+++ /dev/null
-# GNU MediaGoblin -- federated, autonomous media hosting
-# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import wtforms
-
-from mediagoblin.tools.translate import lazy_pass_to_ugettext as _
-from mediagoblin.auth.tools import normalize_user_or_email_field
-
-
-class ForgotPassForm(wtforms.Form):
- username = wtforms.TextField(
- _('Username or email'),
- [wtforms.validators.Required(),
- normalize_user_or_email_field()])
-
-
-class ChangePassForm(wtforms.Form):
- password = wtforms.PasswordField(
- 'Password',
- [wtforms.validators.Required(),
- wtforms.validators.Length(min=5, max=1024)])
- token = wtforms.HiddenField(
- '',
- [wtforms.validators.Required()])
('mediagoblin.auth.verify_email', '/verify_email/',
'mediagoblin.auth.views:verify_email'),
('mediagoblin.auth.resend_verification', '/resend_verification/',
- 'mediagoblin.auth.views:resend_activation'),
- ('mediagoblin.auth.forgot_password', '/forgot_password/',
- 'mediagoblin.auth.views:forgot_password'),
- ('mediagoblin.auth.verify_forgot_password',
- '/forgot_password/verify/',
- 'mediagoblin.auth.views:verify_forgot_password')]
+ 'mediagoblin.auth.views:resend_activation')]
rendered_email)
-EMAIL_FP_VERIFICATION_TEMPLATE = (
- u"{uri}?"
- u"token={fp_verification_key}")
-
-
-def send_fp_verification_email(user, request):
- """
- Send the verification email to users to change their password.
-
- Args:
- - user: a user object
- - request: the request
- """
- fp_verification_key = get_timed_signer_url('mail_verification_token') \
- .dumps(user.id)
-
- rendered_email = render_template(
- request, 'mediagoblin/auth/fp_verification_email.txt',
- {'username': user.username,
- 'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format(
- uri=request.urlgen('mediagoblin.auth.verify_forgot_password',
- qualified=True),
- fp_verification_key=fp_verification_key)})
-
- # TODO: There is no error handling in place
- send_email(
- mg_globals.app_config['email_sender_address'],
- [user.email],
- 'GNU MediaGoblin - Change forgotten password!',
- rendered_email)
-
-
def basic_extra_validation(register_form, *args):
users_with_username = User.query.filter_by(
username=register_form.username.data).count()
def no_auth_logout(request):
- """Log out the user if authentication_disabled, but don't delete the messages"""
+ """
+ Log out the user if no authentication is enabled, but don't delete
+ the messages
+ """
if not mg_globals.app.auth and 'user_id' in request.session:
del request.session['user_id']
request.session.save()
from mediagoblin.tools.translate import pass_to_ugettext as _
from mediagoblin.tools.mail import email_debug_message
from mediagoblin.tools.pluginapi import hook_handle
-from mediagoblin.auth import forms as auth_forms
from mediagoblin.auth.tools import (send_verification_email, register_user,
- send_fp_verification_email,
check_login_simple)
-from mediagoblin import auth
@allow_registration
return redirect(
request, 'mediagoblin.user_pages.user_home',
user=request.user.username)
-
-
-def forgot_password(request):
- """
- Forgot password view
-
- Sends an email with an url to renew forgotten password.
- Use GET querystring parameter 'username' to pre-populate the input field
- """
- if not 'pass_auth' in request.template_env.globals:
- return redirect(request, 'index')
-
- fp_form = auth_forms.ForgotPassForm(request.form,
- username=request.args.get('username'))
-
- if not (request.method == 'POST' and fp_form.validate()):
- # Either GET request, or invalid form submitted. Display the template
- return render_to_response(request,
- 'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form,})
-
- # If we are here: method == POST and form is valid. username casing
- # has been sanitized. Store if a user was found by email. We should
- # not reveal if the operation was successful then as we don't want to
- # leak if an email address exists in the system.
