[password-resets] Don't ever generate a token for usernames in protected group



commit 55273d99e48c2c55daf892a2463422026dd39a05
Author: Andrea Veri <averi redhat com>
Date:   Mon Nov 23 17:02:26 2020 +0100

    Don't ever generate a token for usernames in protected group

 app.py | 37 ++++++++++++++++++-------------------
 1 file changed, 18 insertions(+), 19 deletions(-)
---
diff --git a/app.py b/app.py
index 068e01a..c9f7d61 100644
--- a/app.py
+++ b/app.py
@@ -54,21 +54,26 @@ def form_post(request: Request, username: str = Form(...)):
 
     mail = glu.get_attributes_from_ldap(username, 'mail')
     if mail:
-        tokens = Session.query(Token.username, Token.expired, 
Token.claimed).filter(Token.username==username, Token.expired==0, Token.claimed==0)
-        if len(list(tokens)) == 1:
-            Session.remove()
+        from itertools import chain
+        infrateam = chain(glu.get_group_from_ldap('accounts'), glu.get_group_from_ldap('sysadmin'), \
+                          glu.get_group_from_ldap('admins'))
+
+        if username not in infrateam:
+            tokens = Session.query(Token.username, Token.expired, 
Token.claimed).filter(Token.username==username, Token.expired==0, Token.claimed==0)
+            if len(list(tokens)) == 1:
+                Session.remove()
 
-            return templates.TemplateResponse('general-form.html', context={'request': request, 'badtoken': 
True})
+                return templates.TemplateResponse('general-form.html', context={'request': request, 
'badtoken': True})
 
-        date = datetime.datetime.now()
-        token = secrets.token_hex(16)
+            date = datetime.datetime.now()
+            token = secrets.token_hex(16)
 
-        _token = Token(username, token, 0, 0, date)
-        Session.add(_token)
-        Session.commit()
-        Session.remove()
+            _token = Token(username, token, 0, 0, date)
+            Session.add(_token)
+            Session.commit()
+            Session.remove()
 
-        send_email(mail.decode('utf-8'), token)
+            send_email(mail.decode('utf-8'), token)
 
     return templates.TemplateResponse('general-form.html', context={'request': request, 'submitted': True})
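Review bot: The guard `if username not in infrateam:` compares the raw form string with whatever `glu.get_group_from_ldap` yields, and the `mail.decode('utf-8')` a few lines below shows LDAP values reaching this code as bytes; if group members come back as bytes as well, a str username never matches and the check fails open for every protected account. Normalizing both sides before the test would make that explicit, e.g. `infrateam = {m.decode('utf-8') if isinstance(m, bytes) else m for m in chain(...)}` followed by the existing `if username not in infrateam:`. The same fail-open shape applies if a lookup returns an empty result on an LDAP error, which the hunk cannot distinguish from "nobody is in the group", so an empty group is worth treating as a reason not to issue a token. As a point of style, the `from itertools import chain` belongs at the top of the file and the backslash continuation inside the open parentheses is unnecessary. form_post's signature and the start of its body are outside the hunk.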
 
@@ -78,14 +83,8 @@ def form_reset_get(request: Request, token: str):
 
     if t:
         if not (t.claimed or t.expired):
-            from itertools import chain
-
-            infrateam = chain(glu.get_group_from_ldap('accounts'), glu.get_group_from_ldap('sysadmin'), \
-                              glu.get_group_from_ldap('admins'))
-
-            if t.username not in infrateam:
-                Session.remove()
-                return templates.TemplateResponse('form-reset.html', context={'request': request})
+            Session.remove()
+            return templates.TemplateResponse('form-reset.html', context={'request': request})
 
     Session.remove()
     return templates.TemplateResponse('general-form.html', context={'request': request, 'badtoken': True})
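Review bot: A token row that already exists for a protected username — issued before this change, or written by any path other than form_post — is now accepted at redemption, since the membership check no longer guards `return templates.TemplateResponse('form-reset.html', context={'request': request})`. Keeping the check at both ends costs a second LDAP lookup but gives defense in depth against tokens that did not come through the guarded path; if removing it is intentional, a one-off cleanup of unexpired, unclaimed tokens for those usernames would close the window. form_reset_get's signature and the lookup that produces `t` lie outside the hunk.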

