From ee42cbd32355669304c63cbffe2c9d758e373fc2 Mon Sep 17 00:00:00 2001
From: Alejandro Sirgo Rica <asirgo@soleta.eu>
Date: Wed, 19 Jun 2024 11:17:34 +0200
Subject: views: make password optional in user/edit

Add the option to leave the password fields empty in the form.
When the passwords are not set the user keeps the old password
configuration.
Define a EditUserForm based on UserForm in forms/auth.py to remove
the InputRequired validator in the password fields.
Update the html template to make the password fields optional.
---
 ogcp/forms/auth.py                 |  9 ++++++++-
 ogcp/templates/auth/edit_user.html |  4 ++--
 ogcp/views.py                      | 32 ++++++++++++++++++++------------
 3 files changed, 30 insertions(+), 15 deletions(-)

(limited to 'ogcp')

diff --git a/ogcp/forms/auth.py b/ogcp/forms/auth.py
index 72afe23..d85931b 100644
--- a/ogcp/forms/auth.py
+++ b/ogcp/forms/auth.py
@@ -9,7 +9,7 @@ from wtforms import (
     Form, SubmitField, HiddenField, SelectField, BooleanField, IntegerField,
     StringField, RadioField, PasswordField, SelectMultipleField, widgets
 )
-from wtforms.validators import InputRequired
+from wtforms.validators import InputRequired, Optional
 from flask_wtf import FlaskForm
 from flask_babel import lazy_gettext as _l
 from flask_babel import _
@@ -55,6 +55,13 @@ class UserForm(FlaskForm):
     )
 
 
+class EditUserForm(UserForm):
+    def __init__(self, *args, **kwargs):
+        super(EditUserForm, self).__init__(*args, **kwargs)
+        self.pwd.validators = [Optional()]
+        self.pwd_confirm.validators = [Optional()]
+
+
 class DeleteUserForm(FlaskForm):
     username = HiddenField(
         validators=[InputRequired()]
diff --git a/ogcp/templates/auth/edit_user.html b/ogcp/templates/auth/edit_user.html
index b9e748d..3b10508 100644
--- a/ogcp/templates/auth/edit_user.html
+++ b/ogcp/templates/auth/edit_user.html
@@ -19,12 +19,12 @@
 
     <div class="form-group">
         {{ form.pwd.label(class_='form-label') }}
-        {{ form.pwd(class_='form-control') }}
+        <input type="password" name="pwd" class="form-control" placeholder="{{ _('Leave blank if not changing') }}">
     </div>
 
     <div class="form-group">
         {{ form.pwd_confirm.label(class_='form-label') }}
-        {{ form.pwd_confirm(class_='form-control') }}
+        <input type="password" name="pwd_confirm" class="form-control" placeholder="{{ _('Leave blank if not changing') }}">
     </div>
 
     <div class="form-group form-check">
diff --git a/ogcp/views.py b/ogcp/views.py
index b2c1994..f023d1f 100644
--- a/ogcp/views.py
+++ b/ogcp/views.py
@@ -25,7 +25,7 @@ from flask_login import (
 from pathlib import Path
 
 from ogcp.models import User
-from ogcp.forms.auth import LoginForm, UserForm, DeleteUserForm
+from ogcp.forms.auth import LoginForm, UserForm, DeleteUserForm, EditUserForm
 from ogcp.og_server import OGServer, servers
 from flask_babel import lazy_gettext as _l
 from flask_babel import gettext, _
@@ -2877,14 +2877,17 @@ def delete_server(server):
     return redirect(url_for('manage_servers'))
 
 
-def save_user(form):
+def save_user(form, preserve_pwd):
     username = form.username.data
 
-    pwd_hash = hash_password(form.pwd.data)
-    pwd_hash_confirm = hash_password(form.pwd_confirm.data)
-    if not pwd_hash == pwd_hash_confirm:
-        flash(_('Passwords do not match'), category='error')
-        return redirect(url_for('users'))
+    if preserve_pwd:
+        pwd_hash = form.pwd.data
+    else:
+        pwd_hash = hash_password(form.pwd.data)
+        pwd_hash_confirm = hash_password(form.pwd_confirm.data)
+        if not pwd_hash == pwd_hash_confirm:
+            flash(_('Passwords do not match'), category='error')
+            return redirect(url_for('users'))
 
     admin = form.admin.data
     scopes = form.scopes.data
@@ -2950,7 +2953,7 @@ def user_add_post():
         flash(_('This username already exists'), category='error')
         return redirect(url_for('users'))
 
-    return save_user(form)
+    return save_user(form, preserve_pwd=False)
 
 
 @app.route('/user/edit', methods=['GET'])
@@ -2966,7 +2969,7 @@ def user_edit_get():
         flash(_('User {} do not exists').format(username), category='error')
         return redirect(url_for('users'))
 
-    form = UserForm()
+    form = EditUserForm()
     form.username.data = user.get('USER')
     form.username.render_kw = {'readonly': True}
     form.admin.data = user.get('ADMIN')
@@ -2979,20 +2982,25 @@ def user_edit_get():
 @app.route('/user/edit', methods=['POST'])
 @login_required
 def user_edit_post():
-    form = UserForm(request.form)
+    form = EditUserForm(request.form)
     form.scopes.choices = get_center_choices()
     if not form.validate():
         flash(form.errors, category='error')
         return redirect(url_for('users'))
 
     username = form.username.data
-    if not get_user(username):
+    old_user_data = get_user(username)
+    if not old_user_data:
         flash(_('User {} do not exists').format(username), category='error')
         return redirect(url_for('users'))
 
+    preserve_pwd = (not form.pwd.data and not form.pwd_confirm.data)
+    if preserve_pwd:
+        form.pwd.data = old_user_data.get("PASS")
+
     delete_user(username)
 
-    return save_user(form)
+    return save_user(form, preserve_pwd)
 
 
 @app.route('/user/delete', methods=['GET'])
-- 
cgit v1.2.3-18-g5258