- found_by_email = '@' in fp_form.username.data
-
- if found_by_email:
- user = User.query.filter_by(
- email = fp_form.username.data).first()
- # Don't reveal success in case the lookup happened by email address.
- success_message=_("If that email address (case sensitive!) is "
- "registered an email has been sent with instructions "
- "on how to change your password.")
-
- else: # found by username
- user = User.query.filter_by(
- username = fp_form.username.data).first()
-
- if user is None:
- messages.add_message(request,
- messages.WARNING,
- _("Couldn't find someone with that username."))
- return redirect(request, 'mediagoblin.auth.forgot_password')
-
- success_message=_("An email has been sent with instructions "
- "on how to change your password.")
-
- if user and not(user.email_verified and user.status == 'active'):
- # Don't send reminder because user is inactive or has no verified email
- messages.add_message(request,
- messages.WARNING,
- _("Could not send password recovery email as your username is in"
- "active or your account's email address has not been verified."))
-
- return redirect(request, 'mediagoblin.user_pages.user_home',
- user=user.username)
-
- # SUCCESS. Send reminder and return to login page
- if user:
- email_debug_message(request)
- send_fp_verification_email(user, request)
-
- messages.add_message(request, messages.INFO, success_message)
- return redirect(request, 'mediagoblin.auth.login')
-
-
-def verify_forgot_password(request):
- """
- Check the forgot-password verification and possibly let the user
- change their password because of it.
- """
- # get form data variables, and specifically check for presence of token
- formdata = _process_for_token(request)
- if not formdata['has_token']:
- return render_404(request)
-
- formdata_vars = formdata['vars']
-
- # Catch error if token is faked or expired
- try:
- token = get_timed_signer_url("mail_verification_token") \
- .loads(formdata_vars['token'], max_age=10*24*3600)
- except BadSignature:
- messages.add_message(
- request,
- messages.ERROR,
- _('The verification key or user id is incorrect.'))
-
- return redirect(
- request,
- 'index')
-
- # check if it's a valid user id
- user = User.query.filter_by(id=int(token)).first()
-
- # no user in db
- if not user:
- messages.add_message(
- request, messages.ERROR,
- _('The user id is incorrect.'))
- return redirect(
- request, 'index')
-
- # check if user active and has email verified
- if user.email_verified and user.status == 'active':
-
- cp_form = auth_forms.ChangePassForm(formdata_vars)
-
- if request.method == 'POST' and cp_form.validate():
- user.pw_hash = auth.gen_password_hash(
- cp_form.password.data)
- user.save()
-
- messages.add_message(
- request,
- messages.INFO,
- _("You can now log in using your new password."))
- return redirect(request, 'mediagoblin.auth.login')
- else:
- return render_to_response(
- request,
- 'mediagoblin/auth/change_fp.html',
- {'cp_form': cp_form,})
-
- if not user.email_verified:
- messages.add_message(
- request, messages.ERROR,
- _('You need to verify your email before you can reset your'
- ' password.'))
-
- if not user.status == 'active':
- messages.add_message(
- request, messages.ERROR,
- _('You are no longer an active user. Please contact the system'
- ' admin to reactivate your accoutn.'))
-
- return redirect(
- request, 'index')
-
-
-def _process_for_token(request):
- """
- Checks for tokens in formdata without prior knowledge of request method
-
- For now, returns whether the userid and token formdata variables exist, and
- the formdata variables in a hash. Perhaps an object is warranted?
