Add check to force users to change password (#2284)

src/pretix/base/forms/user.py

@@ -55,6 +55,7 @@ class UserSettingsForm(forms.ModelForm):
         'pw_current_wrong': _("The current password you entered was not correct."),
         'pw_mismatch': _("Please enter the same password twice"),
         'rate_limit': _("For security reasons, please wait 5 minutes before you try again."),
+        'pw_equal': _("Please choose a password different to your current one.")
     }
 
     old_pw = forms.CharField(max_length=255,
@@ -158,6 +159,12 @@ class UserSettingsForm(forms.ModelForm):
                 code='pw_current'
             )
 
+        if password1 and password1 == old_pw:
+            raise forms.ValidationError(
+                self.error_messages['pw_equal'],
+                code='pw_equal'
+            )
+
         if password1:
             self.instance.set_password(password1)
 

src/pretix/base/migrations/0202_user_needs_password_change.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.2.9 on 2021-11-04 13:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0201_invoiceline_event_location'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='needs_password_change',
+            field=models.BooleanField(default=False),
+        ),
+    ]

src/pretix/base/models/auth.py

@@ -113,6 +113,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
     :type date_joined: datetime
     :param locale: The user's preferred locale code.
     :type locale: str
+    :param needs_password_change: Whether this user's password needs to be changed.
+    :type needs_password_change: bool
     :param timezone: The user's preferred timezone.
     :type timezone: str
     """
@@ -130,6 +132,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
                                    verbose_name=_('Is site admin'))
     date_joined = models.DateTimeField(auto_now_add=True,
                                        verbose_name=_('Date joined'))
+    needs_password_change = models.BooleanField(default=False,
+                                                verbose_name=_('Force user to select a new password'))
     locale = models.CharField(max_length=50,
                               choices=settings.LANGUAGES,
                               default=settings.LANGUAGE_CODE,

src/pretix/control/forms/users.py

@@ -70,6 +70,7 @@ class UserEditForm(forms.ModelForm):
             'require_2fa',
             'is_active',
             'is_staff',
+            'needs_password_change',
             'last_login'
         ]
 

src/pretix/control/middleware.py

@@ -69,6 +69,11 @@ class PermissionMiddleware:
         "user.settings.notifications.off",
     )
 
+    EXCEPTIONS_FORCED_PW_CHANGE = (
+        "user.settings",
+        "auth.logout"
+    )
+
     EXCEPTIONS_2FA = (
         "user.settings.2fa",
         "user.settings.2fa.add",
@@ -130,6 +135,9 @@ class PermissionMiddleware:
             if url_name not in ('user.reauth', 'auth.logout'):
                 return redirect(reverse('control:user.reauth') + '?next=' + quote(request.get_full_path()))
 
+        if request.user.needs_password_change and url_name not in self.EXCEPTIONS_FORCED_PW_CHANGE:
+            return redirect(reverse('control:user.settings') + '?next=' + quote(request.get_full_path()))
+
         if not request.user.require_2fa and settings.PRETIX_OBLIGATORY_2FA \
                 and url_name not in self.EXCEPTIONS_2FA:
             return redirect(reverse('control:user.settings.2fa'))

src/pretix/control/templates/pretixcontrol/base.html

@@ -429,6 +429,15 @@
                         </div>
                     {% endif %}
 
+                    {% if request.user.needs_password_change %}
+                        <div class="alert alert-warning">
+                            {% blocktrans trimmed %}
+                                For security reasons, please change your password before you continue. Afterwards you
+                                will be redirected to your original destination.
+                            {% endblocktrans %}
+                        </div>
+                    {% endif %}
+
                     {% block content %}
                     {% endblock %}
                     <footer>

src/pretix/control/templates/pretixcontrol/users/create.html

@@ -19,6 +19,7 @@
             {% bootstrap_field form.email layout='control' %}
             {% bootstrap_field form.new_pw layout='control' %}
             {% bootstrap_field form.new_pw_repeat layout='control' %}
+            {% bootstrap_field form.needs_password_change layout='control' %}
         </fieldset>
         <div class="form-group submit-group">
             <button type="submit" class="btn btn-primary btn-save">

src/pretix/control/templates/pretixcontrol/users/form.html

@@ -45,6 +45,7 @@
                     {% endif %}
                     {% bootstrap_field form.last_login layout='control' %}
                     {% bootstrap_field form.require_2fa layout='control' %}
+                    {% bootstrap_field form.needs_password_change layout='control' %}
                 </fieldset>
                 <fieldset>
                     <legend>{% trans "Team memberships" %}</legend>

src/pretix/control/views/user.py

@@ -226,6 +226,7 @@ class UserSettings(UpdateView):
         msgs = []
 
         if 'new_pw' in form.changed_data:
+            self.request.user.needs_password_change = False
             msgs.append(_('Your password has been changed.'))
 
         if 'email' in form.changed_data:
@@ -243,6 +244,8 @@ class UserSettings(UpdateView):
         return sup
 
     def get_success_url(self):
+        if "next" in self.request.GET and url_has_allowed_host_and_scheme(self.request.GET.get("next"), allowed_hosts=None):
+            return self.request.GET.get("next")
         return reverse('control:user.settings')