1 # GNU MediaGoblin -- federated, autonomous media hosting
2 # Copyright (C) 2011 Free Software Foundation, Inc
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 from mediagoblin
import messages
23 from mediagoblin
import mg_globals
24 from mediagoblin
.util
import render_to_response
, redirect
, render_404
25 from mediagoblin
.util
import pass_to_ugettext
as _
26 from mediagoblin
.db
.util
import ObjectId
, InvalidId
27 from mediagoblin
.auth
import lib
as auth_lib
28 from mediagoblin
.auth
import forms
as auth_forms
29 from mediagoblin
.auth
.lib
import send_verification_email
, \
30 send_fp_verification_email
33 def register(request
):
35 Your classic registration view!
37 # Redirects to indexpage if registrations are disabled
38 if not mg_globals
.app_config
["allow_registration"]:
42 _('Sorry, registration is disabled on this instance.'))
43 return redirect(request
, "index")
45 register_form
= auth_forms
.RegistrationForm(request
.POST
)
47 if request
.method
== 'POST' and register_form
.validate():
48 # TODO: Make sure the user doesn't exist already
50 users_with_username
= request
.db
.User
.find(
51 {'username': request
.POST
['username'].lower()}).count()
52 users_with_email
= request
.db
.User
.find(
53 {'email': request
.POST
['email'].lower()}).count()
55 extra_validation_passes
= True
57 if users_with_username
:
58 register_form
.username
.errors
.append(
59 _(u
'Sorry, a user with that name already exists.'))
60 extra_validation_passes
= False
62 register_form
.email
.errors
.append(
63 _(u
'Sorry, that email address has already been taken.'))
64 extra_validation_passes
= False
66 if extra_validation_passes
:
68 user
= request
.db
.User()
69 user
['username'] = request
.POST
['username'].lower()
70 user
['email'] = request
.POST
['email'].lower()
71 user
['pw_hash'] = auth_lib
.bcrypt_gen_password_hash(
72 request
.POST
['password'])
73 user
.save(validate
=True)
76 request
.session
['user_id'] = unicode(user
['_id'])
77 request
.session
.save()
79 # send verification email
80 send_verification_email(user
, request
)
82 # redirect the user to their homepage... there will be a
83 # message waiting for them to verify their email
85 request
, 'mediagoblin.user_pages.user_home',
86 user
=user
['username'])
88 return render_to_response(
90 'mediagoblin/auth/register.html',
91 {'register_form': register_form
})
96 MediaGoblin login view.
98 If you provide the POST with 'next', it'll redirect to that view.
100 login_form
= auth_forms
.LoginForm(request
.POST
)
104 if request
.method
== 'POST' and login_form
.validate():
105 user
= request
.db
.User
.one(
106 {'username': request
.POST
['username'].lower()})
108 if user
and user
.check_login(request
.POST
['password']):
109 # set up login in session
110 request
.session
['user_id'] = unicode(user
['_id'])
111 request
.session
.save()
113 if request
.POST
.get('next'):
114 return exc
.HTTPFound(location
=request
.POST
['next'])
116 return redirect(request
, "index")
119 # Prevent detecting who's on this system by testing login
121 auth_lib
.fake_login_attempt()
124 return render_to_response(
126 'mediagoblin/auth/login.html',
127 {'login_form': login_form
,
128 'next': request
.GET
.get('next') or request
.POST
.get('next'),
129 'login_failed': login_failed
,
130 'allow_registration': mg_globals
.app_config
["allow_registration"]})
134 # Maybe deleting the user_id parameter would be enough?
135 request
.session
.delete()
137 return redirect(request
, "index")
140 def verify_email(request
):
142 Email verification view
144 validates GET parameters against database and unlocks the user account, if
147 # If we don't have userid and token parameters, we can't do anything; 404
148 if not request
.GET
.has_key('userid') or not request
.GET
.has_key('token'):
149 return render_404(request
)
151 user
= request
.db
.User
.find_one(
152 {'_id': ObjectId(unicode(request
.GET
['userid']))})
154 if user
and user
['verification_key'] == unicode(request
.GET
['token']):
155 user
['status'] = u
'active'
156 user
['email_verified'] = True
158 messages
.add_message(
161 _("Your email address has been verified. "
162 "You may now login, edit your profile, and submit images!"))
164 messages
.add_message(
167 _('The verification key or user id is incorrect'))
170 request
, 'mediagoblin.user_pages.user_home',
171 user
=user
['username'])
174 def resend_activation(request
):
176 The reactivation view
178 Resend the activation email.
180 request
.user
['verification_key'] = unicode(uuid
.uuid4())
183 send_verification_email(request
.user
, request
)
185 messages
.add_message(
188 _('Resent your verification email.'))
190 request
, 'mediagoblin.user_pages.user_home',
191 user
=request
.user
['username'])
194 def forgot_password(request
):
198 Sends an email whit an url to renew forgoten password
200 fp_form
= auth_forms
.ForgotPassForm(request
.POST
)
202 if request
.method
== 'POST' and fp_form
.validate():
203 user
= request
.db
.User
.one(
204 {'$or': [{'username': request
.POST
['username']},
205 {'email': request
.POST
['username']}]})
208 user
['fp_verification_key'] = unicode(uuid
.uuid4())
209 user
['fp_token_expire'] = datetime
.datetime
.now() + \
210 datetime
.timedelta(days
=10)
213 send_fp_verification_email(user
, request
)
215 # do not reveal whether or not there is a matching user, just move along
216 return redirect(request
, 'mediagoblin.auth.fp_email_sent')
218 return render_to_response(
220 'mediagoblin/auth/forgot_password.html',
221 {'fp_form': fp_form
})
224 def verify_forgot_password(request
):
225 # get session variables, and specifically check for presence of token
226 mysession
= _process_for_token(request
)
227 if not mysession
['token_complete']:
228 return render_404(request
)
230 session_token
= mysession
['vars']['token']
231 session_userid
= mysession
['vars']['userid']
232 session_vars
= mysession
['vars']
234 # check if it's a valid Id
236 user
= request
.db
.User
.find_one(
237 {'_id': ObjectId(unicode(session_userid
))})
239 return render_404(request
)
241 # check if we have a real user and correct token
242 if (user
and user
['fp_verification_key'] == unicode(session_token
) and
243 datetime
.datetime
.now() < user
['fp_token_expire']):
244 cp_form
= auth_forms
.ChangePassForm(session_vars
)
246 if request
.method
== 'POST' and cp_form
.validate():
247 user
['pw_hash'] = auth_lib
.bcrypt_gen_password_hash(
248 request
.POST
['password'])
249 user
['fp_verification_key'] = None
250 user
['fp_token_expire'] = None
253 return redirect(request
, 'mediagoblin.auth.fp_changed_success')
255 return render_to_response(request
,
256 'mediagoblin/auth/change_fp.html',
257 {'cp_form': cp_form
})
258 # in case there is a valid id but no user whit that id in the db
259 # or the token expired
261 return render_404(request
)
264 def _process_for_token(request
):
266 Checks for tokens in session without prior knowledge of request method
268 For now, returns whether the userid and token session variables exist, and
269 the session variables in a hash. Perhaps an object is warranted?
271 # retrieve the session variables
272 if request
.method
== 'GET':
273 session_vars
= request
.GET
275 session_vars
= request
.POST
277 mysession
= {'vars': session_vars
,
278 'token_complete': session_vars
.has_key('userid') and
279 session_vars
.has_key('token')}