moved forgot pass to basic_auth plugin

4 files changed, 5 insertions, 237 deletions

diff --git a/mediagoblin/auth/forms.py b/mediagoblin/auth/forms.py
deleted file mode 100644
index 865502e9..00000000
--- a/mediagoblin/auth/forms.py
+++ /dev/null
@@ -1,37 +0,0 @@
-# GNU MediaGoblin -- federated, autonomous media hosting
-# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import wtforms
-
-from mediagoblin.tools.translate import lazy_pass_to_ugettext as _
-from mediagoblin.auth.tools import normalize_user_or_email_field
-
-
-class ForgotPassForm(wtforms.Form):
-    username = wtforms.TextField(
-        _('Username or email'),
-        [wtforms.validators.Required(),
-         normalize_user_or_email_field()])
-
-
-class ChangePassForm(wtforms.Form):
-    password = wtforms.PasswordField(
-        'Password',
-        [wtforms.validators.Required(),
-         wtforms.validators.Length(min=5, max=1024)])
-    token = wtforms.HiddenField(
-        '',
-        [wtforms.validators.Required()])
diff --git a/mediagoblin/auth/routing.py b/mediagoblin/auth/routing.py
index 2a6abb47..7a688a49 100644
--- a/mediagoblin/auth/routing.py
+++ b/mediagoblin/auth/routing.py
@@ -25,9 +25,4 @@ auth_routes = [
     ('mediagoblin.auth.verify_email', '/verify_email/',
      'mediagoblin.auth.views:verify_email'),
     ('mediagoblin.auth.resend_verification', '/resend_verification/',
-     'mediagoblin.auth.views:resend_activation'),
-    ('mediagoblin.auth.forgot_password', '/forgot_password/',
-     'mediagoblin.auth.views:forgot_password'),
-    ('mediagoblin.auth.verify_forgot_password',
-     '/forgot_password/verify/',
-     'mediagoblin.auth.views:verify_forgot_password')]
+     'mediagoblin.auth.views:resend_activation')]
diff --git a/mediagoblin/auth/tools.py b/mediagoblin/auth/tools.py
index 579775ff..20c1f5c2 100644
--- a/mediagoblin/auth/tools.py
+++ b/mediagoblin/auth/tools.py
@@ -101,38 +101,6 @@ def send_verification_email(user, request, email=None,
         rendered_email)
 
 
-EMAIL_FP_VERIFICATION_TEMPLATE = (
-    u"{uri}?"
-    u"token={fp_verification_key}")
-
-
-def send_fp_verification_email(user, request):
-    """
-    Send the verification email to users to change their password.
-
-    Args:
-    - user: a user object
-    - request: the request
-    """
-    fp_verification_key = get_timed_signer_url('mail_verification_token') \
-            .dumps(user.id)
-
-    rendered_email = render_template(
-        request, 'mediagoblin/auth/fp_verification_email.txt',
-        {'username': user.username,
-         'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format(
-             uri=request.urlgen('mediagoblin.auth.verify_forgot_password',
-                                qualified=True),
-             fp_verification_key=fp_verification_key)})
-
-    # TODO: There is no error handling in place
-    send_email(
-        mg_globals.app_config['email_sender_address'],
-        [user.email],
-        'GNU MediaGoblin - Change forgotten password!',
-        rendered_email)
-
-
 def basic_extra_validation(register_form, *args):
     users_with_username = User.query.filter_by(
         username=register_form.username.data).count()
@@ -196,7 +164,10 @@ def check_auth_enabled():
 
 
 def no_auth_logout(request):
-    """Log out the user if authentication_disabled, but don't delete the messages"""
+    """
+    Log out the user if no authentication is enabled, but don't delete
+    the messages
+    """
     if not mg_globals.app.auth and 'user_id' in request.session:
         del request.session['user_id']
         request.session.save()
diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py
index dd71d5c1..285bddf6 100644
--- a/mediagoblin/auth/views.py
+++ b/mediagoblin/auth/views.py
@@ -24,11 +24,8 @@ from mediagoblin.tools.response import render_to_response, redirect, render_404
 from mediagoblin.tools.translate import pass_to_ugettext as _
 from mediagoblin.tools.mail import email_debug_message
 from mediagoblin.tools.pluginapi import hook_handle
-from mediagoblin.auth import forms as auth_forms
 from mediagoblin.auth.tools import (send_verification_email, register_user,
-                                    send_fp_verification_email,
                                     check_login_simple)
-from mediagoblin import auth
 
