- Changed role name from not_confirmed into unverified

- Added a unique salt into confirmation link for each user
- Added a test

Author: orronai

lms/lmsdb/models.py

@@ -34,7 +34,7 @@
 
 class RoleOptions(enum.Enum):
     BANNED = 'Banned'
-    NOT_CONFIRMED = 'Not_Confirmed'
+    UNVERIFIED = 'Unverified'
     STUDENT = 'Student'
     STAFF = 'Staff'
     VIEWER = 'Viewer'
@@ -68,7 +68,7 @@ class Role(BaseModel):
         (RoleOptions.STAFF.value, RoleOptions.STAFF.value),
         (RoleOptions.VIEWER.value, RoleOptions.VIEWER.value),
         (RoleOptions.STUDENT.value, RoleOptions.STUDENT.value),
-        (RoleOptions.NOT_CONFIRMED.value, RoleOptions.NOT_CONFIRMED.value),
+        (RoleOptions.UNVERIFIED.value, RoleOptions.UNVERIFIED.value),
         (RoleOptions.BANNED.value, RoleOptions.BANNED.value),
     ))
 
@@ -80,8 +80,8 @@ def get_banned_role(cls) -> 'Role':
         return cls.get(Role.name == RoleOptions.BANNED.value)
 
     @classmethod
-    def get_not_confirmed_role(cls) -> 'Role':
-        return cls.get(Role.name == RoleOptions.NOT_CONFIRMED.value)
+    def get_unverified_role(cls) -> 'Role':
+        return cls.get(Role.name == RoleOptions.UNVERIFIED.value)
 
     @classmethod
     def get_student_role(cls) -> 'Role':
@@ -107,8 +107,8 @@ def is_banned(self) -> bool:
         return self.name == RoleOptions.BANNED.value
 
     @property
-    def is_not_confirmed(self) -> bool:
-        return self.name == RoleOptions.NOT_CONFIRMED.value
+    def is_unverified(self) -> bool:
+        return self.name == RoleOptions.UNVERIFIED.value
 
     @property
     def is_student(self) -> bool:

lms/lmsweb/admin.py

@@ -69,6 +69,6 @@ class AdminCommentTextView(AdminModelView):
 admin = Admin(
     webapp,
     name='LMS',
-    template_mode='bootstrap3',
+    template_mode='bootstrap4',
     index_view=MyAdminIndexView(),  # NOQA
 )

lms/lmsweb/config.py.example

@@ -8,6 +8,7 @@ SECRET_KEY = ''
 MAILGUN_API_KEY = os.getenv('MAILGUN_API_KEY')
 MAILGUN_DOMAIN = os.getenv('MAILGUN_DOMAIN', 'mail.pythonic.guru')
 SERVER_ADDRESS = os.getenv('SERVER_ADDRESS', '127.0.0.1:5000')
+SITE_NAME = 'Learning Python'
 
 # MAIL CONFIGURATION
 MAIL_SERVER = 'smtp.gmail.com'
@@ -17,6 +18,9 @@ MAIL_USE_TLS = False
 MAIL_USERNAME = 'username@gmail.com'
 MAIL_PASSWORD = 'password'
 
+# ADMIN PANEL
+FLASK_ADMIN_FLUID_LAYOUT = True
+
 # SESSION_COOKIE_SECURE = True
 SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_SAMESITE = 'Lax'

lms/lmsweb/forms/register.py

@@ -0,0 +1,34 @@
+from flask_babel import gettext as _  # type: ignore
+from flask_wtf import FlaskForm
+from wtforms import PasswordField, StringField
+from wtforms.validators import Email, EqualTo, InputRequired, Length
+
+from lms.lmsweb.tools.validators import (
+    UniqueEmailRequired, UniqueUsernameRequired,
+)
+
+
+class RegisterForm(FlaskForm):
+    email = StringField(
+        'Email', validators=[
+            InputRequired(), Email(message=_('אימייל לא תקין')),
+            UniqueEmailRequired,
+        ],
+    )
+    username = StringField(
+        'Username', validators=[
+            InputRequired(), UniqueUsernameRequired, Length(min=4, max=20),
+        ],
+    )
+    fullname = StringField(
+        'Full Name', validators=[InputRequired(), Length(min=3, max=60)],
+    )
+    password = PasswordField(
+        'Password', validators=[InputRequired(), Length(min=8)], id='password',
+    )
+    confirm = PasswordField(
+        'Password Confirmation', validators=[
+            InputRequired(),
+            EqualTo('password', message=_('הסיסמאות שהוקלדו אינן זהות')),
+        ],
+    )

lms/lmsweb/tools/registration.py

@@ -1,54 +1,16 @@
 import csv
-from lms.lmsweb.tools.validators import (
-    UniqueEmailRequired, UniqueUsernameRequired,
-)
 import os
 import typing
 
