-rw-r--r--mediagoblin/auth/views.py4
-rw-r--r--mediagoblin/tests/test_auth.py10
2 files changed, 12 insertions, 2 deletions
diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py
index 7ffa7416..c18bfa34 100644
--- a/mediagoblin/auth/views.py
+++ b/mediagoblin/auth/views.py
@@ -224,7 +224,7 @@ def forgot_password(request):
def verify_forgot_password(request):
# get session variables, and specifically check for presence of token
mysession = _process_for_token(request)
- if not mysession['token_complete']:
+ if not mysession['has_userid_and_token']:
return render_404(request)
session_token = mysession['vars']['token']
@@ -275,6 +275,6 @@ def _process_for_token(request):
session_vars = request.POST
mysession = {'vars': session_vars,
- 'token_complete': session_vars.has_key('userid') and
+ 'has_userid_and_token': session_vars.has_key('userid') and
session_vars.has_key('token')}
return mysession
diff --git a/mediagoblin/tests/test_auth.py b/mediagoblin/tests/test_auth.py
index a8e2d123..bfa66bd2 100644
--- a/mediagoblin/tests/test_auth.py
+++ b/mediagoblin/tests/test_auth.py
@@ -281,6 +281,16 @@ def test_register_views(test_app):
new_user['_id']), status=400)
assert response.status == '400 Bad Request'
+ ## Try using an expired token to change password, shouldn't work
+ util.clear_test_template_context()
+ real_token_expiration = new_user['fp_token_expire']
+ new_user['fp_token_expire'] = datetime.datetime.now()
+ new_user.save()
+ response = test_app.get("%s?%s" % (path, get_params), status=400)
+ assert response.status == '400 Bad Request'
+ new_user['fp_token_expire'] = real_token_expiration
+ new_user.save()
+
## Verify step 1 of password-change works -- can see form to change password
util.clear_test_template_context()
response = test_app.get("%s?%s" % (path, get_params))
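Review bot: The expired-token case sets `new_user['fp_token_expire'] = datetime.datetime.now()`, which places the expiry on the boundary instead of clearly in the past. Whether the request gets a 400 then depends on how the view compares the timestamps (not visible in this hunk) and on time elapsing between `save()` and the GET. An unambiguous value such as `new_user['fp_token_expire'] = datetime.datetime.now() - datetime.timedelta(days=1)` would make the check deterministic. The original expiry is restored only if the assert passes, so a one-line comment noting that later steps depend on that restore would help; `test_register_views` begins and continues outside this hunk. The hunk also does not show whether `datetime` is imported in this test module, which is worth confirming.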