# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import uuid
-import datetime
+import logging
+
+import six
+
+from itsdangerous import BadSignature
from mediagoblin import messages, mg_globals
-from mediagoblin.db.models import User
+from mediagoblin.db.models import User, Privilege
+from mediagoblin.tools.crypto import get_timed_signer_url
+from mediagoblin.decorators import auth_enabled, allow_registration
from mediagoblin.tools.response import render_to_response, redirect, render_404
from mediagoblin.tools.translate import pass_to_ugettext as _
-from mediagoblin.auth import lib as auth_lib
-from mediagoblin.auth import forms as auth_forms
-from mediagoblin.auth.lib import send_fp_verification_email
-from mediagoblin.auth.tools import send_verification_email
-from sqlalchemy import or_
+from mediagoblin.tools.mail import email_debug_message
+from mediagoblin.tools.pluginapi import hook_handle
+from mediagoblin.auth.tools import (send_verification_email, register_user,
+ check_login_simple)
-def email_debug_message(request):
- """
- If the server is running in email debug mode (which is
- the current default), give a debug message to the user
- so that they have an idea where to find their email.
- """
- if mg_globals.app_config['email_debug_mode']:
- # DEBUG message, no need to translate
- messages.add_message(request, messages.DEBUG,
- u"This instance is running in email debug mode. "
- u"The email will be on the console of the server process.")
+_log = logging.getLogger(__name__)
+@allow_registration
+@auth_enabled
def register(request):
"""The registration view.
Note that usernames will always be lowercased. Email domains are lowercased while
the first part remains case-sensitive.
"""
- # Redirects to indexpage if registrations are disabled
- if not mg_globals.app_config["allow_registration"]:
- messages.add_message(
- request,
- messages.WARNING,
- _('Sorry, registration is disabled on this instance.'))
- return redirect(request, "index")
+ if 'pass_auth' not in request.template_env.globals:
+ redirect_name = hook_handle('auth_no_pass_redirect')
+ if redirect_name:
+ return redirect(request, 'mediagoblin.plugins.{0}.register'.format(
+ redirect_name))
+ else:
+ return redirect(request, 'index')
- register_form = auth_forms.RegistrationForm(request.form)
+ register_form = hook_handle("auth_get_registration_form", request)
if request.method == 'POST' and register_form.validate():
# TODO: Make sure the user doesn't exist already
- users_with_username = User.query.filter_by(username=register_form.data['username']).count()
- users_with_email = User.query.filter_by(email=register_form.data['email']).count()
-
- extra_validation_passes = True
-
- if users_with_username:
- register_form.username.errors.append(
- _(u'Sorry, a user with that name already exists.'))
- extra_validation_passes = False
- if users_with_email:
- register_form.email.errors.append(
- _(u'Sorry, a user with that email address already exists.'))
- extra_validation_passes = False
-
- if extra_validation_passes:
- # Create the user
- user = User()
- user.username = register_form.data['username']
- user.email = register_form.data['email']
- user.pw_hash = auth_lib.bcrypt_gen_password_hash(
- register_form.password.data)
- user.verification_key = unicode(uuid.uuid4())
- user.save()
-
- # log the user in
- request.session['user_id'] = unicode(user.id)
- request.session.save()
-
- # send verification email
- email_debug_message(request)
- send_verification_email(user, request)
+ user = register_user(request, register_form)
+ if user:
# redirect the user to their homepage... there will be a
# message waiting for them to verify their email
return redirect(
return render_to_response(
request,
'mediagoblin/auth/register.html',
- {'register_form': register_form})
+ {'register_form': register_form,
+ 'post_url': request.urlgen('mediagoblin.auth.register')})
+@auth_enabled
def login(request):
"""
MediaGoblin login view.
If you provide the POST with 'next', it'll redirect to that view.
"""
- login_form = auth_forms.LoginForm(request.form)
+ if 'pass_auth' not in request.template_env.globals:
+ redirect_name = hook_handle('auth_no_pass_redirect')
+ if redirect_name:
+ return redirect(request, 'mediagoblin.plugins.{0}.login'.format(
+ redirect_name))
+ else:
+ return redirect(request, 'index')
+
+ login_form = hook_handle("auth_get_login_form", request)
login_failed = False
if request.method == 'POST':
- username = login_form.data['username']
-
if login_form.validate():
- user = User.query.filter(
- or_(
- User.username == username,
- User.email == username,
-
- )).first()
+ user = check_login_simple(
+ login_form.username.data,
+ login_form.password.data)
- if user and user.check_login(login_form.password.data):
+ if user:
# set up login in session
- request.session['user_id'] = unicode(user.id)
+ if login_form.stay_logged_in.data:
+ request.session['stay_logged_in'] = True
+ request.session['user_id'] = six.text_type(user.id)
request.session.save()
if request.form.get('next'):
else:
return redirect(request, "index")
- # Some failure during login occured if we are here!
- # Prevent detecting who's on this system by testing login
- # attempt timings
- auth_lib.fake_login_attempt()
login_failed = True
+ remote_addr = request.access_route[-1] or request.remote_addr
+ _log.warn("Failed login attempt from %r", remote_addr)
return render_to_response(
request,
{'login_form': login_form,
'next': request.GET.get('next') or request.form.get('next'),
'login_failed': login_failed,
+ 'post_url': request.urlgen('mediagoblin.auth.login'),
'allow_registration': mg_globals.app_config["allow_registration"]})
you are lucky :)
"""
# If we don't have userid and token parameters, we can't do anything; 404
- if not 'userid' in request.GET or not 'token' in request.GET:
+ if not 'token' in request.GET:
return render_404(request)
- user = User.query.filter_by(id=request.args['userid']).first()
+ # Catch error if token is faked or expired
+ try:
+ token = get_timed_signer_url("mail_verification_token") \
+ .loads(request.GET['token'], max_age=10*24*3600)
+ except BadSignature:
+ messages.add_message(
+ request,
+ messages.ERROR,
+ _('The verification key or user id is incorrect.'))