-from flask import url_for
 from flask_babel import gettext as _  # type: ignore
-from flask_mail import Message  # type: ignore
-from flask_wtf import FlaskForm
-from itsdangerous import URLSafeTimedSerializer
-from wtforms import PasswordField, StringField
-from wtforms.validators import Email, EqualTo, InputRequired, Length
 
 from lms.lmsdb import models
-from lms.lmsweb import config, webapp, webmail
+from lms.lmsweb import config
 from lms.utils.log import log
 
 import requests
 
 
-SERIALIZER = URLSafeTimedSerializer(config.SECRET_KEY)
-
-
-class RegisterForm(FlaskForm):
-    email = StringField(
-        'Email', validators=[
-            InputRequired(), Email(message=_('אימייל לא תקין')),
-            UniqueEmailRequired, Length(max=60),
-        ],
-    )
-    username = StringField(
-        'Username', validators=[
-            InputRequired(), UniqueUsernameRequired, Length(min=4, max=20),
-        ],
-    )
-    fullname = StringField(
-        'Full Name', validators=[InputRequired(), Length(min=3, max=60)],
-    )
-    password = PasswordField(
-        'Password', validators=[InputRequired(), Length(min=8)], id='password',
-    )
-    confirm = PasswordField(
-        'Password Confirmation', validators=[
-            InputRequired(),
-            EqualTo('password', message=_('הסיסמאות שהוקלדו אינן זהות')),
-        ],
-    )
-
-
 class UserToCreate(typing.NamedTuple):
     name: str
     email: str
@@ -167,22 +129,6 @@ def _build_user_text(user: UserToCreate) -> str:
         return msg
 
 
-def generate_confirmation_token(email: str) -> str:
-    return SERIALIZER.dumps(email, salt='email-confirmation')
-
-
-def send_confirmation_mail(email: str, fullname: str) -> None:
-    token = generate_confirmation_token(email)
-    msg = Message(
-        'Confirmation Email - Learn Python',
-        sender=f'lms@{config.MAILGUN_DOMAIN}', recipients=[email],
-    )
-    link = url_for('confirm_email', token=token, _external=True)
-    msg.body = f'Hey {fullname},\nYour confirmation link is: {link}'
-    if not webapp.config.get('TESTING'):
-        webmail.send(msg)
-
-
 if __name__ == '__main__':
     registration = UserRegistrationCreator.from_csv_file(config.USERS_CSV)
     print(registration.users_to_create)  # noqa: T001

lms/lmsweb/translations/en/LC_MESSAGES/messages.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version:  lmsweb-1.0\n"
 "Report-Msgid-Bugs-To: bugs@mesicka.com\n"
-"POT-Creation-Date: 2021-09-11 09:07+0300\n"
+"POT-Creation-Date: 2021-09-11 19:16+0300\n"
 "PO-Revision-Date: 2020-09-16 18:29+0300\n"
 "Last-Translator: Or Ronai\n"
 "Language: en\n"
@@ -45,36 +45,36 @@ msgstr "The automatic checker couldn't run your code."
 msgid "אחי, בדקת את הקוד שלך?"
 msgstr "Bro, did you check your code?"
 
-#: lmsweb/views.py:113
+#: lmsweb/views.py:115
 #, fuzzy
 msgid "שם המשתמש או הסיסמה שהוזנו לא תקינים"
 msgstr "Invalid username or password"
 
-#: lmsweb/views.py:115
+#: lmsweb/views.py:120
 msgid "עליך לאשר את המייל"
 msgstr "You have to confirm your registration with the link sent to your email"
 
-#: lmsweb/views.py:139
+#: lmsweb/views.py:144
 msgid "ההרשמה בוצעה בהצלחה"
 msgstr "Registration successfully"
 
-#: lmsweb/views.py:165
+#: lmsweb/views.py:168
 msgid "המשתמש שלך אומת בהצלחה, כעת הינך יכול להתחבר למערכת"
 msgstr "Your user has been successfully confirmed, you can now login"
 
-#: lmsweb/views.py:172
+#: lmsweb/views.py:176
 msgid "קישור האימות פג תוקף, קישור חדש נשלח אל תיבת המייל שלך"
 msgstr "The confirmation link is expired, new link has been sent to your email"
 
-#: lmsweb/tools/registration.py:29
+#: lmsweb/forms/register.py:14
 msgid "אימייל לא תקין"
 msgstr "Invalid email"
 
-#: lmsweb/tools/registration.py:47
+#: lmsweb/forms/register.py:32
 msgid "הסיסמאות שהוקלדו אינן זהות"
 msgstr "The passwords are not identical"
 
-#: lmsweb/tools/registration.py:143
+#: lmsweb/tools/registration.py:105
 msgid "מערכת הגשת התרגילים"
 msgstr "Exercuse submission system"
 
@@ -86,6 +86,16 @@ msgstr "The username already in use"
 msgid "האימייל כבר נמצא בשימוש"
 msgstr "The email already in use"
 
+#: models/register.py:31
+#, python-format
+msgid "מייל אימות - %(site_name)s"
+msgstr "Confirmation mail - %(site_name)s"
+
+#: models/register.py:39
+#, python-format
+msgid "שלום %(fullname)s,\n לינק האימות שלך למערכת הוא: %(link)s"
+msgstr "Hello %(fullname)s,\n Your confirmation link is: %(link)s"
+
 #: models/solutions.py:50
 #, python-format
 msgid "%(solver)s הגיב לך על בדיקת תרגיל \"%(subject)s\"."

