diff options
Diffstat (limited to 'mediagoblin/auth')
| -rw-r--r-- | mediagoblin/auth/__init__.py | 29 | ||||
| -rw-r--r-- | mediagoblin/auth/forms.py | 93 | ||||
| -rw-r--r-- | mediagoblin/auth/lib.py | 155 | ||||
| -rw-r--r-- | mediagoblin/auth/routing.py | 7 | ||||
| -rw-r--r-- | mediagoblin/auth/tools.py | 191 | ||||
| -rw-r--r-- | mediagoblin/auth/views.py | 280 |
6 files changed, 280 insertions, 475 deletions
diff --git a/mediagoblin/auth/__init__.py b/mediagoblin/auth/__init__.py index 621845ba..be5d0eed 100644 --- a/mediagoblin/auth/__init__.py +++ b/mediagoblin/auth/__init__.py @@ -13,3 +13,32 @@ # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +from mediagoblin.tools.pluginapi import hook_handle, hook_runall + + +def get_user(**kwargs): + """ Takes a kwarg such as username and returns a user object """ + return hook_handle("auth_get_user", **kwargs) + + +def create_user(register_form): + results = hook_runall("auth_create_user", register_form) + return results[0] + + +def extra_validation(register_form): + from mediagoblin.auth.tools import basic_extra_validation + + extra_validation_passes = basic_extra_validation(register_form) + if False in hook_runall("auth_extra_validation", register_form): + extra_validation_passes = False + return extra_validation_passes + + +def gen_password_hash(raw_pass, extra_salt=None): + return hook_handle("auth_gen_password_hash", raw_pass, extra_salt) + + +def check_password(raw_pass, stored_hash, extra_salt=None): + return hook_handle("auth_check_password", + raw_pass, stored_hash, extra_salt) diff --git a/mediagoblin/auth/forms.py b/mediagoblin/auth/forms.py deleted file mode 100644 index 33e1f45c..00000000 --- a/mediagoblin/auth/forms.py +++ /dev/null @@ -1,93 +0,0 @@ -# GNU MediaGoblin -- federated, autonomous media hosting -# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS. -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -import wtforms - -from mediagoblin.tools.mail import normalize_email -from mediagoblin.tools.translate import lazy_pass_to_ugettext as _ - -def normalize_user_or_email_field(allow_email=True, allow_user=True): - """Check if we were passed a field that matches a username and/or email pattern - - This is useful for fields that can take either a username or email - address. Use the parameters if you want to only allow a username for - instance""" - message = _(u'Invalid User name or email address.') - nomail_msg = _(u"This field does not take email addresses.") - nouser_msg = _(u"This field requires an email address.") - - def _normalize_field(form, field): - email = u'@' in field.data - if email: # normalize email address casing - if not allow_email: - raise wtforms.ValidationError(nomail_msg) - wtforms.validators.Email()(form, field) - field.data = normalize_email(field.data) - else: # lower case user names - if not allow_user: - raise wtforms.ValidationError(nouser_msg) - wtforms.validators.Length(min=3, max=30)(form, field) - wtforms.validators.Regexp(r'^\w+$')(form, field) - field.data = field.data.lower() - if field.data is None: # should not happen, but be cautious anyway - raise wtforms.ValidationError(message) - return _normalize_field - - -class RegistrationForm(wtforms.Form): - username = wtforms.TextField( - _('Username'), - [wtforms.validators.Required(), - normalize_user_or_email_field(allow_email=False)]) - password = wtforms.PasswordField( - _('Password'), - [wtforms.validators.Required(), - wtforms.validators.Length(min=5, max=1024)]) - email = wtforms.TextField( - _('Email address'), - [wtforms.validators.Required(), - normalize_user_or_email_field(allow_user=False)]) - - -class LoginForm(wtforms.Form): - username = wtforms.TextField( - _('Username or Email'), - [wtforms.validators.Required(), - normalize_user_or_email_field()]) - password = wtforms.PasswordField( - _('Password'), - [wtforms.validators.Required(), - wtforms.validators.Length(min=5, max=1024)]) - - -class ForgotPassForm(wtforms.Form): - username = wtforms.TextField( - _('Username or email'), - [wtforms.validators.Required(), - normalize_user_or_email_field()]) - - -class ChangePassForm(wtforms.Form): - password = wtforms.PasswordField( - 'Password', - [wtforms.validators.Required(), - wtforms.validators.Length(min=5, max=1024)]) - userid = wtforms.HiddenField( - '', - [wtforms.validators.Required()]) - token = wtforms.HiddenField( - '', - [wtforms.validators.Required()]) diff --git a/mediagoblin/auth/lib.py b/mediagoblin/auth/lib.py