zulip/zerver/forms.py

from __future__ import absolute_import

from django import forms
from django.core.exceptions import ValidationError
from django.utils.safestring import mark_safe
from django.contrib.auth.forms import SetPasswordForm, AuthenticationForm, \
    PasswordResetForm
from django.conf import settings

import logging

from zerver.models import Realm, get_user_profile_by_email, UserProfile, \
    completely_open, resolve_email_to_domain, get_realm, get_unique_open_realm
from zerver.lib.actions import do_change_password, is_inactive
from zproject.backends import password_auth_enabled
import DNS

SIGNUP_STRING = u'Your e-mail does not match any existing open organization. ' + \
                u'Use a different e-mail address, or contact %s with questions.' % (settings.ZULIP_ADMINISTRATOR,)
if settings.ZULIP_COM:
    SIGNUP_STRING = u'Your e-mail does not match any existing organization. <br />' + \
                    u"The zulip.com service is not taking new customer teams. <br /> " + \
                    u"<a href=\"https://blogs.dropbox.com/tech/2015/09/open-sourcing-zulip-a-dropbox-hack-week-project/\">Zulip is open source</a>, so you can install your own Zulip server " + \
                    u"by following the instructions on <a href=\"https://www.zulip.org\">www.zulip.org</a>!"

def has_valid_realm(value):
    # Checks if there is a realm without invite_required
    # matching the domain of the input e-mail.
    realm = get_realm(resolve_email_to_domain(value))
    return realm is not None and not realm.invite_required

def not_mit_mailing_list(value):
    # I don't want ec-discuss signed up for Zulip
    if "@mit.edu" in value:
        username = value.rsplit("@", 1)[0]
        # Check whether the user exists and can get mail.
        try:
            DNS.dnslookup("%s.pobox.ns.athena.mit.edu" % username, DNS.Type.TXT)
            return True
        except DNS.Base.ServerError as e:
            if e.rcode == DNS.Status.NXDOMAIN:
                raise ValidationError(mark_safe(u'That user does not exist at MIT or is a <a href="https://ist.mit.edu/email-lists">mailing list</a>. If you want to sign up an alias for Zulip, <a href="mailto:support@zulip.com">contact us</a>.'))
            else:
                raise
    return True

class RegistrationForm(forms.Form):
    full_name = forms.CharField(max_length=100)
    # The required-ness of the password field gets overridden if it isn't
    # actually required for a realm
    password = forms.CharField(widget=forms.PasswordInput, max_length=100,
                               required=False)
    if not settings.VOYAGER:
        terms = forms.BooleanField(required=True)


class ToSForm(forms.Form):
    full_name = forms.CharField(max_length=100)
    terms = forms.BooleanField(required=True)

class HomepageForm(forms.Form):
    # This form is important because it determines whether users can
    # register for our product. Be careful when modifying the
    # validators.
    email = forms.EmailField(validators=[is_inactive,])

    def __init__(self, *args, **kwargs):
        self.domain = kwargs.get("domain")
        if "domain" in kwargs:
            del kwargs["domain"]
        super(HomepageForm, self).__init__(*args, **kwargs)

    def clean_email(self):
        data = self.cleaned_data['email']
        if (get_unique_open_realm() or
            completely_open(self.domain) or
            (has_valid_realm(data) and not_mit_mailing_list(data))):
            return data
        raise ValidationError(mark_safe(SIGNUP_STRING))

class LoggingSetPasswordForm(SetPasswordForm):
    def save(self, commit=True):
        do_change_password(self.user, self.cleaned_data['new_password1'],
                           log=True, commit=commit)
        return self.user

class ZulipPasswordResetForm(PasswordResetForm):
    def get_users(self, email):
        """Given an email, return matching user(s) who should receive a reset.

