# HG changeset patch
# User Mads Kiilerich
# Date 1448585219 -3600
# Node ID 6c7efed20abc43d5e330d5063dfbb80273c403ff
# Parent 87aef0cb5a6a21285b1bd6f9ffe8e37c4b5739ab
auth: only local passwords can be reset

Do for password reset what de9a3152c206 did for password change.

diff -r 87aef0cb5a6a -r 6c7efed20abc kallithea/model/user.py
--- a/kallithea/model/user.py	Fri Nov 27 01:39:21 2015 +0100
+++ b/kallithea/model/user.py	Fri Nov 27 01:46:59 2015 +0100
@@ -278,6 +278,11 @@
         from kallithea.lib.hooks import log_delete_user
         log_delete_user(user.get_dict(), cur_user)
 
+    def can_change_password(self, user):
+        from kallithea.lib import auth_modules
+        managed_fields = auth_modules.get_managed_fields(user)
+        return 'password' not in managed_fields
+
     def get_reset_password_token(self, user, timestamp, session_id):
         """
         The token is a 40-digit hexstring, calculated as a HMAC-SHA1.
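Review bot: `can_change_password` is a new public method on the model with no docstring, and its one-line body hides the policy it encodes. I would add `"""Return True if the password of *user* is stored locally and may be changed here; False when the user's auth module lists 'password' among the fields it manages (auth_modules.get_managed_fields)."""`. The function-scope `from kallithea.lib import auth_modules` presumably works around an import cycle; a short `# local import: avoids a circular import with auth_modules` would stop the next reader from hoisting it. The enclosing class begins before the hunk.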
@@ -332,18 +337,21 @@
         user = User.get_by_email(user_email)
         timestamp = int(time.time())
         if user is not None:
-            log.debug('password reset user %s found', user)
-            token = self.get_reset_password_token(user,
-                                                  timestamp,
-                                                  h.authentication_token())
-            # URL must be fully qualified; but since the token is locked to
-            # the current browser session, we must provide a URL with the
-            # current scheme and hostname, rather than the canonical_url.
-            link = h.url('reset_password_confirmation', qualified=True,
-                         email=user_email,
-                         timestamp=timestamp,
-                         token=token)
-
+            if self.can_change_password(user):
+                log.debug('password reset user %s found', user)
+                token = self.get_reset_password_token(user,
+                                                      timestamp,
+                                                      h.authentication_token())
+                # URL must be fully qualified; but since the token is locked to
+                # the current browser session, we must provide a URL with the
+                # current scheme and hostname, rather than the canonical_url.
+                link = h.url('reset_password_confirmation', qualified=True,
+                             email=user_email,
+                             timestamp=timestamp,
+                             token=token)
+            else:
+                log.debug('password reset user %s found but was managed', user)
+                token = link = None
             reg_type = EmailNotificationModel.TYPE_PASSWORD_RESET
             body = EmailNotificationModel().get_email_tmpl(
                 reg_type, 'txt',
@@ -397,6 +405,8 @@
         from kallithea.lib import auth
         user = User.get_by_email(user_email)
         if user is not None:
+            if not self.can_change_password(user):
+                raise Exception('trying to change password for external user')
             user.password = auth.get_crypt_password(new_passwd)
             Session().add(user)
             Session().commit()
diff -r 87aef0cb5a6a -r 6c7efed20abc kallithea/templates/email_templates/password_reset.html
--- a/kallithea/templates/email_templates/password_reset.html	Fri Nov 27 01:39:21 2015 +0100
+++ b/kallithea/templates/email_templates/password_reset.html	Fri Nov 27 01:46:59 2015 +0100
@@ -4,9 +4,13 @@
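Review bot: `token = link = None` in the new `else` branch is a protocol the two e-mail templates rely on (`%if reset_token is None:`), but nothing in user.py says so, and a later reader could easily treat a None link as a bug to fix. I would add above it `# None makes the password_reset templates explain that the account is managed externally instead of rendering a reset link`. Keeping one send path for both branches, as the patch does, is worth a comment too, since it means a requester learns nothing from the reply about whether an address belongs to a managed account. What happens when no user matches the address, and the start of the method, are outside the hunk.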
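Review bot: `raise Exception('trying to change password for external user')` in the new guard uses the bare base class, so the confirmation caller cannot tell this policy rejection from any other failure, and nothing is logged. Because the previous hunk never issues a token for a managed user, reaching this line means a token was accepted for an account whose password lives elsewhere, which deserves a warning before raising; I would write `log.warning('refusing password reset for %s: password is managed externally', user)` followed by `raise ValueError('trying to change password for external user')` (or a dedicated exception class if the project has one). The enclosing method's signature and the rest of its body are outside the hunk.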

${_('Hello %s') % user}

${_('We have received a request to reset the password for your account.')}

+%if reset_token is None: +

${_('This account is however managed outside this system and the password cannot be changed here.')}

+%else:

${_('To set a new password, click the following link')}:

${reset_url}

${_("Should you not be able to use the link above, please type the following code into the password reset form")}: ${reset_token}

+%endif

${_("If it weren't you who requested the password reset, just disregard this message.")}

diff -r 87aef0cb5a6a -r 6c7efed20abc kallithea/templates/email_templates/password_reset.txt
--- a/kallithea/templates/email_templates/password_reset.txt	Fri Nov 27 01:39:21 2015 +0100
+++ b/kallithea/templates/email_templates/password_reset.txt	Fri Nov 27 01:46:59 2015 +0100
@@ -3,11 +3,15 @@
 ${_('Hello %s') % user|n,unicode}
-${_('We have received a request to reset the password for your account..')|n,unicode}
+${_('We have received a request to reset the password for your account.')|n,unicode}
+%if reset_token is None:
+${_('This account is however managed outside this system and the password cannot be changed here.')|n,unicode}
+%else:
 ${_('To set a new password, click the following link')|n,unicode}:
 ${reset_url|n,unicode}
 ${_("Should you not be able to use the link above, please type the following code into the password reset form")|n,unicode}: ${reset_token|n,unicode}
+%endif
 ${_("If it weren't you who requested the password reset, just disregard this message.")|n,unicode}
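Review bot: Changing the msgid from 'account..' to 'account.' in the `-`/`+` pair at the top of the hunk orphans any existing translation of the old string; if the project ships translation catalogues they need the same correction, and this changeset does not appear to include it. The corrected string now matches the one already used in password_reset.html, so both templates can share a single translation. The `%if reset_token is None:` branch otherwise mirrors the html template and depends on the model passing None for managed accounts.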