fix(site-login): remove permission roles

- use `ignore_permission` instead
frappe · Feb 17, 2025 · 8b72f66 · 8b72f66
1 parent c66c3e1
commit 8b72f66
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 61 deletions.
diff --git a/dashboard/src2/pages/SiteLogin.vue b/dashboard/src2/pages/SiteLogin.vue
@@ -102,9 +102,9 @@
 						v-if="sites.fetched"
 						class="mt-4"
 						@click="goBack"
-						icon-right="arrow-left"
+						icon-right="log-out"
 						variant="ghost"
-						label="Login from another account"
+						label="Log out"
 					/>
 					<Button
 						class="mt-4"

diff --git a/press/api/site_login.py b/press/api/site_login.py
@@ -87,7 +87,7 @@ def get_product_sites_of_user(user: str):
 
 
 @frappe.whitelist(allow_guest=True)
-@rate_limit(limit=5, seconds=60)
+@rate_limit(limit=5, seconds=60 * 5)
 def send_otp(email: str):
 	"""
 	Send OTP to the user trying to login to the product site from /site-login page
@@ -97,7 +97,7 @@ def send_otp(email: str):
 	if last_otp and (frappe.utils.now_datetime() - last_otp).seconds < 30:
 		return frappe.throw("Please wait for 30 seconds before sending the OTP again")
 
-	session = frappe.get_doc({"doctype": "Site User Session", "user": email}).insert()
+	session = frappe.get_doc({"doctype": "Site User Session", "user": email}).insert(ignore_permissions=True)
 	return session.send_otp()
 
 
@@ -108,12 +108,28 @@ def verify_otp(email: str, otp: str):
 	Verify OTP
 	"""
 
-	session_name = frappe.db.get_value("Site User Session", {"user": email}, "name")
-	if not session_name:
+	session = frappe.db.get_value(
+		"Site User Session", {"user": email}, ["name", "session_id", "otp", "otp_generated_at"], as_dict=True
+	)
+	if not session:
 		return frappe.throw("Invalid session")
 
-	session = frappe.get_doc("Site User Session", session_name)
-	return session.verify_otp(otp)
+	if not session.otp:
+		return frappe.throw("OTP is not set")
+
+	if (frappe.utils.now_datetime() - session.otp_generated_at).seconds > 300:
+		return frappe.throw("OTP is expired")
+
+	if session.otp != otp:
+		return frappe.throw("Invalid OTP")
+
+	frappe.db.set_value("Site User Session", session.name, {"otp": None, "verified": 1})
+
+	five_days_in_seconds = 5 * 24 * 60 * 60
+	frappe.local.cookie_manager.set_cookie(
+		"site_user_sid", session.session_id, max_age=five_days_in_seconds, httponly=True
+	)
+	return session.session_id
 
 
 @frappe.whitelist(allow_guest=True)
@@ -126,7 +142,7 @@ def login_to_site(email: str, site: str):
 	if not session_id or not isinstance(session_id, str):
 		if frappe.session.user == "Guest":
 			return frappe.throw("Invalid session")
-		frappe.get_doc({"doctype": "Site User Session", "user": email}).insert()
+		frappe.get_doc({"doctype": "Site User Session", "user": email}).insert(ignore_permissions=True)
 
 	site_user_name = frappe.db.get_value("Site User", {"user": email, "site": site}, "name")
 	if not site_user_name:

diff --git a/press/press/doctype/site_user_session/site_user_session.json b/press/press/doctype/site_user_session/site_user_session.json
@@ -41,7 +41,7 @@
  ],
  "index_web_pages_for_search": 1,
  "links": [],
- "modified": "2025-02-17 11:15:58.900520",
+ "modified": "2025-02-17 12:19:46.639929",
  "modified_by": "Administrator",
  "module": "Press",
  "name": "Site User Session",
@@ -58,36 +58,6 @@
    "role": "System Manager",
    "share": 1,
    "write": 1
-  },
-  {
-   "create": 1,
-   "email": 1,
-   "export": 1,
-   "print": 1,
-   "report": 1,
-   "role": "Press Admin",
-   "share": 1,
-   "write": 1
-  },
-  {
-   "create": 1,
-   "email": 1,
-   "export": 1,
-   "print": 1,
-   "report": 1,
-   "role": "Press Member",
-   "share": 1,
-   "write": 1
-  },
-  {
-   "create": 1,
-   "email": 1,
-   "export": 1,
-   "print": 1,
-   "report": 1,
-   "role": "Guest",
-   "share": 1,
-   "write": 1
   }
  ],
  "sort_field": "creation",

diff --git a/press/press/doctype/site_user_session/site_user_session.py b/press/press/doctype/site_user_session/site_user_session.py
@@ -59,24 +59,3 @@ def send_otp(self):
 			args=args,
 			now=True,
 		)
-
-	def verify_otp(self, otp):
-		"""Verify OTP for site login."""
-
-		if not self.otp:
-			return frappe.throw("OTP is not set")
-
-		if (frappe.utils.now_datetime() - self.otp_generated_at).seconds > 300:
-			return frappe.throw("OTP is expired")
-
-		if self.otp != otp:
-			return frappe.throw("Invalid OTP")
-		self.otp = None
-		self.verified = 1
-		self.save()
-
-		five_days_in_seconds = 5 * 24 * 60 * 60
-		frappe.local.cookie_manager.set_cookie(
-			"site_user_sid", self.session_id, max_age=five_days_in_seconds, httponly=True
-		)
-		return self.session_id