X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=mediagoblin%2Fauth%2Fviews.py;h=d01861d1221137b383066950e088b6a97dccf20d;hb=04b0b7a124130fe4db082c419e6f44a5a212ffab;hp=48c5937ceb5183cfb8423a613a0450664a944036;hpb=7dc3a66f924c734cbee68677e84f5b656eefe280;p=mediagoblin.git

diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py
index 48c5937c..d01861d1 100644
--- a/mediagoblin/auth/views.py
+++ b/mediagoblin/auth/views.py
@@ -1,5 +1,5 @@
 # GNU MediaGoblin -- federated, autonomous media hosting
-# Copyright (C) 2011 Free Software Foundation, Inc
+# Copyright (C) 2011 MediaGoblin contributors.  See AUTHORS.
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -15,17 +15,32 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import uuid
+import datetime
 
 from webob import exc
 
 from mediagoblin import messages
 from mediagoblin import mg_globals
-from mediagoblin.util import render_to_response, redirect, render_404
-from mediagoblin.util import pass_to_ugettext as _
-from mediagoblin.db.util import ObjectId
+from mediagoblin.tools.response import render_to_response, redirect, render_404
+from mediagoblin.tools.translate import pass_to_ugettext as _
+from mediagoblin.db.util import ObjectId, InvalidId
 from mediagoblin.auth import lib as auth_lib
 from mediagoblin.auth import forms as auth_forms
-from mediagoblin.auth.lib import send_verification_email
+from mediagoblin.auth.lib import send_verification_email, \
+                                 send_fp_verification_email
+
+
+def email_debug_message(request):
+    """
+    If the server is running in email debug mode (which is
+    the current default), give a debug message to the user
+    so that they have an idea where to find their email.
+    """
+    if mg_globals.app_config['email_debug_mode']:
+        # DEBUG message, no need to translate
+        messages.add_message(request, messages.DEBUG,
+            u"This instance is running in email debug mode. "
+            u"The email will be on the console of the server process.")
 
 
 def register(request):
@@ -59,7 +74,7 @@ def register(request):
             extra_validation_passes = False
         if users_with_email:
             register_form.email.errors.append(
-                _(u'Sorry, that email address has already been taken.'))
+                _(u'Sorry, a user with that email address already exists.'))
             extra_validation_passes = False
 
         if extra_validation_passes:
@@ -72,10 +87,11 @@ def register(request):
             user.save(validate=True)
 
             # log the user in
-            request.session['user_id'] = unicode(user['_id'])
+            request.session['user_id'] = unicode(user._id)
             request.session.save()
 
             # send verification email
+            email_debug_message(request)
             send_verification_email(user, request)
 
             # redirect the user to their homepage... there will be a
@@ -106,7 +122,7 @@ def login(request):
 
         if user and user.check_login(request.POST['password']):
             # set up login in session
-            request.session['user_id'] = unicode(user['_id'])
+            request.session['user_id'] = unicode(user._id)
             request.session.save()
 
             if request.POST.get('next'):
@@ -144,16 +160,19 @@ def verify_email(request):
     you are lucky :)
     """
     # If we don't have userid and token parameters, we can't do anything; 404
-    if not request.GET.has_key('userid') or not request.GET.has_key('token'):
+    if not 'userid' in request.GET or not 'token' in request.GET:
         return render_404(request)
 
     user = request.db.User.find_one(
         {'_id': ObjectId(unicode(request.GET['userid']))})
 
     if user and user['verification_key'] == unicode(request.GET['token']):
-        user['status'] = u'active'
-        user['email_verified'] = True
+        user[u'status'] = u'active'
+        user[u'email_verified'] = True
+        user[u'verification_key'] = None
+
         user.save()
+
         messages.add_message(
             request,
             messages.SUCCESS,
@@ -176,9 +195,27 @@ def resend_activation(request):
 
     Resend the activation email.
     """
-    request.user['verification_key'] = unicode(uuid.uuid4())
-    request.user.save()
 
