many small fixes

uffd/selfservice/templates/forgot_password.html

@@ -11,11 +11,11 @@
 			<h2 class="text-center">Forgot password</h2>
 		</div>
 		<div class="form-group col-12">
-			<label for="user-loginname">login name</label>
+			<label for="user-loginname">Login Name</label>
 			<input type="text" class="form-control" id="user-loginname" name="loginname" required="required" tabindex = "1">
 		</div>
 		<div class="form-group col-12">
-			<label for="user-mail">mail address</label>
+			<label for="user-mail">Mail Address</label>
 			<input type="text" class="form-control" id="user-mail" name="mail" required="required" tabindex = "2">
 		</div>
 		<div class="form-group col-12">

uffd/selfservice/templates/mailverification.mail.txt

 Hi {{ user.displayname }},
 
 you have requested to change your mail address.
-To do so, visit this url: {{ url_for('selfservice.self_token_mail', token=token, _external=True) }} 
+To confirm the change, please visit this URL: {{ url_for('selfservice.self_token_mail', token=token, _external=True) }} 
 **Please note this link is only valid for 48h**
 
-If you did not request a mail address change, you should change your password asap because somebody else logged in and requested this.
-
 Kind regards,
 uffd

uffd/selfservice/templates/self.html

 {% extends 'base.html' %}
 
 {% block body %}
-<form action="{{ url_for(".self_update") }}" method="POST"
-	onInput="password2.setCustomValidity(password1.value != password2.value ? 'Passwords do not match.' : ''); password1.setCustomValidity(password1.value.length < 8 ? 'Password is too short' : '')">
+<form action="{{ url_for(".self_update") }}" method="POST" onInput="
+	password2.setCustomValidity(password1.value != password2.value ? 'Passwords do not match.' : '');
+	password1.setCustomValidity((password1.value.length < 8 || password1.value.length == 0) ? 'Password is too short' : '') ">
 <div class="align-self-center row">
 	<div class="form-group col-md-6">
-		<label for="user-uid">uid</label>
+		<label for="user-uid">Uid</label>
 		<input type="number" class="form-control" id="user-uid" name="uid" value="{{ user.uid }}" readonly>
 	</div>
 	<div class="form-group col-md-6">
-		<label for="user-loginname">login name</label>
+		<label for="user-loginname">Login Name</label>
 		<input type="text" class="form-control" id="user-loginname" name="loginname" value="{{ user.loginname }}" readonly>
 	</div>
 	<div class="form-group col-md-6">
-		<label for="user-displayname">display name</label>
+		<label for="user-displayname">Display Name</label>
 		<input type="text" class="form-control" id="user-displayname" name="displayname" value="{{ user.displayname }}">
 	</div>
 	<div class="form-group col-md-6">
-		<label for="user-mail">mail</label>
+		<label for="user-mail">Mail</label>
 		<input type="email" class="form-control" id="user-mail" name="mail" value="{{ user.mail }}">
 		<small class="form-text text-muted">
+			We will sent you a confirmation mail to set a new mail address.
 		</small>
 	</div>
 	<div class="form-group col-md-6">
-		<label for="user-password1">password</label>
-		<input type="password" class="form-control" id="user-password1" name="password1" placeholder="do not change">
+		<label for="user-password1">Password</label>
+		<input type="password" class="form-control" id="user-password1" name="password1" placeholder="●●●●●●●●">
 		<small class="form-text text-muted">
 			At least 8 characters, no other special requirements. But please don't be stupid and use a password manager.
 		</small>
 	</div>
 	<div class="form-group col-md-6">
-		<label for="user-password2">password repeat</label>
-		<input type="password" class="form-control" id="user-password2" name="password2" placeholder="do not change">
+		<label for="user-password2">Password Repeat</label>
+		<input type="password" class="form-control" id="user-password2" name="password2" placeholder="●●●●●●●●">
 	</div>
 	<div class="form-group col-md-12">
 		<button type="submit" class="btn btn-primary float-right"><i class="fa fa-save" aria-hidden="true"></i> Save</button>

