[#640] Restrict access to password-change from backend

maykinmedia · May 27, 2022 · 22473eb · 22473eb
1 parent 8b704fa
commit 22473eb
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/open_inwoner/accounts/views/auth.py b/src/open_inwoner/accounts/views/auth.py
@@ -1,3 +1,4 @@
+from django.contrib.auth.mixins import UserPassesTestMixin
 from django.contrib.auth.views import (
     PasswordChangeView,
     PasswordResetConfirmView,
@@ -7,10 +8,14 @@
 
 from open_inwoner.utils.views import LogMixin
 
+from ..choices import LoginTypeChoices
 from ..forms import CustomPasswordResetForm
 
 
-class LogPasswordChangeView(LogMixin, PasswordChangeView):
+class LogPasswordChangeView(UserPassesTestMixin, LogMixin, PasswordChangeView):
+    def test_func(self):
+        return self.request.user.login_type == LoginTypeChoices.default
+
     def form_valid(self, form):
         response = super().form_valid(form)