import string
DATABASE = '/tmp/cavote.db'
+PASSWD_SALT = 'change this value to some random chars!'
SECRET_KEY = '{J@uRKO,xO-PK7B,jF?>iHbxLasF9s#zjOoy=+:'
DEBUG = True
TITLE = u"Cavote FFDN"
EMAIL = '"' + TITLE + '"' + ' <' + u"cavote@ffdn.org" + '>'
-VERSION = "cavote 0.1.0"
+VERSION = "cavote 0.1.1"
SMTP_SERVER = "10.33.33.30"
PATTERNS = {u'Oui/Non': [u'Oui', u'Non'], u'Oui/Non/Blanc': [u'Oui', u'Non', u'Blanc'], u'Oui/Non/Peut-être': [u'Oui', u'Non', u'Peut-être']}
#----------------
# Login / Logout
-def valid_login(username, password):
- return query_db('select * from users where email = ? and password = ?', [username, crypt(password)], one=True)
+def valid_login(email, password):
+ # get user key
+ user_key = query_db('select key from users where email = ?', (email,),
+ one=True)
+ if not user_key:
+ # no such user
+ return None
+ user_key = user_key['key']
+ # try password
+ return query_db('select * from users where email = ? and password = ?',
+ [email, crypt(password, user_key)], one=True)
def connect_user(user):
session['user'] = user
def disconnect_user():
session.pop('user', None)
-def crypt(passwd):
- return hashlib.sha1(passwd).hexdigest()
+def crypt(passwd, user_key):
+ # the per-user salt should not be stored in the db
+ # storing the passwd... but this is better than nothing
+ per_user_salt = hashlib.sha1(user_key).hexdigest()
+ salt_passwd = '%s%s%s' % (app.config['PASSWD_SALT'], per_user_salt, passwd)
+ return hashlib.sha1(salt_passwd).hexdigest()
def keygen():
return hashlib.sha1(os.urandom(24)).hexdigest()
if user is None:
flash('Cet utilisateur n\'existe pas !', 'error')
else:
- key = keygen()
+ key = 'v%s' % keygen() # start with v: valid key
g.db.execute('update users set key = ? where id = ?', [key, user['id']])
g.db.commit()
link = request.url_root + url_for('login_key', userid=user['id'], key=key)
@app.route('/login/<userid>/<key>')
def login_key(userid, key):
user = query_db('select * from users where id = ? and key = ?', [userid, key], one=True)
- if user is None or user['key'] == "invalid":
+ if user is None or user['key'][0] != "v":
abort(404)
else:
connect_user(user)
- g.db.execute('update users set key = "invalid" where id = ?', [user['id']])
- g.db.commit()
flash(u"Veuillez mettre à jour votre mot de passe", 'info')
return redirect(url_for('user_password', userid=user['id']))
abort(401)
if request.method == 'POST':
if request.form['password'] == request.form['password2']:
- g.db.execute('update users set password = ? where id = ?', [crypt(request.form['password']), session['user']['id']])
+ # new (invalid) key
+ key = 'i%s' % keygen() # start with i: invalid key
+ print "\n\nchange key for %s\n" % key # FIXME TMP
+ g.db.execute('update users set password = ?, key = ? where id = ?',
+ [crypt(request.form['password'], key),
+ key, session['user']['id']])
g.db.commit()
flash(u'Votre mot de passe a été mis à jour.', 'success')
else:
if query_db('select * from users where email=?', [request.form['email']], one=True) is None:
if request.form['username']:
if query_db('select * from users where name=?', [request.form['username']], one=True) is None:
- password = keygen()
admin = 0
if 'admin' in request.form.keys():
admin = 1
- key = keygen()
+ key = 'v%s' % keygen()
g.db.execute('insert into users (email, name, organization, password, is_admin, key) values (?, ?, ?, ?, ?, ?)',
- [request.form['email'], request.form['username'], request.form['organization'], password, admin, key])
+ [request.form['email'],
+ request.form['username'],
+ request.form['organization'],
+ '', admin, key])
g.db.commit()
user = query_db('select * from users where email = ?', [request.form["email"]], one=True)
if user:
-- Test data
-INSERT INTO users (id, email, password, name, organization, is_admin, key) VALUES (1, "admin@admin.fr", "d033e22ae348aeb5660fc2140aec35850c4da997", "Toto (admin) Tata", "World corp", 1, "test"); -- mdp = admin
+INSERT INTO users (id, email, password, name, organization, is_admin, key)
+VALUES (1, "admin@admin.fr", "", "Toto (admin) Tata", "World corp", 1, "victory");
+-- to login, go to /login/1/victory
INSERT INTO groups (id, name, system) VALUES (1, "Tous", 1);
INSERT INTO groups (name) VALUES ("CA");
INSERT INTO groups (name) VALUES ("Membres");
INSERT INTO user_group (id_user, id_group) VALUES(1, 1);
-