        This is modified from the original in that it allows non-bot
        users who don't have a usable password to reset their
        passwords.
        """
        if not password_auth_enabled:
            logging.info("Password reset attempted for %s even though password auth is disabled." % (email,))
            return []
        result = UserProfile.objects.filter(email__iexact=email, is_active=True,
                                            is_bot=False)
        if len(result) == 0:
            logging.info("Password reset attempted for %s; no active account." % (email,))
        return result

class CreateUserForm(forms.Form):
    full_name = forms.CharField(max_length=100)
    email = forms.EmailField()

class OurAuthenticationForm(AuthenticationForm):
    def clean_username(self):
        email = self.cleaned_data['username']
        try:
            user_profile = get_user_profile_by_email(email)
        except UserProfile.DoesNotExist:
            return email

        if user_profile.realm.deactivated:
            error_msg = u"""Sorry for the trouble, but %s has been deactivated.

Please contact %s to reactivate this group.""" % (
                user_profile.realm.name,
                settings.ZULIP_ADMINISTRATOR)
            raise ValidationError(mark_safe(error_msg))

        return email
Enable absolute imports. See PEP 328[1] for details. This feature was introduced in Python 2.5 and will become mandatory in Python 3. [1]: http://www.python.org/dev/peps/pep-0328 (imported from commit 7444eeba8a08d5f91b94c7921848f2274979bd76) 2013-04-23 18:51:17 +02:00			`from __future__ import absolute_import`

Initial Django commit: basic account, zephyr stream, narrowing, etc. (imported from commit 3cd40521171a4020c19021eda0d20ee9f802af41) 2012-08-28 18:44:51 +02:00			`from django import forms`
Add a custom validator to ensure email uniqueness, include ommitted fields. Previously no check was performed to ensure that the same email wasn't used to register twice. Here we add a validator to perform that check. We also noted that the domain field was omitted, but checked by a client of this class. Therefore, we add it directly. (imported from commit 1411bf0adeb3cd048278376b059a26a0da4c54df) 2012-09-26 20:08:39 +02:00			`from django.core.exceptions import ValidationError`
Always allow registration if attempting to register for a non-MIT realm. (imported from commit 00489ab74c376a4ffb23ad661699ef31c6c06818) 2012-11-21 21:14:55 +01:00			`from django.utils.safestring import mark_safe`
Allow users who haven't set a password to set one. Previously, if a user had only authenticated via Google auth, they would be unable to reset their password in order to set one (which is needed to setup the mobile apps, for example). 2016-04-28 23:07:41 +02:00			`from django.contrib.auth.forms import SetPasswordForm, AuthenticationForm, \`
			`PasswordResetForm`
Don't make enterprise users agree to the ToS (imported from commit 2d01de949210a14edb5bef949d59a8495136ecac) 2013-11-13 23:23:37 +01:00			`from django.conf import settings`
Always allow registration if attempting to register for a non-MIT realm. (imported from commit 00489ab74c376a4ffb23ad661699ef31c6c06818) 2012-11-21 21:14:55 +01:00
Add logging for failures in password reset form. This may be useful for monitoring abuse issues. 2016-04-28 23:13:59 +02:00			`import logging`