deleted file mode 100644 index 8829995a..00000000 --- a/mediagoblin/auth/lib.py +++ /dev/null @@ -1,155 +0,0 @@ -# GNU MediaGoblin -- federated, autonomous media hosting -# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS. -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -import random - -import bcrypt - -from mediagoblin.tools.mail import send_email -from mediagoblin.tools.template import render_template -from mediagoblin import mg_globals - - -def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None): - """ - Check to see if this password matches. - - Args: - - raw_pass: user submitted password to check for authenticity. - - stored_hash: The hash of the raw password (and possibly extra - salt) to check against - - extra_salt: (optional) If this password is with stored with a - non-database extra salt (probably in the config file) for extra - security, factor this into the check. - - Returns: - True or False depending on success. - """ - if extra_salt: - raw_pass = u"%s:%s" % (extra_salt, raw_pass) - - hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash) - - # Reduce risk of timing attacks by hashing again with a random - # number (thx to zooko on this advice, which I hopefully - # incorporated right.) - # - # See also: - rand_salt = bcrypt.gensalt(5) - randplus_stored_hash = bcrypt.hashpw(stored_hash, rand_salt) - randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt) - - return randplus_stored_hash == randplus_hashed_pass - - -def bcrypt_gen_password_hash(raw_pass, extra_salt=None): - """ - Generate a salt for this new password. - - Args: - - raw_pass: user submitted password - - extra_salt: (optional) If this password is with stored with a - non-database extra salt - """ - if extra_salt: - raw_pass = u"%s:%s" % (extra_salt, raw_pass) - - return unicode( - bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt())) - - -def fake_login_attempt(): - """ - Pretend we're trying to login. - - Nothing actually happens here, we're just trying to take up some - time, approximately the same amount of time as - bcrypt_check_password, so as to avoid figuring out what users are - on the system by intentionally faking logins a bunch of times. - """ - rand_salt = bcrypt.gensalt(5) - - hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt) - - randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt) - randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt) - - randplus_stored_hash == randplus_hashed_pass - - -EMAIL_VERIFICATION_TEMPLATE = ( - u"http://{host}{uri}?" - u"userid={userid}&token={verification_key}") - - -def send_verification_email(user, request): - """ - Send the verification email to users to activate their accounts. - - Args: - - user: a user object - - request: the request - """ - rendered_email = render_template( - request, 'mediagoblin/auth/verification_email.txt', - {'username': user.username, - 'verification_url': EMAIL_VERIFICATION_TEMPLATE.format( - host=request.host, - uri=request.urlgen('mediagoblin.auth.verify_email'), - userid=unicode(user.id), - verification_key=user.verification_key)}) - - # TODO: There is no error handling in place - send_email( - mg_globals.app_config['email_sender_address'], - [user.email], - # TODO - # Due to the distributed nature of GNU MediaGoblin, we should - # find a way to send some additional information about the - # specific GNU MediaGoblin instance in the subject line. For - # example "GNU MediaGoblin @ Wandborg - [...]". - 'GNU MediaGoblin - Verify your email!', - rendered_email) - - -EMAIL_FP_VERIFICATION_TEMPLATE = ( - u"http://{host}{uri}?" - u"userid={userid}&token={fp_verification_key}") - - -def send_fp_verification_email(user, request): - """ - Send the verification email to users to change their password. - - Args: - - user: a user object - - request: the request - """ - rendered_email = render_template( - request, 'mediagoblin/auth/fp_verification_email.txt', - {'username': user.username, - 'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format( - host=request.host, - uri=request.urlgen('mediagoblin.auth.verify_forgot_password'), - userid=unicode(user.id), - fp_verification_key=user.fp_verification_key)}) - - # TODO: There is no error handling in place - send_email( - mg_globals.app_config['email_sender_address'], - [user.email], - 'GNU MediaGoblin - Change forgotten password!', - rendered_email) diff --git a/mediagoblin/auth/routing.py b/mediagoblin/auth/routing.py index 2a6abb47..7a688a49 