uffd/selfservice/templates/set_password.html

@@ -11,15 +11,14 @@
 			<h2 class="text-center">Reset password</h2>
 		</div>
 		<div class="form-group col-12">
-			<label for="user-loginname">login name</label>
-			<input type="text" class="form-control" id="user-loginname" name="loginname" required="required" tabindex = "1">
-		</div>
-		<div class="form-group col-12">
-			<label for="user-password1">new password</label>
+			<label for="user-password1">New Password</label>
 			<input type="password" class="form-control" id="user-password1" name="password1" required="required" tabindex = "2">
+			<small class="form-text text-muted">
+				At least 8 characters, no other special requirements. But please don't be stupid and use a password manager.
+			</small>
 		</div>
 		<div class="form-group col-12">
-			<label for="user-password2">new password again</label>
+			<label for="user-password2">Repeat Password</label>
 			<input type="password" class="form-control" id="user-password2" name="password2" required="required" tabindex = "2">
 		</div>
 		<div class="form-group col-12">

uffd/selfservice/views.py

@@ -2,6 +2,7 @@ import datetime
 
 import smtplib
 from email.message import EmailMessage
+import email.utils
 
 from flask import Blueprint, render_template, request, url_for, redirect, flash, current_app
 
@@ -68,19 +69,18 @@ def self_token_password(token):
 			session.delete(dbtoken)
 			session.commit()
 		return redirect(url_for('session.login'))
-	if not 'loginname' in request.values:
-		flash('Please set a new password.')
+	if request.method == 'GET':
 		return render_template('set_password.html', token=token)
-	if not request.values['loginname'] == dbtoken.loginname:
-		flash('That is not the correct login name for this token. Your token is now invalide. Please start the password reset process again')
-		session.delete(dbtoken)
-		session.commit()
-		return redirect(url_for('session.login'))
 	if not request.values['password1']:
-		flash('Please specify a new password.')
+		flash('You need to set a password, please try again.')
+		return render_template('set_password.html', token=token)
+	if not request.values['password1'] == request.values['password2']:
+		flash('Passwords do not match, please try again.')
 		return render_template('set_password.html', token=token)
 	user = User.from_ldap_dn(loginname_to_dn(dbtoken.loginname))
-	user.set_password(request.values['password1'])
+	if not user.set_password(request.values['password1']):
+		flash('Password ist not valid, please try again.')
+		return render_template('set_password.html', token=token)
 	user.to_ldap()
 	flash('New password set')
 	session.delete(dbtoken)
@@ -149,5 +149,7 @@ def send_mail(to_address, msg):
 	server.login(current_app.config['MAIL_USERNAME'], current_app.config['MAIL_PASSWORD'])
 	msg['From'] = current_app.config['MAIL_FROM_ADDRESS']
 	msg['To'] = to_address
+	msg['Date']     = email.utils.formatdate(localtime = 1)
+	msg['Message-ID'] = email.utils.make_msgid()
 	server.send_message(msg)
 	server.quit()

uffd/session/templates/login.html

 {% extends 'base.html' %}
 
 {% block body %}
-<form action="{{ url_for(".login") }}" method="POST">
+<form action="{{ url_for(".login", ref=ref) }}" method="POST">
 <div class="row mt-2 justify-content-center">
 	<div class="col-lg-6 col-md-10" style="background: #f7f7f7; box-shadow: 0px 2px 2px rgba(0, 0, 0, 0.3); padding: 30px;">
 		<div class="text-center">
@@ -11,11 +11,11 @@
 			<h2 class="text-center">Login</h2>
 		</div>
 		<div class="form-group col-12">
-			<label for="user-loginname">login name</label>
+			<label for="user-loginname">Login Name</label>
 			<input type="text" class="form-control" id="user-loginname" name="loginname" required="required" tabindex = "1">
 		</div>
 		<div class="form-group col-12">
-			<label for="user-password1">password</label>
+			<label for="user-password1">Password</label>
 			<input type="password" class="form-control" id="user-password1" name="password" required="required" tabindex = "2">
 		</div>
 		<div class="form-group col-12">

uffd/session/views.py

@@ -17,7 +17,7 @@ def logout():
 @bp.route("/login", methods=('GET', 'POST'))
 def login():
 	if request.method == 'GET':
-		return render_template('login.html')
+		return render_template('login.html', ref=request.values.get('ref'))
 
 	username = request.form['loginname']
 	password = request.form['password']
@@ -28,11 +28,11 @@ def login():
 	conn.search(conn.user, '(objectClass=person)')
 	if not len(conn.entries) == 1:
 		flash('Login name or password is wrong')
-		return redirect(url_for('.login'))
+		return render_template('login.html', ref=request.values.get('ref'))
 	user = User.from_ldap(conn.entries[0])
 	if not user.is_in_group(current_app.config['ACL_SELFSERVICE_GROUP']):
 		flash('You do not have access to this service')
-		return redirect(url_for('.login'))
+		return render_template('login.html', ref=request.values.get('ref'))
 	session['user_uid'] = user.uid
 	session['logintime'] = datetime.datetime.now().timestamp()
 	session['_csrf_token'] = secrets.token_hex(128)

