feat: Allow to activate trusted accounts only

2021-08-03 11:41:58 +02:00 · 2021-08-03 11:41:58 +02:00 · d656370aef
commit d656370aef
parent 0f1cd98a80
5 changed files with 40 additions and 44 deletions
--- a/userausfall/rest_api/serializers.py
+++ b/userausfall/rest_api/serializers.py
@ -1,25 +1,24 @@
 from rest_framework import serializers

-from userausfall.models import User
+from userausfall.models import User, TrustBridge


-class UserActivationSerializer(serializers.Serializer):
+class TrustBridgeSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = TrustBridge
+        fields = ["is_trusted"]
+
+
+class ActivateUserSerializer(serializers.Serializer):
    password = serializers.CharField()


-class UserSerializer(serializers.ModelSerializer):
-    confidant_email = serializers.EmailField()
+class RetrieveUserSerializer(serializers.ModelSerializer):
+    trust_bridge = TrustBridgeSerializer(required=False, read_only=True)

    class Meta:
        model = User
-        fields = ("pk", "email", "username", "confidant_email")
-        read_only_fields = ("email",)
-
-    def update(self, instance: User, validated_data):
-        confidant_email = validated_data.pop("confidant_email")
-        confidant, _ = User.objects.get_or_create(email=confidant_email)
-        instance.confidant_unconfirmed = confidant
-        return super().update(instance, validated_data)
+        fields = ["pk", "username", "trust_bridge"]


 class CreateUserSerializer(serializers.ModelSerializer):
--- a/userausfall/rest_api/views.py
+++ b/userausfall/rest_api/views.py
@ -5,8 +5,11 @@ from rest_framework.response import Response
 from djeveric import ConfirmationView
 from userausfall.models import User, MissingUserAttribute, PasswordMismatch
 from userausfall.confirmations import ConfidantConfirmation
-from userausfall.rest_api.permissions import UserPermission
-from userausfall.rest_api.serializers import UserSerializer, UserActivationSerializer, CreateUserSerializer
+from userausfall.rest_api.serializers import (
+    ActivateUserSerializer,
+    CreateUserSerializer,
+    TrustBridgeSerializer, RetrieveUserSerializer,
+)


 class ConfidantConfirmationView(ConfirmationView):
@ -17,13 +20,24 @@ class UserViewSet(viewsets.ModelViewSet):
    # permission_classes = [UserPermission]
    queryset = User.objects.all()

+    @action(detail=False)
+    def me(self, request):
+        """Retrieve user data for logged in user."""
+        user = request.user
+        serializer = RetrieveUserSerializer(user)
+        return Response(serializer.data)
+
    @action(detail=False, methods=["post"])
    def activate(self, request, pk=None):
        """Create the corresponding LDAP account."""
        user: User = request.user  # self.get_object()
-        serializer = UserActivationSerializer(data=request.data)
+        serializer = ActivateUserSerializer(data=request.data)
        if serializer.is_valid():
            try:
+                # We prevent untrusted user accounts from being activated via API.
+                # They might be activated via Admin or programmatically.
+                if not user.trust_bridge.is_trusted:
+                    raise MissingUserAttribute("User has no trusted trust bridge.")
                user.create_ldap_account(serializer.validated_data["password"])
            except (MissingUserAttribute, PasswordMismatch) as e:
                return Response({"message": str(e)}, status=status.HTTP_400_BAD_REQUEST)