[ui][views] Inform blocked account user of successful login attempts

Fixes #551

[ui][views] Inform blocked account user of successful login attempts
Fixes #551
1c0d7c3e · Flavio TARSETTI · 6fe859b8 · 1c0d7c3e · 1c0d7c3e
Commit 1c0d7c3e authored May 20, 2020 by Flavio TARSETTI
Showing with 29 additions and 2 deletions

beat/web/ui/registration/templates/registration/mail.blocked_user_access_attempt.message.txt ...registration/mail.blocked_user_access_attempt.message.txt +2 -2

beat/web/ui/views.py beat/web/ui/views.py +27 -0

No files found.
--- a/beat/web/ui/registration/templates/registration/mail.blocked_user_access_attempt.message.txt
+++ b/beat/web/ui/registration/templates/registration/mail.blocked_user_access_attempt.message.txt
 Dear {{ user.first_name }} {{ user.last_name }} (username:{{ user.username }}),

-This is to inform you that a successful login attempt has been made on your personal blocked account
+This is to inform you that a successful login attempt has been made on your personal account
 at the Idiap Research Institute's Biometric Evaluation and Testing (BEAT) platform. If this wasn't an
 action from you, we advise you to contact an admin of the platform or to re-activate your account as
 explained below and change your password.

 If this was a valid attempt and you actually tried to login, we remind you that your account
-is currently blocked as no valid supervison is in place for you account at the moment.
+is currently blocked as no valid supervison is in place for your account at the moment.
 This is mandatory in order to use the platform.
 Please go to the following page and provide a valid supervisor who could accept your supervision request:
 {{ prefix }}{% url 'blocked_user_reactivation' %}

--- a/beat/web/ui/views.py
+++ b/beat/web/ui/views.py
@@ -79,6 +79,33 @@ def index(request):
 def login(request):
    """Login page"""

+    if request.method == "POST":
+        authentication_match = False
+        try:
+            user = User.objects.get(username=request.POST["username"])
+        except User.DoesNotExist:
+            # No specific action is required here
+            # Possible future step: DOS/DDOS Brute-Force attack detection
+            pass
+        else:
+            authentication_match = user.check_password(request.POST["password"])
+
+            if authentication_match and user.profile.status == Profile.BLOCKED:
+                parsed_url = urlparse(settings.URL_PREFIX)
+                server_address = "%s://%s" % (parsed_url.scheme, parsed_url.hostname,)
+
+                context = {
+                    "user": user,
+                    "prefix": server_address,
+                }
+
+                mail.send_email(
+                    "registration/mail.blocked_user_access_attempt.subject.txt",
+                    "registration/mail.blocked_user_access_attempt.message.txt",
+                    context,
+                    [user.email],
+                )
+
    response = django_login(request)
    if request.user.is_authenticated():
        path = request.GET.get("next", "/")