Merge branch '551_blocked_accounts_login_attempts' into 'master'

Notify blocked account user of a successful login attempt and re-activation account steps Closes #551 See merge request !331

Merge branch '551_blocked_accounts_login_attempts' into 'master'
Notify blocked account user of a successful login attempt and re-activation account steps Closes #551 See merge request !331
1c8cd555 · Samuel GAIST · ee15fdd5 · 1c0d7c3e · 1c8cd555 · 1c8cd555
Commit 1c8cd555 authored May 26, 2020 by Samuel GAIST
3 changed files
--- a/beat/web/ui/registration/templates/registration/mail.blocked_user_access_attempt.message.txt
+++ b/beat/web/ui/registration/templates/registration/mail.blocked_user_access_attempt.message.txt
+Dear {{ user.first_name }} {{ user.last_name }} (username:{{ user.username }}),
+
+This is to inform you that a successful login attempt has been made on your personal account
+at the Idiap Research Institute's Biometric Evaluation and Testing (BEAT) platform. If this wasn't an
+action from you, we advise you to contact an admin of the platform or to re-activate your account as
+explained below and change your password.
+
+If this was a valid attempt and you actually tried to login, we remind you that your account
+is currently blocked as no valid supervison is in place for your account at the moment.
+This is mandatory in order to use the platform.
+Please go to the following page and provide a valid supervisor who could accept your supervision request:
+{{ prefix }}{% url 'blocked_user_reactivation' %}
+
+BEAT Administrators at the Idiap Research Institute
--- a/beat/web/ui/registration/templates/registration/mail.blocked_user_access_attempt.subject.txt
+++ b/beat/web/ui/registration/templates/registration/mail.blocked_user_access_attempt.subject.txt
+Access attempt on your personal blocked account
--- a/beat/web/ui/views.py
+++ b/beat/web/ui/views.py
@@ -79,6 +79,33 @@ def index(request):
 def login(request):
    """Login page"""

+    if request.method == "POST":
+        authentication_match = False
+        try:
+            user = User.objects.get(username=request.POST["username"])
+        except User.DoesNotExist:
+            # No specific action is required here
+            # Possible future step: DOS/DDOS Brute-Force attack detection
+            pass
+        else:
+            authentication_match = user.check_password(request.POST["password"])
+
+            if authentication_match and user.profile.status == Profile.BLOCKED:
+                parsed_url = urlparse(settings.URL_PREFIX)
+                server_address = "%s://%s" % (parsed_url.scheme, parsed_url.hostname,)
+
+                context = {
+                    "user": user,
+                    "prefix": server_address,
+                }
+
+                mail.send_email(
+                    "registration/mail.blocked_user_access_attempt.subject.txt",
+                    "registration/mail.blocked_user_access_attempt.message.txt",
+                    context,
+                    [user.email],
+                )
+
    response = django_login(request)
    if request.user.is_authenticated():
        path = request.GET.get("next", "/")