return redirect(
request, 'mediagoblin.user_pages.user_home',
user=request.user.username)
-
-
-def forgot_password(request):
- """
- Forgot password view
-
- Sends an email with an url to renew forgotten password.
- Use GET querystring parameter 'username' to pre-populate the input field
- """
- if not 'pass_auth' in request.template_env.globals:
- return redirect(request, 'index')
-
- fp_form = auth_forms.ForgotPassForm(request.form,
- username=request.args.get('username'))
-
- if not (request.method == 'POST' and fp_form.validate()):
- # Either GET request, or invalid form submitted. Display the template
- return render_to_response(request,
- 'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form,})
-
- # If we are here: method == POST and form is valid. username casing
- # has been sanitized. Store if a user was found by email. We should
- # not reveal if the operation was successful then as we don't want to
- # leak if an email address exists in the system.
- found_by_email = '@' in fp_form.username.data
-
- if found_by_email:
- user = User.query.filter_by(
- email = fp_form.username.data).first()
- # Don't reveal success in case the lookup happened by email address.
- success_message=_("If that email address (case sensitive!) is "
- "registered an email has been sent with instructions "
- "on how to change your password.")
-
- else: # found by username
- user = User.query.filter_by(
- username = fp_form.username.data).first()
-
- if user is None:
- messages.add_message(request,
- messages.WARNING,
- _("Couldn't find someone with that username."))
- return redirect(request, 'mediagoblin.auth.forgot_password')
-
- success_message=_("An email has been sent with instructions "
- "on how to change your password.")
-
- if user and not(user.has_privilege(u'active')):
- # Don't send reminder because user is inactive or has no verified email
- messages.add_message(request,
- messages.WARNING,
- _("Could not send password recovery email as your username is in"
- "active or your account's email address has not been verified."))
-
- return redirect(request, 'mediagoblin.user_pages.user_home',
- user=user.username)
-
- # SUCCESS. Send reminder and return to login page
- if user:
- email_debug_message(request)
- send_fp_verification_email(user, request)
-
- messages.add_message(request, messages.INFO, success_message)
- return redirect(request, 'mediagoblin.auth.login')
-
-
-def verify_forgot_password(request):
- """
- Check the forgot-password verification and possibly let the user
- change their password because of it.
- """
- # get form data variables, and specifically check for presence of token
- formdata = _process_for_token(request)
- if not formdata['has_token']:
- return render_404(request)
-
- formdata_vars = formdata['vars']
-
- # Catch error if token is faked or expired
- try:
- token = get_timed_signer_url("mail_verification_token") \
- .loads(formdata_vars['token'], max_age=10*24*3600)
- except BadSignature:
- messages.add_message(
- request,
- messages.ERROR,
- _('The verification key or user id is incorrect.'))
-
- return redirect(
- request,
- 'index')
-
- # check if it's a valid user id
- user = User.query.filter_by(id=int(token)).first()
-
- # no user in db
- if not user:
- messages.add_message(
- request, messages.ERROR,
- _('The user id is incorrect.'))
- return redirect(
- request, 'index')
-
- # check if user active
- if user.has_privilege(u'active'):
-
- cp_form = auth_forms.ChangePassForm(formdata_vars)
-
- if request.method == 'POST' and cp_form.validate():
- user.pw_hash = auth.gen_password_hash(
- cp_form.password.data)
- user.save()
-
- messages.add_message(
- request,
- messages.INFO,
- _("You can now log in using your new password."))
- return redirect(request, 'mediagoblin.auth.login')
- else:
- return render_to_response(
- request,
- 'mediagoblin/auth/change_fp.html',
- {'cp_form': cp_form,})
-
- if not user.has_privilege(u'active'):
- messages.add_message(
- request, messages.ERROR,
- _('You need to verify your email before you can reset your'
- ' password.'))
-
- if not user.has_privilege(u'active'):
- messages.add_message(
- request, messages.ERROR,
- _('You are no longer an active user. Please contact the system'
- ' admin to reactivate your account.'))
-
- return redirect(
- request, 'index')
-
-
-def _process_for_token(request):
- """
- Checks for tokens in formdata without prior knowledge of request method
-
- For now, returns whether the userid and token formdata variables exist, and
- the formdata variables in a hash. Perhaps an object is warranted?
- """
- # retrieve the formdata variables
- if request.method == 'GET':
- formdata_vars = request.GET
- else:
- formdata_vars = request.form
-
- formdata = {
- 'vars': formdata_vars,
- 'has_token': 'token' in formdata_vars}
-
- return formdata
projects / mediagoblin.git / commitdiff