lms/lmsweb/views.py

@@ -25,17 +25,18 @@
 from lms.lmsweb.config import (
     LANGUAGES, LIMITS_PER_HOUR, LIMITS_PER_MINUTE, LOCALE, MAX_UPLOAD_SIZE,
 )
+from lms.lmsweb.forms.register import RegisterForm
 from lms.lmsweb.manifest import MANIFEST
 from lms.lmsweb.redirections import (
     PERMISSIVE_CORS, get_next_url, login_manager,
 )
-from lms.lmsweb.tools.registration import (
-    RegisterForm, SERIALIZER, send_confirmation_mail,
-)
 from lms.models import (
     comments, notes, notifications, share_link, solutions, upload,
 )
 from lms.models.errors import FileSizeError, LmsError, UploadError, fail
+from lms.models.register import (
+    SERIALIZER, retrieve_salt, send_confirmation_mail,
+)
 from lms.utils.consts import RTL_LANGUAGES
 from lms.utils.files import (
     get_language_name_by_extension, get_mime_type_by_extention,
@@ -102,17 +103,21 @@ def login(login_message: Optional[str] = None):
     if request.method == 'POST':
         if (
             user is not None and user.is_password_valid(password)
-            and not user.role.is_not_confirmed
+            and not user.role.is_unverified
         ):
             login_user(user)
             return get_next_url(next_page)
+
         elif (
             user is None or not user.is_password_valid(password)
-            or user.role.is_not_confirmed
+            or user.role.is_unverified
         ):
             login_message = _('שם המשתמש או הסיסמה שהוזנו לא תקינים')
-            if user is not None and user.role.is_not_confirmed:
-                login_message = _('עליך לאשר את המייל')
+            error_details = {'next': next_page, 'login_message': login_message}
+            return redirect(url_for('login', **error_details))
+
+        elif user.is_unverified:
+            login_message = _('עליך לאשר את המייל')
             error_details = {'next': next_page, 'login_message': login_message}
             return redirect(url_for('login', **error_details))
 
@@ -122,39 +127,37 @@ def login(login_message: Optional[str] = None):
 @webapp.route('/signup', methods=['GET', 'POST'])
 def signup():
     form = RegisterForm()
-    if form.validate_on_submit():
-        User.get_or_create(**{
-            User.mail_address.name: form.email.data,
-            User.username.name: form.username.data,
-        }, defaults={
-            User.fullname.name: form.fullname.data,
-            User.role.name: Role.get_not_confirmed_role(),
-            User.password.name: form.password.data,
-            User.api_key.name: User.random_password(),
-        })
-
-        send_confirmation_mail(form.email.data, form.fullname.data)
-
-        return redirect(url_for(
-            'login', login_message=_('ההרשמה בוצעה בהצלחה'),
-        ))
-
-    return render_template('signup.html', form=form)
+    if not form.validate_on_submit():
+        return render_template('signup.html', form=form)
+
+    user = User.get_or_create(**{
+        User.mail_address.name: form.email.data,
+        User.username.name: form.username.data,
+    }, defaults={
+        User.fullname.name: form.fullname.data,
+        User.role.name: Role.get_unverified_role(),
+        User.password.name: form.password.data,
+        User.api_key.name: User.random_password(),
+    })
+    send_confirmation_mail(user[0])
+    return redirect(url_for(
+        'login', login_message=_('ההרשמה בוצעה בהצלחה'),
+    ))
 
 
-@webapp.route('/confirm-email/<token>')
-def confirm_email(token: str):
+@webapp.route('/confirm-email/<int:user_id>/<token>')
+def confirm_email(user_id: int, token: str):
     try:
-        email = SERIALIZER.loads(
-            token, salt='email-confirmation', max_age=3600,
-        )
-        user = User.get_or_none(User.mail_address == email)
+        user = User.get_or_none(User.id == user_id)
         if user is None:
-            return fail(404, f'No such user with email {email}.')
-        if not user.role.is_not_confirmed:
+            return fail(404, f'No such user with id {user_id}.')
+
+        if not user.role.is_unverified:
             return fail(
                 403, f'User has been already confirmed {user.username}',
             )
+
+        SERIALIZER.loads(token, salt=retrieve_salt(user), max_age=3600)
         update = User.update(
             role=Role.get_student_role(),
         ).where(User.username == user.username)
@@ -165,8 +168,9 @@ def confirm_email(token: str):
                 _('המשתמש שלך אומת בהצלחה, כעת הינך יכול להתחבר למערכת'),
             ),
         ))
+
     except SignatureExpired:
-        send_confirmation_mail(email, user.fullname)
+        send_confirmation_mail(user)
         return redirect(url_for(
             'login', login_message=(
                 _('קישור האימות פג תוקף, קישור חדש נשלח אל תיבת המייל שלך'),