- """
- # retrieve the formdata variables
- if request.method == 'GET':
- formdata_vars = request.GET
- else:
- formdata_vars = request.form
-
- formdata = {
- 'vars': formdata_vars,
- 'has_token': 'token' in formdata_vars}
-
- return formdata
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import os
+
from mediagoblin.plugins.basic_auth import forms as auth_forms
from mediagoblin.plugins.basic_auth import tools as auth_tools
from mediagoblin.auth.tools import create_basic_user
from mediagoblin.tools import pluginapi
from sqlalchemy import or_
+PLUGIN_DIR = os.path.dirname(__file__)
+
def setup_plugin():
config = pluginapi.get_config('mediagoblin.plugins.basic_auth')
+ routes = [
+ ('mediagoblin.plugins.basic_auth.edit.pass',
+ '/edit/password/',
+ 'mediagoblin.plugins.basic_auth.views:change_pass'),
+ ('mediagoblin.plugins.basic_auth.forgot_password',
+ '/auth/forgot_password/',
+ 'mediagoblin.plugins.basic_auth.views:forgot_password'),
+ ('mediagoblin.plugins.basic_auth.verify_forgot_password',
+ '/auth/forgot_password/verify/',
+ 'mediagoblin.plugins.basic_auth.views:verify_forgot_password')]
+
+ pluginapi.register_routes(routes)
+ pluginapi.register_template_path(os.path.join(PLUGIN_DIR, 'templates'))
+
def get_user(**kwargs):
username = kwargs.pop('username', None)
stay_logged_in = wtforms.BooleanField(
label='',
description=_('Stay logged in'))
+
+
+class ForgotPassForm(wtforms.Form):
+ username = wtforms.TextField(
+ _('Username or email'),
+ [wtforms.validators.Required(),
+ normalize_user_or_email_field()])
+
+
+class ChangeForgotPassForm(wtforms.Form):
+ password = wtforms.PasswordField(
+ 'Password',
+ [wtforms.validators.Required(),
+ wtforms.validators.Length(min=5, max=1024)])
+ token = wtforms.HiddenField(
+ '',
+ [wtforms.validators.Required()])
randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
randplus_stored_hash == randplus_hashed_pass
+
+
+EMAIL_FP_VERIFICATION_TEMPLATE = (
+ u"{uri}?"
+ u"token={fp_verification_key}")
+
+
+def send_fp_verification_email(user, request):
+ """
+ Send the verification email to users to change their password.
+
+ Args:
+ - user: a user object
+ - request: the request
+ """
+ fp_verification_key = get_timed_signer_url('mail_verification_token') \
+ .dumps(user.id)
+
+ rendered_email = render_template(
+ request, 'mediagoblin/auth/fp_verification_email.txt',
+ {'username': user.username,
+ 'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format(
+ uri=request.urlgen('mediagoblin.auth.verify_forgot_password',
+ qualified=True),
+ fp_verification_key=fp_verification_key)})
+
+ # TODO: There is no error handling in place
+ send_email(
+ mg_globals.app_config['email_sender_address'],
+ [user.email],
+ 'GNU MediaGoblin - Change forgotten password!',
+ rendered_email)
+
--- /dev/null
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+from itsdangerous import BadSignature
+
+from mediagoblin import messages
+from mediagoblin.db.models import User
+from mediagoblin.plugins.basic_auth import forms, tools
+from mediagoblin.tools.crypto import get_timed_signer_url
+from mediagoblin.tools.mail import email_debug_message
+from mediagoblin.tools.response import redirect, render_to_response, render_404
+from mediagoblin.tools.translate import pass_to_ugettext as _
+
+
+def forgot_password(request):
+ """
+ Forgot password view
+
+ Sends an email with an url to renew forgotten password.
+ Use GET querystring parameter 'username' to pre-populate the input field
+ """
+ fp_form = forms.ForgotPassForm(request.form,
+ username=request.args.get('username'))
+
+ if not (request.method == 'POST' and fp_form.validate()):
+ # Either GET request, or invalid form submitted. Display the template
+ return render_to_response(request,
+ 'mediagoblin/plugins/basic_auth/forgot_password.html',
+ {'fp_form': fp_form})
+
+ # If we are here: method == POST and form is valid. username casing
+ # has been sanitized. Store if a user was found by email. We should
+ # not reveal if the operation was successful then as we don't want to
+ # leak if an email address exists in the system.