Move domain validation from a form field validator to a data cleaning check. We need to be able to let a user through if they are trying to sign up for a completely open realm like CUSTOMER3. (imported from commit 1e33ab0ce94545f217739d501e9227dfb48e1123) 2013-08-07 17:59:45 +02:00			`from zerver.models import Realm, get_user_profile_by_email, UserProfile, \`
Fix support for having a unique, open realm. The previous implementation didn't work because HomepageForm rejected the email as not having a domain. Additionally, the logic in accounts_register didn't work with Google auth because that code path doesn't pass through accounts_home. Since whether there's a unique open realm for the server is effectively a configuration property, we can fix the bug and make the logic clearer by moving it into the "figure out the user's realm" function. 2015-12-28 21:37:24 +01:00			`completely_open, resolve_email_to_domain, get_realm, get_unique_open_realm`
[manual] Allow signups for emails held by non-MIT mirror dummy accounts. Before this is deployed to prod, we need to manually frob our database to set the is_mirror_dummy=True bit for all existing mirror users. (imported from commit 39f1938cef091cf1d7d97307f76b137fe1d92b6c) 2014-01-07 19:13:45 +01:00			`from zerver.lib.actions import do_change_password, is_inactive`
Don't prompt for a password if password auth is disabled (imported from commit d696c9f6de2008c177fa3282383257de15aaeb29) 2013-11-13 23:23:59 +01:00			`from zproject.backends import password_auth_enabled`
Allow any user with a @mit.edu to register for Zulip. We add a new validator that ensures that people who sign up with @mit.edu addresses are in fact MIT users. This closes #1612. (imported from commit 1e30794b1615dd57cb0e367d1fa186a877253357) 2013-08-12 00:47:28 +02:00			`import DNS`
Add a custom validator to ensure email uniqueness, include ommitted fields. Previously no check was performed to ensure that the same email wasn't used to register twice. Here we add a validator to perform that check. We also noted that the domain field was omitted, but checked by a client of this class. Therefore, we add it directly. (imported from commit 1411bf0adeb3cd048278376b059a26a0da4c54df) 2012-09-26 20:08:39 +02:00
Clarify on zulip.com signup form that we're not taking new teams. 2015-10-17 18:43:27 +02:00			`SIGNUP_STRING = u'Your e-mail does not match any existing open organization. ' + \`
			`u'Use a different e-mail address, or contact %s with questions.' % (settings.ZULIP_ADMINISTRATOR,)`
			`if settings.ZULIP_COM:`
			`SIGNUP_STRING = u'Your e-mail does not match any existing organization. <br />' + \`
			`u"The zulip.com service is not taking new customer teams. <br /> " + \`
			`u"<a href=\"https://blogs.dropbox.com/tech/2015/09/open-sourcing-zulip-a-dropbox-hack-week-project/\">Zulip is open source</a>, so you can install your own Zulip server " + \`
			`u"by following the instructions on <a href=\"https://www.zulip.org\">www.zulip.org</a>!"`
Always allow registration if attempting to register for a non-MIT realm. (imported from commit 00489ab74c376a4ffb23ad661699ef31c6c06818) 2012-11-21 21:14:55 +01:00
			`def has_valid_realm(value):`
Allow adding users to realms more easily in Dev VM. Include new field on Realm to control whether e-mail invitations are required separately from whether the e-mail domain must match. Allow control of these fields from admin panel. Update logic in registration page to use these fields. (imported from commit edc7f0a4c43b57361d9349e258ad4f217b426f88) 2015-08-20 02:38:32 +02:00			`# Checks if there is a realm without invite_required`
			`# matching the domain of the input e-mail.`
Fix has_valid_realm logic following get_realm refactor. 2015-10-17 18:41:06 +02:00			`realm = get_realm(resolve_email_to_domain(value))`
			`return realm is not None and not realm.invite_required`
Always allow registration if attempting to register for a non-MIT realm. (imported from commit 00489ab74c376a4ffb23ad661699ef31c6c06818) 2012-11-21 21:14:55 +01:00
Allow any user with a @mit.edu to register for Zulip. We add a new validator that ensures that people who sign up with @mit.edu addresses are in fact MIT users. This closes #1612. (imported from commit 1e30794b1615dd57cb0e367d1fa186a877253357) 2013-08-12 00:47:28 +02:00			`def not_mit_mailing_list(value):`
			`# I don't want ec-discuss signed up for Zulip`
			`if "@mit.edu" in value:`
			`username = value.rsplit("@", 1)[0]`
			`# Check whether the user exists and can get mail.`
			`try:`
			`DNS.dnslookup("%s.pobox.ns.athena.mit.edu" % username, DNS.Type.TXT)`
Allow open realm signups with non-real-user MIT addresses. This allows me to use a mail alias with CUSTOMER3, and closes #1671. (imported from commit 581d1145fb112b9d35ad522fa06f81a25b4b8d3b) 2013-08-12 00:55:24 +02:00			`return True`
Apply Python 3 futurize transform lib2to3.fixes.fix_except. 2015-11-01 17:08:33 +01:00			`except DNS.Base.ServerError as e:`
Allow any user with a @mit.edu to register for Zulip. We add a new validator that ensures that people who sign up with @mit.edu addresses are in fact MIT users. This closes #1612. (imported from commit 1e30794b1615dd57cb0e367d1fa186a877253357) 2013-08-12 00:47:28 +02:00			`if e.rcode == DNS.Status.NXDOMAIN:`
			`raise ValidationError(mark_safe(u'That user does not exist at MIT or is a <a href="https://ist.mit.edu/email-lists">mailing list</a>. If you want to sign up an alias for Zulip, <a href="mailto:support@zulip.com">contact us</a>.'))`
			`else:`
			`raise`
Allow open realm signups with non-real-user MIT addresses. This allows me to use a mail alias with CUSTOMER3, and closes #1671. (imported from commit 581d1145fb112b9d35ad522fa06f81a25b4b8d3b) 2013-08-12 00:55:24 +02:00			`return True`
Allow any user with a @mit.edu to register for Zulip. We add a new validator that ensures that people who sign up with @mit.edu addresses are in fact MIT users. This closes #1612. (imported from commit 1e30794b1615dd57cb0e367d1fa186a877253357) 2013-08-12 00:47:28 +02:00
Initial Django commit: basic account, zephyr stream, narrowing, etc. (imported from commit 3cd40521171a4020c19021eda0d20ee9f802af41) 2012-08-28 18:44:51 +02:00			`class RegistrationForm(forms.Form):`
[schema] Collect and display names and e-mail addresses. (imported from commit aa6bceb05fcd5b456c03288cbfed65b14050fe88) 2012-09-11 19:20:01 +02:00			`full_name = forms.CharField(max_length=100)`
Make password_auth_enabled() take a realm object This will actually be used in an upcoming commit. (imported from commit 5d3db685a245899b2523440398f2ed2f0cfec4f4) 2014-03-28 00:45:03 +01:00			`# The required-ness of the password field gets overridden if it isn't`
			`# actually required for a realm`
			`password = forms.CharField(widget=forms.PasswordInput, max_length=100,`
			`required=False)`
ENTERPRISE => VOYAGER. (imported from commit 4f8080b9f506a87ca40bef32e39de5218cba916a) 2015-08-21 11:24:18 +02:00			`if not settings.VOYAGER:`
Don't make enterprise users agree to the ToS (imported from commit 2d01de949210a14edb5bef949d59a8495136ecac) 2013-11-13 23:23:37 +01:00			`terms = forms.BooleanField(required=True)`
Implement confirmation for new user signups. We add a few templates for django-confirmation. We define a "PreregistrationForm" which is validated by accounts_home, which then generates a confirmation object and emails the user. This required creating a new table for a PreregistrationUser with an email and status (confirmed) field. The register function now no longer accepts a "email" field in the form and deals only with confirmation IDs to determine the email used to sign up a user. (imported from commit 4fcde04530aa7ad4de84579668daee7290b424ac) 2012-09-28 22:47:05 +02:00
Make password_auth_enabled() take a realm object This will actually be used in an upcoming commit. (imported from commit 5d3db685a245899b2523440398f2ed2f0cfec4f4) 2014-03-28 00:45:03 +01:00
Add alternative terms acceptance workflow. This view lives at /accounts/accept_terms, and (after getting an acceptance from the user) sends an email to all@ documenting the acceptance. (imported from commit 8f64286ab02887fd6544fa274b2967f6499b6dbc) 2013-01-08 23:26:40 +01:00			`class ToSForm(forms.Form):`
			`full_name = forms.CharField(max_length=100)`
			`terms = forms.BooleanField(required=True)`

