完善contest权限控制

2017-10-27 18:36:29 +08:00
parent b694000ab9
commit 728373a5ff
19 changed files with 219 additions and 162 deletions
--- a/account/views/oj.py
+++ b/account/views/oj.py
@@ -21,7 +21,7 @@ from ..models import User, UserProfile
 from ..serializers import (ApplyResetPasswordSerializer, ResetPasswordSerializer,
                           UserChangePasswordSerializer, UserLoginSerializer,
                           UserRegisterSerializer, UsernameOrEmailCheckSerializer,
-                           RankInfoSerializer)
+                           RankInfoSerializer, UserChangeEmailSerializer)
 from ..serializers import (TwoFactorAuthCodeSerializer, UserProfileSerializer,
                           EditUserProfileSerializer, AvatarUploadForm)
 from ..tasks import send_email_async
@@ -176,11 +176,6 @@ class UserLoginAPI(APIView):
        else:
            return self.error("Invalid username or password")

-    # todo remove this, only for debug use
-    def get(self, request):
-        auth.login(request, auth.authenticate(username=request.GET["username"], password=request.GET["password"]))
-        return self.success()
-

 class UserLogoutAPI(APIView):
    def get(self, request):
@@ -233,6 +228,27 @@ class UserRegisterAPI(APIView):
        return self.success("Succeeded")


+class UserChangeEmailAPI(APIView):
+    @validate_serializer(UserChangeEmailSerializer)
+    @login_required
+    def post(self, request):
+        data = request.data
+        user = auth.authenticate(username=request.user.username, password=data["password"])
+        if user:
+            if user.two_factor_auth:
+                if "tfa_code" not in data:
+                    return self.error("tfa_required")
+                if not OtpAuth(user.tfa_token).valid_totp(data["tfa_code"]):
+                    return self.error("Invalid two factor verification code")
+            if User.objects.filter(email=data["new_email"]).exists():
+                return self.error("The email is owned by other account")
+            user.email = data["new_email"]
+            user.save()
+            return self.success("Succeeded")
+        else:
+            return self.error("Wrong password")
+
+
 class UserChangePasswordAPI(APIView):
    @validate_serializer(UserChangePasswordSerializer)
    @login_required
@@ -244,7 +260,11 @@ class UserChangePasswordAPI(APIView):
        username = request.user.username
        user = auth.authenticate(username=username, password=data["old_password"])
        if user:
-            # TODO: check tfa?
+            if user.two_factor_auth:
+                if "tfa_code" not in data:
+                    return self.error("tfa_required")
+                if not OtpAuth(user.tfa_token).valid_totp(data["tfa_code"]):
+                    return self.error("Invalid two factor verification code")
            user.set_password(data["new_password"])
            user.save()
            return self.success("Succeeded")