X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=mediagoblin%2Fauth%2Fviews.py;h=f707ecbea0006aaa877c3cc907fb939d99d7d93c;hb=d8db95e4b72ae30c368aeba41993004b95bc7412;hp=caf9835a6974f646dc5b23908edf2c78d40a58c4;hpb=7a3d00ec217cc3fd44788b9d8c63ab9f7b1d05a7;p=mediagoblin.git
diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py
index caf9835a..f707ecbe 100644
--- a/mediagoblin/auth/views.py
+++ b/mediagoblin/auth/views.py
@@ -84,6 +84,7 @@ def register(request):
 user.email = email
 user.pw_hash = auth_lib.bcrypt_gen_password_hash(
 request.POST['password'])
+ user.verification_key = unicode(uuid.uuid4())
 user.save(validate=True)
 # log the user in
@@ -166,10 +167,10 @@ def verify_email(request):
 user = request.db.User.find_one(
 {'_id': ObjectId(unicode(request.GET['userid']))})
- if user and user['verification_key'] == unicode(request.GET['token']):
+ if user and user.verification_key == unicode(request.GET['token']):
 user.status = u'active'
 user.email_verified = True
- user[u'verification_key'] = None
+ user.verification_key = None
 user.save()
@@ -212,7 +213,7 @@ def resend_activation(request):
 return redirect(request, "mediagoblin.user_pages.user_home",
 user=request.user['username'])
- request.user[u'verification_key'] = unicode(uuid.uuid4())
+ request.user.verification_key = unicode(uuid.uuid4())
 request.user.save()
 email_debug_message(request)
@@ -231,16 +232,12 @@ def forgot_password(request):
 """
 Forgot password view
- Sends an email whit an url to renew forgoten password
+ Sends an email with an url to renew forgotten password
 """
 fp_form = auth_forms.ForgotPassForm(request.POST)
 if request.method == 'POST' and fp_form.validate():
- # Here, so it doesn't depend on the actual mail being sent
- # and thus doesn't reveal, wether mail was sent.
- email_debug_message(request)
-
 # '$or' not available till mongodb 1.5.3
 user = request.db.User.find_one(
 {'username': request.POST['username']})
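Review bot: The added line `user.verification_key = unicode(uuid.uuid4())` duplicates the token generation that resend_activation already performs in the `@@ -212` hunk, so the two call sites can drift apart if the activation-token format ever changes. A small module-level helper such as `def _new_verification_key(): return unicode(uuid.uuid4())`, called from both places, keeps the scheme in one spot and gives it a docstring explaining that the value is a one-shot, unguessable activation token. uuid4 is drawn from the OS random source where one is available, so the value itself is suitable for that purpose; this is a consistency point, not a correctness fix. register's body continues outside the hunk.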
@@ -250,12 +247,20 @@ def forgot_password(request):
 if user:
 if user.email_verified and user.status == 'active':
- user[u'fp_verification_key'] = unicode(uuid.uuid4())
- user[u'fp_token_expire'] = datetime.datetime.now() + \
+ user.fp_verification_key = unicode(uuid.uuid4())
+ user.fp_token_expire = datetime.datetime.now() + \
 datetime.timedelta(days=10)
 user.save()
 send_fp_verification_email(user, request)
+
+ messages.add_message(
+ request,
+ messages.INFO,
+ _("An email has been sent with instructions on how to "
+ "change your password."))
+ email_debug_message(request)
+
 else:
 # special case... we can't send the email because the
 # username is inactive / hasn't verified their email
@@ -269,9 +274,13 @@ def forgot_password(request):
 return redirect(
 request, 'mediagoblin.user_pages.user_home',
 user=user.username)
-
- # do not reveal whether or not there is a matching user
- return redirect(request, 'mediagoblin.auth.fp_email_sent')
+ return redirect(request, 'mediagoblin.auth.login')
+ else:
+ messages.add_message(
+ request,
+ messages.WARNING,
+ _("Couldn't find someone with that username or email."))
+ return redirect(request, 'mediagoblin.auth.forgot_password')
 return render_to_response(
 request,
@@ -301,9 +310,9 @@ def verify_forgot_password(request):
 return render_404(request)
 # check if we have a real user and correct token
- if ((user and user['fp_verification_key'] and
- user['fp_verification_key'] == unicode(formdata_token) and
- datetime.datetime.now() < user['fp_token_expire']
+ if ((user and user.fp_verification_key and
+ user.fp_verification_key == unicode(formdata_token) and
+ datetime.datetime.now() < user.fp_token_expire
 and user.email_verified and user.status == 'active')):
 cp_form = auth_forms.ChangePassForm(formdata_vars)
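Review bot: The response of forgot_password now depends on whether the lookup found an account: the `messages.INFO` text "An email has been sent..." and the `email_debug_message(request)` call run only when a user exists and is active, while the `@@ -269` hunk answers every other submission with `messages.WARNING` "Couldn't find someone with that username or email." and a redirect back to the form, and the pre-existing inactive-account branch redirects to `user_home` instead. Taken together the view tells a submitter which usernames exist and which are still unverified, which is what the removed comment `# do not reveal whether or not there is a matching user` was protecting against. A defensive layout returns one neutral message and one redirect target for every submission regardless of the lookup result, and keeps `email_debug_message(request)` outside the `if user:` block so the debug output does not depend on a match either; the success-only `messages.INFO` can then be the single message shown in all cases. forgot_password starts before this hunk, and its final render_to_response call lies in the next one.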
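Review bot: The rewritten guard still compares a cleartext reset token held on the user record, `user.fp_verification_key == unicode(formdata_token)`, so anyone who can read the users collection holds a usable password-reset credential for every pending request. Storing only a digest of the token at issue time and comparing digests here would limit that exposure (a plain hash is sufficient for a high-entropy random value, unlike the bcrypt treatment the password gets); the same consideration applies to `verification_key` in the `@@ -166` hunk. Note also that the short-circuit on `user.fp_verification_key` is what keeps `datetime.datetime.now() < user.fp_token_expire` from being evaluated against a `None` expiry, so any code path that sets the key must set `fp_token_expire` alongside it, which the `@@ -250` hunk does. verify_forgot_password begins before this hunk and continues in the next one.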
@@ -311,8 +320,8 @@ def verify_forgot_password(request):
 if request.method == 'POST' and cp_form.validate():
 user.pw_hash = auth_lib.bcrypt_gen_password_hash(
 request.POST['password'])
- user[u'fp_verification_key'] = None
- user[u'fp_token_expire'] = None
+ user.fp_verification_key = None
+ user.fp_token_expire = None
 user.save()
 return redirect(request, 'mediagoblin.auth.fp_changed_success')