Implement confirmation for new user signups. We add a few templates for django-confirmation. We define a "PreregistrationForm" which is validated by accounts_home, which then generates a confirmation object and emails the user. This required creating a new table for a PreregistrationUser with an email and status (confirmed) field. The register function now no longer accepts a "email" field in the form and deals only with confirmation IDs to determine the email used to sign up a user. (imported from commit 4fcde04530aa7ad4de84579668daee7290b424ac) 2012-09-28 22:47:05 +02:00			`class HomepageForm(forms.Form):`
Move domain validation from a form field validator to a data cleaning check. We need to be able to let a user through if they are trying to sign up for a completely open realm like CUSTOMER3. (imported from commit 1e33ab0ce94545f217739d501e9227dfb48e1123) 2013-08-07 17:59:45 +02:00			`# This form is important because it determines whether users can`
			`# register for our product. Be careful when modifying the`
			`# validators.`
Removed confusing ALLOW_REGISTER setting. ALLOW_REGISTER was no longer being used in determining whether you could register for the app, so I've removed it to avoid additional local-dev / production issues. This closes #1613. (imported from commit c928c6d350602d35f745ae1e60d734e4567885fc) 2013-08-12 00:57:54 +02:00			`email = forms.EmailField(validators=[is_inactive,])`
Log password change events via the password reset feature. (imported from commit bbec7074229e8779c81d439d4eef373b5dac9fa7) 2012-12-13 21:08:07 +01:00
Move domain validation from a form field validator to a data cleaning check. We need to be able to let a user through if they are trying to sign up for a completely open realm like CUSTOMER3. (imported from commit 1e33ab0ce94545f217739d501e9227dfb48e1123) 2013-08-07 17:59:45 +02:00			`def __init__(self, args, *kwargs):`
			`self.domain = kwargs.get("domain")`
Apply Python 3 futurize transform lib2to3.fixes.fix_has_key. 2015-11-01 17:10:01 +01:00			`if "domain" in kwargs:`
Move domain validation from a form field validator to a data cleaning check. We need to be able to let a user through if they are trying to sign up for a completely open realm like CUSTOMER3. (imported from commit 1e33ab0ce94545f217739d501e9227dfb48e1123) 2013-08-07 17:59:45 +02:00			`del kwargs["domain"]`
			`super(HomepageForm, self).__init__(args, *kwargs)`

