user.email = email
user.pw_hash = auth_lib.bcrypt_gen_password_hash(
request.POST['password'])
+ user.verification_key = unicode(uuid.uuid4())
user.save(validate=True)
# log the user in
user = request.db.User.find_one(
{'_id': ObjectId(unicode(request.GET['userid']))})
- if user and user['verification_key'] == unicode(request.GET['token']):
+ if user and user.verification_key == unicode(request.GET['token']):
user.status = u'active'
user.email_verified = True
- user[u'verification_key'] = None
+ user.verification_key = None
user.save()
return redirect(request, "mediagoblin.user_pages.user_home", user=request.user['username'])
- request.user[u'verification_key'] = unicode(uuid.uuid4())
+ request.user.verification_key = unicode(uuid.uuid4())
request.user.save()
email_debug_message(request)
"""
Forgot password view
- Sends an email whit an url to renew forgoten password
+ Sends an email with an url to renew forgotten password
"""
fp_form = auth_forms.ForgotPassForm(request.POST)
if request.method == 'POST' and fp_form.validate():
- # Here, so it doesn't depend on the actual mail being sent
- # and thus doesn't reveal, wether mail was sent.
- email_debug_message(request)
-
# '$or' not available till mongodb 1.5.3
user = request.db.User.find_one(
{'username': request.POST['username']})
if user:
if user.email_verified and user.status == 'active':
- user[u'fp_verification_key'] = unicode(uuid.uuid4())
- user[u'fp_token_expire'] = datetime.datetime.now() + \
+ user.fp_verification_key = unicode(uuid.uuid4())
+ user.fp_token_expire = datetime.datetime.now() + \
datetime.timedelta(days=10)
user.save()
send_fp_verification_email(user, request)
+
+ messages.add_message(
+ request,
+ messages.INFO,
+ _("An email has been sent with instructions on how to "
+ "change your password."))
+ email_debug_message(request)
+
else:
# special case... we can't send the email because the
# username is inactive / hasn't verified their email
return redirect(
request, 'mediagoblin.user_pages.user_home',
user=user.username)
-
- # do not reveal whether or not there is a matching user
- return redirect(request, 'mediagoblin.auth.fp_email_sent')
+ return redirect(request, 'mediagoblin.auth.login')
+ else:
+ messages.add_message(
+ request,
+ messages.WARNING,
+ _("Couldn't find someone with that username or email."))
+ return redirect(request, 'mediagoblin.auth.forgot_password')
return render_to_response(
request,
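Review bot: The new `else` branch near the end of this hunk (`Couldn't find someone with that username or email.`), combined with the different redirect targets (`mediagoblin.auth.login` when a user matched, `mediagoblin.auth.forgot_password` when not), turns the forgot-password form into a username oracle, which the removed `fp_email_sent` redirect and its `do not reveal whether or not there is a matching user` comment existed to prevent. The removed comment above the old `email_debug_message(request)` call made the same point about keeping that output independent of whether mail was sent, yet the call is now only reached inside the matched-user branch. I would make the response identical on both paths: look the user up and send the mail when one is found, then show the same INFO message, call `email_debug_message(request)` and redirect to the same page regardless, dropping the WARNING branch. The pre-existing redirect to `user_home` for an unverified or inactive account leaks existence in the same way and could be folded into that common path. The enclosing forgot_password view starts before this hunk and its `render_to_response` call continues after it.
```python
    if request.method == 'POST' and fp_form.validate():
        # '$or' not available till mongodb 1.5.3
        user = request.db.User.find_one(
            {'username': request.POST['username']})
        if user and user.email_verified and user.status == 'active':
            # … unchanged: fp_verification_key / fp_token_expire, save, send_fp_verification_email …
        # Same message, debug output and redirect whether or not the username
        # matched, so the form cannot be used to confirm which accounts exist.
        messages.add_message(
            request,
            messages.INFO,
            _("An email has been sent with instructions on how to "
              "change your password."))
        email_debug_message(request)
        return redirect(request, 'mediagoblin.auth.login')
```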
return render_404(request)
# check if we have a real user and correct token
- if ((user and user['fp_verification_key'] and
- user['fp_verification_key'] == unicode(formdata_token) and
- datetime.datetime.now() < user['fp_token_expire']
+ if ((user and user.fp_verification_key and
+ user.fp_verification_key == unicode(formdata_token) and
+ datetime.datetime.now() < user.fp_token_expire
and user.email_verified and user.status == 'active')):
cp_form = auth_forms.ChangePassForm(formdata_vars)
if request.method == 'POST' and cp_form.validate():
user.pw_hash = auth_lib.bcrypt_gen_password_hash(
request.POST['password'])
- user[u'fp_verification_key'] = None
- user[u'fp_token_expire'] = None
+ user.fp_verification_key = None
+ user.fp_token_expire = None
user.save()
return redirect(request, 'mediagoblin.auth.fp_changed_success')