Skip to content

fix(auth): clear force-reset flag when password is written outside web flow #337

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
level09 wants to merge 1 commit into
base: main
Choose a base branch
from
+15 −8
Open

fix(auth): clear force-reset flag when password is written outside web flow #337

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 3 additions & 7 deletions enferno/commands.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,7 @@
from enferno.utils.db_alignment_helpers import DBAlignmentChecker
from enferno.utils.logging_utils import get_logger
from sqlalchemy import text
from enferno.admin.models import Bulletin
from enferno.admin.models.DynamicField import DynamicField
from enferno.admin.models.DynamicFormHistory import DynamicFormHistory
from enferno.utils.date_helper import DateHelper
from enferno.utils.form_history_utils import record_form_history

from enferno.utils.validation_utils import validate_password_policy
Expand Down Expand Up @@ -255,7 +252,7 @@ def reset(username: str, password: str) -> None:
except ValueError as e:
click.echo(str(e))
return
user.password = hash_password(password)
user.set_password(password)
user.save()
click.echo("User password has been reset successfully.")
logger.info("User password has been reset successfully.")
Expand Down Expand Up @@ -303,7 +300,7 @@ def generate_password(length: int = 16) -> str:
results.append((user.username, user.email, new_password))

if not dry_run:
user.password = hash_password(new_password)
user.set_password(new_password)
user.set_security_reset_key()
user.save()

Expand Down Expand Up @@ -528,7 +525,6 @@ def fail(msg):
fail("Redis not reachable")

try:
from celery import current_app as celery_app
from enferno.tasks import celery

inspector = celery.control.inspect(timeout=2)
Expand Down Expand Up @@ -771,7 +767,7 @@ def status() -> None:
total_extracted = sum(s["count"] for s in status_map.values())
pending = total_media - total_extracted

click.echo(f"\nOCR Status Summary")
click.echo("\nOCR Status Summary")
click.echo(f"{'─' * 40}")
click.echo(f"Total media: {total_media:,}")
click.echo(f"Pending (no OCR): {pending:,}")
Expand Down
13 changes: 12 additions & 1 deletion enferno/user/models.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -234,6 +234,17 @@ def unset_security_reset_key(self) -> None:
key = f"{SECURITY_KEY_NAMESPACE}:{self.id}"
rds.delete(key)

def set_password(self, password: str) -> None:
"""Hash and set the user password, clearing any active force-reset flag.

Centralizing this on the model keeps the force-reset Redis flag in sync
with the stored hash, regardless of whether the password is written via
a CLI command or the admin UI. The web /change flow continues to clear
the flag via the `password_changed` signal.
"""
self.password = hash_password(password)
self.unset_security_reset_key()

def roles_in(self, roles: list) -> bool:
chk = [self.has_role(r) for r in roles]
return any(chk)
Expand Down Expand Up @@ -354,7 +365,7 @@ def from_json(self, item: dict) -> "User":
# check password is not empty
password = item.get("password")
if password:
self.password = hash_password(password)
self.set_password(password)

self.name = item.get("name")

Expand Down
Loading