authorBarry Warsaw2012-12-26 18:55:45 -0500
committerBarry Warsaw2012-12-26 18:55:45 -0500
commit8c8f2aebc58bdfca948e5dc01bcf6d27a5d09f6e (patch)
tree5f664bf416a375d559a918d8267eaa1b0732bbe5 /src/mailman/rest/users.py
parenta492c67e0e9077f95aab3fc371025f9ce0e78d19 (diff)
* A user's password can be verified by POSTing to .../user/<id>/login. The
data must contain a single parameter `cleartext_password`; if it matches, a 204 (No Content) is returned, otherwise a 403 (Forbidden) is returned. (LP: #1065447)
Diffstat (limited to 'src/mailman/rest/users.py')
-rw-r--r--src/mailman/rest/users.py22
1 files changed, 22 insertions, 0 deletions
diff --git a/src/mailman/rest/users.py b/src/mailman/rest/users.py
index a7847f438..b67233f28 100644
--- a/src/mailman/rest/users.py
+++ b/src/mailman/rest/users.py
@@ -228,3 +228,25 @@ class AUser(_UserBase):
except ValueError as error:
return http.bad_request([], str(error))
return no_content()
+
+ @resource.child('login')
+ def login(self, request, segments):
+ """Log the user in, sort of, by verifying a given password."""
+ #import pdb; pdb.set_trace()
+ if self._user is None:
+ return http.not_found()
+ # We do not want to encrypt the plaintext password given in the POST
+ # data. That would hash the password, but we need to have the
+ # plaintext in order to pass into passlib.
+ validator = Validator(cleartext_password=GetterSetter(unicode))
+ try:
+ values = validator(request)
+ except ValueError as error:
+ return http.bad_request([], str(error))
+ is_valid, new_hash = config.password_context.verify(
+ values['cleartext_password'], self._user.password)
+ if is_valid:
+ if new_hash is not None:
+ self._user.password = new_hash
+ return no_content()
+ return http.forbidden()
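Review bot: The commented-out debugger line `#import pdb; pdb.set_trace()` at the top of login() is a leftover and should be deleted before this lands; dead debug code in a password-verification path is exactly the kind of line that gets uncommented later and forgotten. The method carries only `@resource.child('login')` with no HTTP-method restriction visible in the hunk, while the commit message says the check is a POST; if the framework does not limit the verb elsewhere, the cleartext password could arrive in a GET query string and end up in access logs, so confirm the verb is restricted. The failing branch returns `http.forbidden()` silently; recording the user id (never the password) on that branch, e.g. a module-level `log.info('Password verification failed for user %s', self._user.user_id)`, would give operators something to alert on, assuming a logger is available in this module. The endpoint also answers 404 for an unknown user and 403 for a wrong password, which is acceptable behind the admin-authenticated REST API but deserves a sentence in the docstring. The enclosing class AUser starts outside the hunk.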