enforce password change if password is changeme

2025-05-27 15:13:36 +02:00
parent 071b8ca2aa
commit 149487195b
12 changed files with 132 additions and 42 deletions


@@ -3,6 +3,7 @@ from flask_login import login_required, current_user
from flask_socketio import emit, join_room, leave_room
from models import db, Conversation, User, Message, MessageAttachment
from forms import ConversationForm
from routes.auth import require_password_change
import os
from werkzeug.utils import secure_filename
from datetime import datetime
@@ -44,6 +45,7 @@ def get_file_extension(filename):
@conversations_bp.route('/')
@login_required
@require_password_change
def conversations():
search = request.args.get('search', '').strip()
if current_user.is_admin:
@@ -57,6 +59,7 @@ def conversations():
@conversations_bp.route('/create', methods=['GET', 'POST'])
@login_required
@require_password_change
def create_conversation():
if not current_user.is_admin:
flash('Only administrators can create conversations.', 'error')
@@ -89,6 +92,7 @@ def create_conversation():
@conversations_bp.route('/<int:conversation_id>')
@login_required
@require_password_change
def conversation(conversation_id):
conversation = Conversation.query.get_or_404(conversation_id)
# Check if user is a member
@@ -109,6 +113,7 @@ def conversation(conversation_id):
@conversations_bp.route('/<int:conversation_id>/members')
@login_required
@require_password_change
def conversation_members(conversation_id):
conversation = Conversation.query.get_or_404(conversation_id)
if not current_user.is_admin and current_user not in conversation.members:
@@ -126,6 +131,7 @@ def conversation_members(conversation_id):
@conversations_bp.route('/<int:conversation_id>/members/add', methods=['POST'])
@login_required
@require_password_change
def add_member(conversation_id):
conversation = Conversation.query.get_or_404(conversation_id)
if not current_user.is_admin:
@@ -149,6 +155,7 @@ def add_member(conversation_id):
@conversations_bp.route('/<int:conversation_id>/members/<int:user_id>/remove', methods=['POST'])
@login_required
@require_password_change
def remove_member(conversation_id, user_id):
conversation = Conversation.query.get_or_404(conversation_id)
if not current_user.is_admin:
@@ -170,6 +177,7 @@ def remove_member(conversation_id, user_id):
@conversations_bp.route('/<int:conversation_id>/edit', methods=['GET', 'POST'])
@login_required
@require_password_change
def edit_conversation(conversation_id):
if not current_user.is_admin:
flash('Only administrators can edit conversations.', 'error')
@@ -213,6 +221,7 @@ def edit_conversation(conversation_id):
@conversations_bp.route('/<int:conversation_id>/delete', methods=['POST'])
@login_required
@require_password_change
def delete_conversation(conversation_id):
if not current_user.is_admin:
flash('Only administrators can delete conversations.', 'error')
@@ -251,6 +260,7 @@ def on_leave(data):
@conversations_bp.route('/<int:conversation_id>/send_message', methods=['POST'])
@login_required
@require_password_change
def send_message(conversation_id):
conversation = Conversation.query.get_or_404(conversation_id)
@@ -331,6 +341,7 @@ def send_message(conversation_id):
@conversations_bp.route('/messages/<int:message_id>/attachment/<int:attachment_index>')
@login_required
@require_password_change
def download_attachment(message_id, attachment_index):
message = Message.query.get_or_404(message_id)
conversation = message.conversation
@@ -353,6 +364,7 @@ def download_attachment(message_id, attachment_index):
@conversations_bp.route('/<int:conversation_id>/messages')
@login_required
@require_password_change
def get_messages(conversation_id):
conversation = Conversation.query.get_or_404(conversation_id)
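Review bot: Decorating each route by hand leaves any handler not listed in this section outside the forced password change, and the Socket.IO event handlers in this file look like such a gap. The hunk context `def on_leave(data)` shows they exist, yet no hunk here adds a check to them; this is inferred, since their bodies are not shown. Consider registering the check once with `@conversations_bp.before_request` so that new routes are covered by default, and running the same check at the top of the socket handlers such as `on_leave`, which a request hook is not expected to reach. The order `@login_required` above `@require_password_change` is right, because the login check runs first and `current_user` is authenticated when the password check reads it. `send_message` and `get_messages` appear to be called from scripts, so it is worth confirming in `routes.auth` that the decorator returns an error those callers can handle rather than only a redirect.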