Raise PermissionDenied if anon user tries to access create_password (#…

…4371) Also: * Add some missing user string translations. * Update locale. * Remove Tamil translation since it contains a number of formatting errors.
HyphaApp · Feb 3, 2025 · 00ff332 · 00ff332
1 parent 7c84ee8
commit 00ff332
Show file tree

Hide file tree

Showing 4 changed files with 376 additions and 7,925 deletions.
diff --git a/hypha/apply/users/views.py b/hypha/apply/users/views.py
@@ -207,7 +207,7 @@ def account_email_change(request):
 
     # alert email
     request.user.email_user(
-        subject="Alert! An attempt to update your email.",
+        subject=_("Alert! An attempt to update your email."),
         message=render_to_string(
             "users/email_change/update_info_email.html",
             {
@@ -265,7 +265,10 @@ def get(self, request, *args, **kwargs):
                 user.email = email
                 user.save()
                 messages.success(
-                    request, _(f"Your email has been successfully updated to {email}!")
+                    request,
+                    _("Your email has been successfully updated to {email}!").format(
+                        email=email
+                    ),
                 )
             return redirect("users:account")
 
@@ -339,18 +342,21 @@ def create_password(request):
     """
     redirect_url = get_redirect_url(request, redirect_field="next")
 
+    if request.user.is_anonymous:
+        raise PermissionDenied()
+
     if request.method == "POST":
         form = AdminPasswordChangeForm(request.user, request.POST)
 
         if form.is_valid():
             user = form.save()
             update_session_auth_hash(request, user)  # Important!
-            messages.success(request, "Your password was successfully updated!")
+            messages.success(request, _("Your password was successfully updated!"))
             if redirect_url:
                 return redirect(redirect_url)
             return redirect("users:account")
         else:
-            messages.error(request, "Please correct the errors below.")
+            messages.error(request, _("Please correct the errors below."))
     else:
         form = AdminPasswordChangeForm(request.user)
 
@@ -731,7 +737,9 @@ def send_confirm_access_email_view(request):
         "user": request.user,
         "timeout_minutes": settings.PASSWORDLESS_LOGIN_TIMEOUT // 60,
     }
-    subject = "Confirmation code for {org_long_name}: {token}".format(**email_context)
+    subject = _("Confirmation code for {org_long_name}: {token}").format(
+        **email_context
+    )
     email = MarkdownMail("users/emails/confirm_access.md")
     email.send(
         to=request.user.email,
@@ -790,7 +798,7 @@ def set_password_view(request):
             email_template="users/emails/set_password.txt",
             email_subject_template="users/emails/set_password_subject.txt",
         )
-        return HttpResponse("✓ Check your email for password set link.")
+        return HttpResponse(_("✓ Check your email for password set link."))
 
 
 @never_cache