			`def clean_email(self):`
			`data = self.cleaned_data['email']`
Fix support for having a unique, open realm. The previous implementation didn't work because HomepageForm rejected the email as not having a domain. Additionally, the logic in accounts_register didn't work with Google auth because that code path doesn't pass through accounts_home. Since whether there's a unique open realm for the server is effectively a configuration property, we can fix the bug and make the logic clearer by moving it into the "figure out the user's realm" function. 2015-12-28 21:37:24 +01:00			`if (get_unique_open_realm() or`
			`completely_open(self.domain) or`
			`(has_valid_realm(data) and not_mit_mailing_list(data))):`
Move domain validation from a form field validator to a data cleaning check. We need to be able to let a user through if they are trying to sign up for a completely open realm like CUSTOMER3. (imported from commit 1e33ab0ce94545f217739d501e9227dfb48e1123) 2013-08-07 17:59:45 +02:00			`return data`
Clarify on zulip.com signup form that we're not taking new teams. 2015-10-17 18:43:27 +02:00			`raise ValidationError(mark_safe(SIGNUP_STRING))`
Move domain validation from a form field validator to a data cleaning check. We need to be able to let a user through if they are trying to sign up for a completely open realm like CUSTOMER3. (imported from commit 1e33ab0ce94545f217739d501e9227dfb48e1123) 2013-08-07 17:59:45 +02:00
Log password change events via the password reset feature. (imported from commit bbec7074229e8779c81d439d4eef373b5dac9fa7) 2012-12-13 21:08:07 +01:00			`class LoggingSetPasswordForm(SetPasswordForm):`
			`def save(self, commit=True):`
[manual] Authenticate using a user_profile as request.user. When this is deployed to staging, we need to run ./manage.py logout_all_users --realm=humbughq.com When this is deployed to prod, we need to run ./manage.py logout_all_users (imported from commit d6c6ea4b1c347f3d9122742db23c7b67767a7349) 2013-03-29 17:39:53 +01:00			`do_change_password(self.user, self.cleaned_data['new_password1'],`
Log password change events via the password reset feature. (imported from commit bbec7074229e8779c81d439d4eef373b5dac9fa7) 2012-12-13 21:08:07 +01:00			`log=True, commit=commit)`
			`return self.user`
Add json queries for creating and fetching user bots (imported from commit f745a705dedca66cf671ef19d7bc5f46ce70a306) 2013-05-03 00:26:53 +02:00
Allow users who haven't set a password to set one. Previously, if a user had only authenticated via Google auth, they would be unable to reset their password in order to set one (which is needed to setup the mobile apps, for example). 2016-04-28 23:07:41 +02:00			`class ZulipPasswordResetForm(PasswordResetForm):`
			`def get_users(self, email):`
			`"""Given an email, return matching user(s) who should receive a reset.`