+
+ return redirect(
+ request,
+ 'index')
+
+ user = User.query.filter_by(id=int(token)).first()
- if user and user.verification_key == unicode(request.GET['token']):
- user.status = u'active'
- user.email_verified = True
+ if user and user.has_privilege(u'active') is False:
user.verification_key = None
+ user.all_privileges.append(
+ Privilege.query.filter(
+ Privilege.privilege_name==u'active').first())
user.save()
return redirect(request, 'mediagoblin.auth.login')
- if request.user.email_verified:
+ if request.user.has_privilege(u'active'):
messages.add_message(
request,
messages.ERROR,
_("You've already verified your email address!"))
- return redirect(request, "mediagoblin.user_pages.user_home", user=request.user['username'])
-
- request.user.verification_key = unicode(uuid.uuid4())
- request.user.save()
+ return redirect(request, "mediagoblin.user_pages.user_home", user=request.user.username)
email_debug_message(request)
send_verification_email(request.user, request)
return redirect(
request, 'mediagoblin.user_pages.user_home',
user=request.user.username)
-
-
-def forgot_password(request):
- """
- Forgot password view
-
- Sends an email with an url to renew forgotten password.
- Use GET querystring parameter 'username' to pre-populate the input field
- """
- fp_form = auth_forms.ForgotPassForm(request.form,
- username=request.args.get('username'))
-
- if not (request.method == 'POST' and fp_form.validate()):
- # Either GET request, or invalid form submitted. Display the template
- return render_to_response(request,
- 'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form})
-
- # If we are here: method == POST and form is valid. username casing
- # has been sanitized. Store if a user was found by email. We should
- # not reveal if the operation was successful then as we don't want to
- # leak if an email address exists in the system.
- found_by_email = '@' in fp_form.username.data
-
- if found_by_email:
- user = User.query.filter_by(
- email = fp_form.username.data).first()
- # Don't reveal success in case the lookup happened by email address.
- success_message=_("If that email address (case sensitive!) is "
- "registered an email has been sent with instructions "
- "on how to change your password.")
-
- else: # found by username
- user = User.query.filter_by(
- username = fp_form.username.data).first()
-
- if user is None:
- messages.add_message(request,
- messages.WARNING,
- _("Couldn't find someone with that username."))
- return redirect(request, 'mediagoblin.auth.forgot_password')
-
- success_message=_("An email has been sent with instructions "
- "on how to change your password.")
-
- if user and not(user.email_verified and user.status == 'active'):
- # Don't send reminder because user is inactive or has no verified email
- messages.add_message(request,
- messages.WARNING,
- _("Could not send password recovery email as your username is in"
- "active or your account's email address has not been verified."))
-
- return redirect(request, 'mediagoblin.user_pages.user_home',
- user=user.username)
-
- # SUCCESS. Send reminder and return to login page
- if user:
- user.fp_verification_key = unicode(uuid.uuid4())
- user.fp_token_expire = datetime.datetime.now() + \
- datetime.timedelta(days=10)
- user.save()
-
- email_debug_message(request)
- send_fp_verification_email(user, request)
-
- messages.add_message(request, messages.INFO, success_message)
- return redirect(request, 'mediagoblin.auth.login')
-
-
-def verify_forgot_password(request):
- """
- Check the forgot-password verification and possibly let the user
- change their password because of it.
- """
- # get form data variables, and specifically check for presence of token
- formdata = _process_for_token(request)
- if not formdata['has_userid_and_token']:
- return render_404(request)
-
- formdata_token = formdata['vars']['token']
- formdata_userid = formdata['vars']['userid']
- formdata_vars = formdata['vars']
-
- # check if it's a valid user id
- user = User.query.filter_by(id=formdata_userid).first()
- if not user:
- return render_404(request)
-
- # check if we have a real user and correct token
- if ((user and user.fp_verification_key and
- user.fp_verification_key == unicode(formdata_token) and
- datetime.datetime.now() < user.fp_token_expire
- and user.email_verified and user.status == 'active')):
-
- cp_form = auth_forms.ChangePassForm(formdata_vars)
-
- if request.method == 'POST' and cp_form.validate():
- user.pw_hash = auth_lib.bcrypt_gen_password_hash(
- cp_form.password.data)
- user.fp_verification_key = None
- user.fp_token_expire = None
- user.save()
-
- messages.add_message(
- request,
- messages.INFO,
- _("You can now log in using your new password."))
- return redirect(request, 'mediagoblin.auth.login')
- else:
- return render_to_response(
- request,
- 'mediagoblin/auth/change_fp.html',
- {'cp_form': cp_form})
-
- # in case there is a valid id but no user with that id in the db
- # or the token expired
- else:
- return render_404(request)
-
-
-def _process_for_token(request):
- """
- Checks for tokens in formdata without prior knowledge of request method
-
- For now, returns whether the userid and token formdata variables exist, and
- the formdata variables in a hash. Perhaps an object is warranted?
- """
- # retrieve the formdata variables
- if request.method == 'GET':
- formdata_vars = request.GET
- else:
- formdata_vars = request.form
-
- formdata = {
- 'vars': formdata_vars,
- 'has_userid_and_token':
- 'userid' in formdata_vars and 'token' in formdata_vars}
-
- return formdata