Generalizes error model for change password verification
authorCaleb Forbes Davis V <caldavis@gmail.com>
Mon, 29 Aug 2011 05:00:59 +0000 (00:00 -0500)
committerCaleb Forbes Davis V <caldavis@gmail.com>
Mon, 29 Aug 2011 05:19:54 +0000 (00:19 -0500)
- Returning a 404 instead of 'user not found' limits the user-profile
  information leaked to the browser.
- Also fixed the wording on the login page to make it clear you are
  changing the password, not sending yourself your old one!

mediagoblin/auth/views.py
mediagoblin/templates/mediagoblin/auth/login.html

index 7ee89dfb5fa6eab8179918ac0b6418301dcf02c8..589d87cf7591da050a280ccc97f351fc95b67614 100644 (file)
@@ -226,18 +226,19 @@ def verify_forgot_password(request):
        # If we don't have userid and token parameters, we can't do anything;404
         if (not request.GET.has_key('userid') or
            not request.GET.has_key('token')):
-            return exc.HTTPNotFound('You must provide userid and token')
+            return render_404(request)
 
         # check if it's a valid Id
         try:
             user = request.db.User.find_one(
                 {'_id': ObjectId(unicode(request.GET['userid']))})
         except InvalidId:
-            return exc.HTTPNotFound('Invalid id')
+            return render_404(request)
 
         # check if we have a real user and correct token
         if (user and
-           user['fp_verification_key'] == unicode(request.GET['token'])):
+           user['fp_verification_key'] == unicode(request.GET['token']) and
+           datetime.datetime.now() < user['fp_token_expire']):
             cp_form = auth_forms.ChangePassForm(request.GET)
 
             return render_to_response(
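Review bot: The new expiry test on lines 33-34, `datetime.datetime.now() < user['fp_token_expire']`, raises instead of returning the uniform 404 when a record whose verification key still matches has no `fp_token_expire` field (users whose reset was requested before this field existed) or has it set to `None` (line 68 of the next hunk clears it): Python 2 raises TypeError on a datetime-to-None comparison and a missing key is a KeyError, so either surfaces as a 500 rather than the 404 this commit standardises on. A guard such as `user.get('fp_token_expire') is not None and datetime.datetime.now() < user['fp_token_expire']` keeps the response uniform without changing the success path. The identical comparison is repeated in the POST branch on lines 61-62 of the second hunk and needs the same guard. Note also that `now()` is naive local time; if `fp_token_expire` is stamped with `utcnow()` where the token is issued (outside this diff), the validity window is off by the local UTC offset, which is worth checking at the issuing site. verify_forgot_password's body continues past this hunk.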
@@ -245,27 +246,30 @@ def verify_forgot_password(request):
                    'mediagoblin/auth/change_fp.html',
                    {'cp_form': cp_form})
         # in case there is a valid id but no user whit that id in the db
+        # or the token expired
         else:
-            return exc.HTTPNotFound('User not found')
+            return render_404(request)
     if request.method == 'POST':
         # verification doing here to prevent POST values modification
         try:
             user = request.db.User.find_one(
                 {'_id': ObjectId(unicode(request.POST['userid']))})
         except InvalidId:
-            return exc.HTTPNotFound('Invalid id')
+            return render_404(request)
 
         cp_form = auth_forms.ChangePassForm(request.POST)
 
         # verification doing here to prevent POST values modification
         # if token and id are correct they are able to change their password
         if (user and
-           user['fp_verification_key'] == unicode(request.POST['token'])):
+           user['fp_verification_key'] == unicode(request.POST['token']) and
+           datetime.datetime.now() < user['fp_token_expire']):
 
             if cp_form.validate():
                 user['pw_hash'] = auth_lib.bcrypt_gen_password_hash(
                     request.POST['password'])
                 user['fp_verification_key'] = None
+                user['fp_token_expire'] = None
                 user.save()
 
                 return redirect(request,
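Review bot: The POST branch reads `request.POST['token']` on the new line 61 (and `request.POST['userid']` on the context line 50) with no presence check, unlike the GET branch, so a POST that omits either field presumably raises KeyError from the request dict and returns a 500 rather than the uniform 404 the commit introduces. Mirroring the GET guard before the lookup, `if not request.POST.has_key('userid') or not request.POST.has_key('token'): return render_404(request)`, closes that gap and keeps the error surface identical across both methods. verify_forgot_password's body continues past this hunk.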
@@ -276,4 +280,4 @@ def verify_forgot_password(request):
                        'mediagoblin/auth/change_fp.html',
                        {'cp_form': cp_form})
         else:
-            return exc.HTTPNotFound('User not found')
+            return render_404(request)
index 538e5c089f9fe5028116393aee2612620cabbf00..879632673d635f2b2f77e3077003273559cd9d91 100644 (file)
@@ -48,7 +48,7 @@
           {% trans %}Forgot your password?{% endtrans %}
           <br />
           <a href="{{ request.urlgen('mediagoblin.auth.forgot_password') }}">
-            {%- trans %}Send yourself a reminder!{% endtrans %}</a>
+            {%- trans %}Change it!{% endtrans %}</a>
         </p>
       {% endif %}
     </div>