			`This is modified from the original in that it allows non-bot`
			`users who don't have a usable password to reset their`
			`passwords.`
			`"""`
			`if not password_auth_enabled:`
Add logging for failures in password reset form. This may be useful for monitoring abuse issues. 2016-04-28 23:13:59 +02:00			`logging.info("Password reset attempted for %s even though password auth is disabled." % (email,))`
Allow users who haven't set a password to set one. Previously, if a user had only authenticated via Google auth, they would be unable to reset their password in order to set one (which is needed to setup the mobile apps, for example). 2016-04-28 23:07:41 +02:00			`return []`
Add logging for failures in password reset form. This may be useful for monitoring abuse issues. 2016-04-28 23:13:59 +02:00			`result = UserProfile.objects.filter(email__iexact=email, is_active=True,`
			`is_bot=False)`
			`if len(result) == 0:`
			`logging.info("Password reset attempted for %s; no active account." % (email,))`
			`return result`
Allow users who haven't set a password to set one. Previously, if a user had only authenticated via Google auth, they would be unable to reset their password in order to set one (which is needed to setup the mobile apps, for example). 2016-04-28 23:07:41 +02:00
Add admin API endpoint for creating users. (imported from commit a8b919c7d21b28dfd75b6b95736a375874ead15f) 2013-12-09 22:26:10 +01:00			`class CreateUserForm(forms.Form):`
Add json queries for creating and fetching user bots (imported from commit f745a705dedca66cf671ef19d7bc5f46ce70a306) 2013-05-03 00:26:53 +02:00			`full_name = forms.CharField(max_length=100)`
			`email = forms.EmailField()`
Show users in deactivated realms an error page when they try to log in. (imported from commit 6de839ae944b8c76715361c2211cd759d78f4f1a) 2014-01-07 19:51:18 +01:00
			`class OurAuthenticationForm(AuthenticationForm):`
			`def clean_username(self):`
			`email = self.cleaned_data['username']`
			`try:`
			`user_profile = get_user_profile_by_email(email)`
			`except UserProfile.DoesNotExist:`
Fix OurAuthenticationForm return value for invalid accounts. (imported from commit 10461554bec5d86d2ab768177762f11cd905e0f3) 2014-01-09 16:27:01 +01:00			`return email`
Show users in deactivated realms an error page when they try to log in. (imported from commit 6de839ae944b8c76715361c2211cd759d78f4f1a) 2014-01-07 19:51:18 +01:00
			`if user_profile.realm.deactivated:`
			`error_msg = u"""Sorry for the trouble, but %s has been deactivated.`

Use settings.ZULIP_ADMINISTRATOR as contact list for deactivated users. 2015-09-30 02:58:50 +02:00			`Please contact %s to reactivate this group.""" % (`
			`user_profile.realm.name,`
			`settings.ZULIP_ADMINISTRATOR)`
Show users in deactivated realms an error page when they try to log in. (imported from commit 6de839ae944b8c76715361c2211cd759d78f4f1a) 2014-01-07 19:51:18 +01:00			`raise ValidationError(mark_safe(error_msg))`

			`return email`