diff options
| -rw-r--r-- | mediagoblin/auth/views.py | 18 | ||||
| -rw-r--r-- | mediagoblin/templates/mediagoblin/auth/login.html | 2 |
2 files changed, 12 insertions, 8 deletions
diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py index 7ee89dfb..589d87cf 100644 --- a/mediagoblin/auth/views.py +++ b/mediagoblin/auth/views.py @@ -226,18 +226,19 @@ def verify_forgot_password(request): # If we don't have userid and token parameters, we can't do anything;404 if (not request.GET.has_key('userid') or not request.GET.has_key('token')): - return exc.HTTPNotFound('You must provide userid and token') + return render_404(request) # check if it's a valid Id try: user = request.db.User.find_one( {'_id': ObjectId(unicode(request.GET['userid']))}) except InvalidId: - return exc.HTTPNotFound('Invalid id') + return render_404(request) # check if we have a real user and correct token if (user and - user['fp_verification_key'] == unicode(request.GET['token'])): + user['fp_verification_key'] == unicode(request.GET['token']) and + datetime.datetime.now() < user['fp_token_expire']): cp_form = auth_forms.ChangePassForm(request.GET) return render_to_response( @@ -245,27 +246,30 @@ def verify_forgot_password(request): 'mediagoblin/auth/change_fp.html', {'cp_form': cp_form}) # in case there is a valid id but no user whit that id in the db + # or the token expired else: - return exc.HTTPNotFound('User not found') + return render_404(request) if request.method == 'POST': # verification doing here to prevent POST values modification try: user = request.db.User.find_one( {'_id': ObjectId(unicode(request.POST['userid']))}) except InvalidId: - return exc.HTTPNotFound('Invalid id') + return render_404(request) cp_form = auth_forms.ChangePassForm(request.POST) # verification doing here to prevent POST values modification # if token and id are correct they are able to change their password if (user and - user['fp_verification_key'] == unicode(request.POST['token'])): + user['fp_verification_key'] == unicode(request.POST['token']) and + datetime.datetime.now() < user['fp_token_expire']): if cp_form.validate(): user['pw_hash'] = auth_lib.bcrypt_gen_password_hash( request.POST['password']) user['fp_verification_key'] = None + user['fp_token_expire'] = None user.save() return redirect(request, @@ -276,4 +280,4 @@ def verify_forgot_password(request): 'mediagoblin/auth/change_fp.html', {'cp_form': cp_form}) else: - return exc.HTTPNotFound('User not found') + return render_404(request) diff --git a/mediagoblin/templates/mediagoblin/auth/login.html b/mediagoblin/templates/mediagoblin/auth/login.html index 538e5c08..87963267 100644 --- a/mediagoblin/templates/mediagoblin/auth/login.html +++ b/mediagoblin/templates/mediagoblin/auth/login.html @@ -48,7 +48,7 @@ {% trans %}Forgot your password?{% endtrans %} <br /> <a href="{{ request.urlgen('mediagoblin.auth.forgot_password') }}"> - {%- trans %}Send yourself a reminder!{% endtrans %}</a> + {%- trans %}Change it!{% endtrans %}</a> </p> {% endif %} </div> |