+    if request.user is None:
+        messages.add_message(
+            request,
+            messages.ERROR,
+            _('You must be logged in so we know who to send the email to!'))
+        
+        return redirect(request, 'mediagoblin.auth.login')
+
+    if request.user["email_verified"]:
+        messages.add_message(
+            request,
+            messages.ERROR,
+            _("You've already verified your email address!"))
+        
+        return redirect(request, "mediagoblin.user_pages.user_home", user=request.user['username'])
+
+    request.user[u'verification_key'] = unicode(uuid.uuid4())
+    request.user.save()
+    
+    email_debug_message(request)
     send_verification_email(request.user, request)
 
     messages.add_message(
@@ -188,3 +225,125 @@ def resend_activation(request):
     return redirect(
         request, 'mediagoblin.user_pages.user_home',
         user=request.user['username'])
+
+
+def forgot_password(request):
+    """
+    Forgot password view
+
+    Sends an email whit an url to renew forgoten password
+    """
+    fp_form = auth_forms.ForgotPassForm(request.POST)
+
+    if request.method == 'POST' and fp_form.validate():
+
+        # Here, so it doesn't depend on the actual mail being sent
+        # and thus doesn't reveal, wether mail was sent.
+        email_debug_message(request)
+
+        # '$or' not available till mongodb 1.5.3
+        user = request.db.User.find_one(
+            {'username': request.POST['username']})
+        if not user:
+            user = request.db.User.find_one(
+                {'email': request.POST['username']})
+
+        if user:
+            if user['email_verified'] and user['status'] == 'active':
+                user[u'fp_verification_key'] = unicode(uuid.uuid4())
+                user[u'fp_token_expire'] = datetime.datetime.now() + \
+                                          datetime.timedelta(days=10)
+                user.save()
+
+                send_fp_verification_email(user, request)
+            else:
+                # special case... we can't send the email because the
+                # username is inactive / hasn't verified their email
+                messages.add_message(
+                    request,
+                    messages.WARNING,
+                    _("Could not send password recovery email as "
+                      "your username is inactive or your account's "
+                      "email address has not been verified."))
+
+                return redirect(
+                    request, 'mediagoblin.user_pages.user_home',
+                    user=user['username'])
+
+        # do not reveal whether or not there is a matching user
+        return redirect(request, 'mediagoblin.auth.fp_email_sent')
+
+    return render_to_response(
+        request,
+        'mediagoblin/auth/forgot_password.html',
+        {'fp_form': fp_form})
+
+
+def verify_forgot_password(request):
+    """
+    Check the forgot-password verification and possibly let the user
+    change their password because of it.
+    """
+    # get form data variables, and specifically check for presence of token
+    formdata = _process_for_token(request)
+    if not formdata['has_userid_and_token']:
+        return render_404(request)
+
+    formdata_token = formdata['vars']['token']
+    formdata_userid = formdata['vars']['userid']
+    formdata_vars = formdata['vars']
+
+    # check if it's a valid Id
+    try:
+        user = request.db.User.find_one(
+            {'_id': ObjectId(unicode(formdata_userid))})
+    except InvalidId:
+        return render_404(request)
+
+    # check if we have a real user and correct token
+    if ((user and user['fp_verification_key'] and
+         user['fp_verification_key'] == unicode(formdata_token) and
+         datetime.datetime.now() < user['fp_token_expire']
+         and user['email_verified'] and user['status'] == 'active')):
+
+        cp_form = auth_forms.ChangePassForm(formdata_vars)
+
+        if request.method == 'POST' and cp_form.validate():
+            user[u'pw_hash'] = auth_lib.bcrypt_gen_password_hash(
+                request.POST['password'])
+            user[u'fp_verification_key'] = None
+            user[u'fp_token_expire'] = None
+            user.save()
+
+            return redirect(request, 'mediagoblin.auth.fp_changed_success')
+        else:
+            return render_to_response(
+                request,
+                'mediagoblin/auth/change_fp.html',
+                {'cp_form': cp_form})
+
+    # in case there is a valid id but no user whit that id in the db
+    # or the token expired
+    else:
+        return render_404(request)
+
+
+def _process_for_token(request):
+    """
+    Checks for tokens in formdata without prior knowledge of request method
+
+    For now, returns whether the userid and token formdata variables exist, and
+    the formdata variables in a hash. Perhaps an object is warranted?
+    """
+    # retrieve the formdata variables
+    if request.method == 'GET':
+        formdata_vars = request.GET
+    else:
+        formdata_vars = request.POST
+
+    formdata = {
+        'vars': formdata_vars,
+        'has_userid_and_token':
+            'userid' in formdata_vars and 'token' in formdata_vars}
+
+    return formdata