current_url': request.get_full_path},
)
def generate_204(request):
# type: (HttpRequest) -> HttpResponse
return HttpResponse(content=None, status=204)
def send_find_my_team_emails(user_profile):
# type: (UserProfile) -> None
text_template = 'zerver/emails/find_team/find_team_email.txt'
html_template = 'zerver/emails/find_team/find_team_email.html'
context = {'user_profile': user_profile}
text_content = loader.render_to_string(text_template, context)
html_content = loader.render_to_string(html_template, context)
sender = settings.NOREPLY_EMAIL_ADDRESS
recipients = [user_profile.email]
subject = loader.render_to_string('zerver/emails/find_team/find_team_email.subject').strip()
send_mail(subject, text_content, sender, recipients, html_message=html_content)
def find_my_team(request):
# type: (HttpRequest) -> HttpResponse
url = reverse('zerver.views.registration.find_my_team')
emails = [] # type: List[Text]
if request.method == 'POST':
form = FindMyTeamForm(request.POST)
if form.is_valid():
emails = form.cleaned_data['emails']
for user_profile in UserProfile.objects.filter(email__in=emails):
send_find_my_team_emails(user_profile)
# Note: Show all the emails in the result otherwise this
# feature can be used to ascertain which email addresses
# are associated with Zulip.
data = urllib.parse.urlencode({'emails': ','.join(emails)})
return redirect(url + "?" + data)
else:
form = FindMyTeamForm()
result = request.GET.get('emails')
if result:
for email in result.split(','):
try:
validators.validate_email(email)
emails.append(email)
except ValidationError:
pass
return render(request,
'zerver/find_my_team.html',
context={'form': form, 'current_url': lambda: url,
'emails': emails},)