+ found_by_email = '@' in fp_form.username.data
+
+ if found_by_email:
+ user = User.query.filter_by(
+ email=fp_form.username.data).first()
+ # Don't reveal success in case the lookup happened by email address.
+ success_message = _("If that email address (case sensitive!) is "
+ "registered an email has been sent with "
+ "instructions on how to change your password.")
+
+ else: # found by username
+ user = User.query.filter_by(
+ username=fp_form.username.data).first()
+
+ if user is None:
+ messages.add_message(request,
+ messages.WARNING,
+ _("Couldn't find someone with that username."))
+ return redirect(request, 'mediagoblin.auth.forgot_password')
+
+ success_message = _("An email has been sent with instructions "
+ "on how to change your password.")
+
+ if user and not(user.email_verified and user.status == 'active'):
+ # Don't send reminder because user is inactive or has no verified email
+ messages.add_message(request,
+ messages.WARNING,
+ _("Could not send password recovery email as your username is in"
+ "active or your account's email address has not been verified."))
+
+ return redirect(request, 'mediagoblin.user_pages.user_home',
+ user=user.username)
+
+ # SUCCESS. Send reminder and return to login page
+ if user:
+ email_debug_message(request)
+ tools.send_fp_verification_email(user, request)
+
+ messages.add_message(request, messages.INFO, success_message)
+ return redirect(request, 'mediagoblin.auth.login')
+
+
+def verify_forgot_password(request):
+ """
+ Check the forgot-password verification and possibly let the user
+ change their password because of it.
+ """
+ # get form data variables, and specifically check for presence of token
+ formdata = _process_for_token(request)
+ if not formdata['has_token']:
+ return render_404(request)
+
+ formdata_vars = formdata['vars']
+
+ # Catch error if token is faked or expired
+ try:
+ token = get_timed_signer_url("mail_verification_token") \
+ .loads(formdata_vars['token'], max_age=10*24*3600)
+ except BadSignature:
+ messages.add_message(
+ request,
+ messages.ERROR,
+ _('The verification key or user id is incorrect.'))
+
+ return redirect(
+ request,
+ 'index')
+
+ # check if it's a valid user id
+ user = User.query.filter_by(id=int(token)).first()
+
+ # no user in db
+ if not user:
+ messages.add_message(
+ request, messages.ERROR,
+ _('The user id is incorrect.'))
+ return redirect(
+ request, 'index')
+
+ # check if user active and has email verified
+ if user.email_verified and user.status == 'active':
+
+ cp_form = forms.ChangePassForm(formdata_vars)
+
+ if request.method == 'POST' and cp_form.validate():
+ user.pw_hash = tools.bcrypt_gen_password_hash(
+ cp_form.password.data)
+ user.save()
+
+ messages.add_message(
+ request,
+ messages.INFO,
+ _("You can now log in using your new password."))
+ return redirect(request, 'mediagoblin.auth.login')
+ else:
+ return render_to_response(
+ request,
+ 'mediagoblin/plugins/basic_auth/change_fp.html',
+ {'cp_form': cp_form})
+
+ if not user.email_verified:
+ messages.add_message(
+ request, messages.ERROR,
+ _('You need to verify your email before you can reset your'
+ ' password.'))
+
+ if not user.status == 'active':
+ messages.add_message(
+ request, messages.ERROR,
+ _('You are no longer an active user. Please contact the system'
+ ' admin to reactivate your accoutn.'))
+
+ return redirect(
+ request, 'index')
+
+
+def _process_for_token(request):
+ """
+ Checks for tokens in formdata without prior knowledge of request method
+
+ For now, returns whether the userid and token formdata variables exist, and
+ the formdata variables in a hash. Perhaps an object is warranted?
+ """
+ # retrieve the formdata variables
+ if request.method == 'GET':
+ formdata_vars = request.GET
+ else:
+ formdata_vars = request.form
+
+ formdata = {
+ 'vars': formdata_vars,
+ 'has_token': 'token' in formdata_vars}
+
+ return formdata
projects / mediagoblin.git / commitdiff