uffd/user/templates/user.html

@@ -12,30 +12,30 @@
 		{% endif %}
 	</div>
 	<div class="form-group col">
-		<label for="user-loginname">login name</label>
+		<label for="user-loginname">Login Name</label>
 		<input type="text" class="form-control" id="user-loginname" name="loginname" value="{{ user.loginname }}" {% if user.uid %}readonly{% endif %}>
 		<small class="form-text text-muted">
 			Only letters, numbers and underscore ("_") are allowed. At most 32, at least 2 characters. There is a word blacklist. Musst be unique.
 		</small>
 	</div>
 	<div class="form-group col">
-		<label for="user-loginname">display name</label>
+		<label for="user-loginname">Display Name</label>
 		<input type="text" class="form-control" id="user-displayname" name="displayname" value="{{ user.displayname }}">
 		<small class="form-text text-muted">
 			If you leave this empty it will be set to the login name. At most 128, at least 2 characters. No character restrictions.
 		</small>
 	</div>
 	<div class="form-group col">
-		<label for="user-mail">mail</label>
+		<label for="user-mail">Mail</label>
 		<input type="email" class="form-control" id="user-mail" name="mail" value="{{ user.mail }}">
 		<small class="form-text text-muted">
 			Do a sanity check here. A user can take over another account if both have the same mail address set.
 		</small>
 	</div>
 	<div class="form-group col">
-		<label for="user-loginname">password</label>
+		<label for="user-loginname">Password</label>
 		{% if user.uid %}
-		<input type="password" class="form-control" id="user-password" name="password" placeholder="do not change">
+		<input type="password" class="form-control" id="user-password" name="password" placeholder="●●●●●●●●">
 		{% else %}
 		<input type="password" class="form-control" id="user-password" name="password" placeholder="mail to set it will be sent" readonly>
 		{% endif %}
@@ -95,7 +95,7 @@
 	{% endif %}
 	<div class="form-group col">
 		<button type="submit" class="btn btn-primary"><i class="fa fa-save" aria-hidden="true"></i> Save</button>
-		<a href="{{ url_for(".user_list") }}" class="btn btn-secondary">Cancle</a>
+		<a href="{{ url_for(".user_list") }}" class="btn btn-secondary">Cancel</a>
 		{% if user.uid %}
 			<a href="{{ url_for(".user_delete", uid=user.uid) }}" class="btn btn-danger"><i class="fa fa-trash" aria-hidden="true"></i> Delete</a>
 		{% else %}

uffd/user/templates/user_list.html

@@ -37,9 +37,6 @@
 							<a href="{{ url_for(".user_show", uid=user.uid) }}" class="btn btn-primary">
 								<i class="fa fa-edit" aria-hidden="true"></i> Edit
 							</a>
-							<a href="{{ url_for(".user_delete", uid=user.uid) }}" class="btn btn-danger">
-								<i class="fa fa-trash" aria-hidden="true"></i> Delete
-							</a>
 						</p>
 					</td>
 				</tr>

uffd/user/views.py

@@ -53,16 +53,18 @@ def user_update(uid=False):
 		user = User()
 		if not user.set_loginname(request.form['loginname']):
 			flash('Login name does not meet requirements')
-			return url_for('.user_show')
+			return redirect(url_for('.user_show'))
 	else:
 		conn.search(current_app.config["LDAP_BASE_USER"], '(&(objectclass=person)(uidNumber={}))'.format((escape_filter_chars(uid))))
 		assert len(conn.entries) == 1
 		user = User.from_ldap(conn.entries[0])
-	user.mail = request.form['mail']
+	if not user.set_mail(request.form['mail']):
+		flash('Mail is invalide.')
+		return redirect(url_for('.user_show'))
 	new_displayname = request.form['displayname'] if request.form['displayname'] else request.form['loginname']
 	if not user.set_displayname(new_displayname):
 		flash('Display name does not meet requirements')
-		return url_for('.user_show')
+		return redirect(url_for('.user_show'))
 	new_password = request.form.get('password')
 	if new_password and not is_newuser:
 		user.set_password(new_password)