From 0cc42588645615d5c19fee1a2cdbc7f7b25159bc Mon Sep 17 00:00:00 2001
From: Petr Jasek
Date: Fri, 27 Oct 2023 08:42:01 +0200
Subject: [PATCH] fix password reset not working on custom cp reset page - avoid checking permissions when storing the token CPCN-434
---
.github/workflows/lint.yml | 18 ++++++++++++------
newsroom/auth/utils.py | 2 +-
newsroom/users/users.py | 4 ----
3 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 272d2a8a0..373881ab6 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,23 +7,29 @@ jobs: flake8: runs-on: ubuntu-latest steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-python@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-python@v4
+ with:
+ python-version: '3.10' - run: pip install flake8 - run: flake8 mypy: runs-on: ubuntu-latest steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-python@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-python@v4
+ with:
+ python-version: '3.10' - run: pip install -Ur mypy-requirements.txt - run: mypy . black: runs-on: ubuntu-latest steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-python@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-python@v4
+ with:
+ python-version: '3.10' - run: pip install black~=23.0 - run: black --check .
diff --git a/newsroom/auth/utils.py b/newsroom/auth/utils.py
index 0a3242d70..306d8449d 100644
--- a/newsroom/auth/utils.py
+++ b/newsroom/auth/utils.py
@@ -138,7 +138,7 @@ def send_token(user, token_type="validate", update_token=True): if update_token: updates = {} add_token_data(updates)
- superdesk.get_resource_service("users").patch(id=bson.ObjectId(user["_id"]), updates=updates)
+ superdesk.get_resource_service("users").system_update(bson.ObjectId(user["_id"]), updates, user) token = updates["token"] if token_type == "validate":
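Review bot: The switch to `system_update` on the `+` line of the newsroom/auth/utils.py hunk skips more than `check_permissions` — in superdesk, as far as I recall, `system_update` also bypasses the resource's validation and its on_update/on_updated hooks, so anything the users resource normally does on a patch (etag/version bookkeeping, audit, derived-field updates) no longer runs for this token write; confirm that is acceptable here. The reason is invisible at the call site, so add a why-comment above it: `# system_update: the token is stored on behalf of an unauthenticated reset/validate request, so the users resource's permission check must not run for this write`. Since this write now goes entirely around the permission layer (and the `/reset_password/` and `/token/` exemption is removed from check_permissions in the newsroom/users/users.py hunk), the callers of send_token are the only gate on which user record receives a new token, and `updates` should stay limited to the token fields that `add_token_data` populates. The third argument hands `user` over as the original document; if any caller passes a partial projection rather than the stored record, check that this is what `system_update` expects. send_token's body starts and ends outside the hunk.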
diff --git a/newsroom/users/users.py b/newsroom/users/users.py
index ed0731a0a..09987e844 100644
--- a/newsroom/users/users.py
+++ b/newsroom/users/users.py
@@ -365,10 +365,6 @@ def check_permissions(self, doc, updates=None): elif request and request.method == "DELETE" and doc.get("_id") != manager.get("_id"): return
- if request.url_rule and request.url_rule.rule:
- if request.url_rule.rule in ["/reset_password/", "/token/"]:
- return - if request.method != "DELETE" and ( not updated_fields or all([key in USER_PROFILE_UPDATES for key in updated_fields]) ):