 
 @allow_registration
@@ -204,161 +201,3 @@ def resend_activation(request):
     return redirect(
         request, 'mediagoblin.user_pages.user_home',
         user=request.user.username)
-
-
-def forgot_password(request):
-    """
-    Forgot password view
-
-    Sends an email with an url to renew forgotten password.
-    Use GET querystring parameter 'username' to pre-populate the input field
-    """
-    if not 'pass_auth' in request.template_env.globals:
-        return redirect(request, 'index')
-
-    fp_form = auth_forms.ForgotPassForm(request.form,
-                                        username=request.args.get('username'))
-
-    if not (request.method == 'POST' and fp_form.validate()):
-        # Either GET request, or invalid form submitted. Display the template
-        return render_to_response(request,
-            'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form,})
-
-    # If we are here: method == POST and form is valid. username casing
-    # has been sanitized. Store if a user was found by email. We should
-    # not reveal if the operation was successful then as we don't want to
-    # leak if an email address exists in the system.
-    found_by_email = '@' in fp_form.username.data
-
-    if found_by_email:
-        user = User.query.filter_by(
-            email = fp_form.username.data).first()
-        # Don't reveal success in case the lookup happened by email address.
-        success_message=_("If that email address (case sensitive!) is "
-                          "registered an email has been sent with instructions "
-                          "on how to change your password.")
-
-    else: # found by username
-        user = User.query.filter_by(
-            username = fp_form.username.data).first()
-
-        if user is None:
-            messages.add_message(request,
-                                 messages.WARNING,
-                                 _("Couldn't find someone with that username."))
-            return redirect(request, 'mediagoblin.auth.forgot_password')
-
-        success_message=_("An email has been sent with instructions "
-                          "on how to change your password.")
-
-    if user and not(user.email_verified and user.status == 'active'):
-        # Don't send reminder because user is inactive or has no verified email
-        messages.add_message(request,
-            messages.WARNING,
-            _("Could not send password recovery email as your username is in"
-              "active or your account's email address has not been verified."))
-
-        return redirect(request, 'mediagoblin.user_pages.user_home',
-                        user=user.username)
-
-    # SUCCESS. Send reminder and return to login page
-    if user:
-        email_debug_message(request)
-        send_fp_verification_email(user, request)
-
-    messages.add_message(request, messages.INFO, success_message)
-    return redirect(request, 'mediagoblin.auth.login')
-
-
-def verify_forgot_password(request):
-    """
-    Check the forgot-password verification and possibly let the user
-    change their password because of it.
-    """
-    # get form data variables, and specifically check for presence of token
-    formdata = _process_for_token(request)
-    if not formdata['has_token']:
-        return render_404(request)
-
-    formdata_vars = formdata['vars']
-
-    # Catch error if token is faked or expired
-    try:
-        token = get_timed_signer_url("mail_verification_token") \
-                .loads(formdata_vars['token'], max_age=10*24*3600)
-    except BadSignature:
-        messages.add_message(
-            request,
-            messages.ERROR,
-            _('The verification key or user id is incorrect.'))
-
-        return redirect(
-            request,
-            'index')
-
-    # check if it's a valid user id
-    user = User.query.filter_by(id=int(token)).first()
-
-    # no user in db
-    if not user:
-        messages.add_message(
-            request, messages.ERROR,
-            _('The user id is incorrect.'))
-        return redirect(
-            request, 'index')
-
-    # check if user active and has email verified
-    if user.email_verified and user.status == 'active':
-
-        cp_form = auth_forms.ChangePassForm(formdata_vars)
-
-        if request.method == 'POST' and cp_form.validate():
-            user.pw_hash = auth.gen_password_hash(
-                cp_form.password.data)
-            user.save()
-
-            messages.add_message(
-                request,
-                messages.INFO,
-                _("You can now log in using your new password."))
-            return redirect(request, 'mediagoblin.auth.login')
-        else:
-            return render_to_response(
-                request,
-                'mediagoblin/auth/change_fp.html',
-                {'cp_form': cp_form,})
-
-    if not user.email_verified:
-        messages.add_message(
-            request, messages.ERROR,
-            _('You need to verify your email before you can reset your'
-              ' password.'))
-
-    if not user.status == 'active':
-        messages.add_message(
-            request, messages.ERROR,
-            _('You are no longer an active user. Please contact the system'
-              ' admin to reactivate your accoutn.'))
-
-    return redirect(
-        request, 'index')
-
-
-def _process_for_token(request):
-    """
-    Checks for tokens in formdata without prior knowledge of request method
-
-    For now, returns whether the userid and token formdata variables exist, and
-    the formdata variables in a hash. Perhaps an object is warranted?
-    """
-    # retrieve the formdata variables
-    if request.method == 'GET':
-        formdata_vars = request.GET
-    else:
-        formdata_vars = request.form
-
-    formdata = {
-        'vars': formdata_vars,
-        'has_token': 'token' in formdata_vars}
-
-    return formdata