100644 --- a/mediagoblin/auth/routing.py +++ b/mediagoblin/auth/routing.py @@ -25,9 +25,4 @@ auth_routes = [ ('mediagoblin.auth.verify_email', '/verify_email/', 'mediagoblin.auth.views:verify_email'), ('mediagoblin.auth.resend_verification', '/resend_verification/', - 'mediagoblin.auth.views:resend_activation'), - ('mediagoblin.auth.forgot_password', '/forgot_password/', - 'mediagoblin.auth.views:forgot_password'), - ('mediagoblin.auth.verify_forgot_password', - '/forgot_password/verify/', - 'mediagoblin.auth.views:verify_forgot_password')] + 'mediagoblin.auth.views:resend_activation')] diff --git a/mediagoblin/auth/tools.py b/mediagoblin/auth/tools.py new file mode 100644 index 00000000..88716e1c --- /dev/null +++ b/mediagoblin/auth/tools.py @@ -0,0 +1,191 @@ +# GNU MediaGoblin -- federated, autonomous media hosting +# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +import logging +import wtforms +from sqlalchemy import or_ + +from mediagoblin import mg_globals +from mediagoblin.tools.crypto import get_timed_signer_url +from mediagoblin.db.models import User, Privilege +from mediagoblin.tools.mail import (normalize_email, send_email, + email_debug_message) +from mediagoblin.tools.template import render_template +from mediagoblin.tools.translate import lazy_pass_to_ugettext as _ +from mediagoblin.tools.pluginapi import hook_handle +from mediagoblin import auth + +_log = logging.getLogger(__name__) + + +def normalize_user_or_email_field(allow_email=True, allow_user=True): + """ + Check if we were passed a field that matches a username and/or email + pattern. + + This is useful for fields that can take either a username or email + address. Use the parameters if you want to only allow a username for + instance""" + message = _(u'Invalid User name or email address.') + nomail_msg = _(u"This field does not take email addresses.") + nouser_msg = _(u"This field requires an email address.") + + def _normalize_field(form, field): + email = u'@' in field.data + if email: # normalize email address casing + if not allow_email: + raise wtforms.ValidationError(nomail_msg) + wtforms.validators.Email()(form, field) + field.data = normalize_email(field.data) + else: # lower case user names + if not allow_user: + raise wtforms.ValidationError(nouser_msg) + wtforms.validators.Length(min=3, max=30)(form, field) + wtforms.validators.Regexp(r'^\w+$')(form, field) + field.data = field.data.lower() + if field.data is None: # should not happen, but be cautious anyway + raise wtforms.ValidationError(message) + return _normalize_field + + +EMAIL_VERIFICATION_TEMPLATE = ( + u"{uri}?" + u"token={verification_key}") + + +def send_verification_email(user, request, email=None, + rendered_email=None): + """ + Send the verification email to users to activate their accounts. + + Args: + - user: a user object + - request: the request + """ + if not email: + email = user.email + + if not rendered_email: + verification_key = get_timed_signer_url('mail_verification_token') \ + .dumps(user.id) + rendered_email = render_template( + request, 'mediagoblin/auth/verification_email.txt', + {'username': user.username, + 'verification_url': EMAIL_VERIFICATION_TEMPLATE.format( + uri=request.urlgen('mediagoblin.auth.verify_email', + qualified=True), + verification_key=verification_key)}) + + # TODO: There is no error handling in place + send_email( + mg_globals.app_config['email_sender_address'], + [email], + # TODO + # Due to the distributed nature of GNU MediaGoblin, we should + # find a way to send some additional information about the + # specific GNU MediaGoblin instance in the subject line. For + # example "GNU MediaGoblin @ Wandborg - [...]". + 'GNU MediaGoblin - Verify your email!', + rendered_email) + + +def basic_extra_validation(register_form, *args): + users_with_username = User.query.filter_by( + username=register_form.username.data).count() + users_with_email = User.query.filter_by( + email=register_form.email.data).count() + + extra_validation_passes = True + + if users_with_username: + register_form.username.errors.append( + _(u'Sorry, a user with that name already exists.')) + extra_validation_passes = False + if users_with_email: + register_form.email.errors.append( + _(u'Sorry, a user with that email address already exists.')) + extra_validation_passes = False + + return extra_validation_passes + + +def register_user(request, register_form): + """ Handle user registration """ + extra_validation_passes = auth.extra_validation(register_form) + + if extra_validation_passes: + # Create the user + user = auth.create_user(register_form) + + # give the user the default privileges + default_privileges = [ + Privilege.query.filter(Privilege.privilege_name==u'commenter').first(), + Privilege.query.filter(Privilege.privilege_name==u'uploader').first(), + Privilege.query.filter(Privilege.privilege_name==u'reporter').first()] + user.all_privileges += default_privileges + user.save() + + # log the user in + request.session['user_id'] = unicode(user.id) + request.session.save() + + # send verification email + email_debug_message(request) + send_verification_email(user, request) + + return user + + return None + + +def check_login_simple(username, password): + user = auth.get_user(username=username) + if not user: + _log.info("User %r not found", username) + hook_handle("auth_fake_login_attempt") + return None + if not auth.check_password(password, user.pw_hash): + _log.warn("Wrong password for %r", username) + return None + _log.info("Logging %r in", username) + return user + + +def check_auth_enabled(): + if not hook_handle('authentication'): + _log.warning('No authentication is enabled') + return False + else: + return True + + +def no_auth_logout(request): + """ + Log out the user if no authentication is enabled, but don't delete + the messages + """ + if not mg_globals.app.auth and 'user_id' in request.session: + del request.session['user_id'] + request.session.save() + + +def create_basic_user(form): + user = User() + user.username = form.username.data + user.email = form.email.data + user.save() + return user diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py index dc408911..3d132f84 100644 --- a/mediagoblin/auth/views.py +++ b/mediagoblin/auth/views.py @@ -14,82 +14,43 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -import uuid -import datetime +from itsdangerous import BadSignature from mediagoblin import messages, mg_globals -from mediagoblin.db.models import User +from mediagoblin.db.models import User, Privilege +from mediagoblin.tools.crypto import get_timed_signer_url +from mediagoblin.decorators import auth_enabled, allow_registration from mediagoblin.tools.response import render_to_response, redirect, render_404 from mediagoblin.tools.translate import pass_to_ugettext as _ -from mediagoblin.auth import lib as auth_lib -from mediagoblin.auth import forms as auth_forms -from mediagoblin.auth.lib import send_verification_email, \ - send_fp_verification_email -from sqlalchemy import or_ - -def email_debug_message(request): - """ - If the server is running in email debug mode (which is - the current default), give a debug message to the user - so that they have an idea where to find their email. - """ - if mg_globals.app_config['email_debug_mode']: - # DEBUG message, no need to translate - messages.add_message(request, messages.DEBUG, - u"This instance is running in email debug mode. " - u"The email will be on the console of the server process.") +from mediagoblin.tools.mail import email_debug_message +from mediagoblin.tools.pluginapi import hook_handle +from mediagoblin.auth.tools import (send_verification_email, register_user, + check_login_simple) +@allow_registration +@auth_enabled def register(request): """The registration view. Note that usernames will always be lowercased. Email domains are lowercased while the first part remains case-sensitive. """ - # Redirects to indexpage if registrations are disabled - if not mg_globals.app_config["allow_registration"]: - messages.add_message( - request, - messages.WARNING, - _('Sorry, registration is disabled on this instance.')) - return redirect(request, "index") + if 'pass_auth' not in request.template_env.globals: + redirect_name = hook_handle('auth_no_pass_redirect') + if redirect_name: + return redirect(request, 'mediagoblin.plugins.{0}.register'.format( + redirect_name)) + else: + return redirect(request, 'index') - register_form = auth_forms.RegistrationForm(request.form) + register_form = hook_handle("auth_get_registration_form", request) if request.method == 'POST' and register_form.validate(): # TODO: Make sure the user doesn't exist already - users_with_username = User.query.filter_by(username=register_form.data['username']).count() - users_with_email = User.query.filter_by(email=register_form.data['email']).count() - - extra_validation_passes = True - - if users_with_username: - register_form.username.errors.append( - _(u'Sorry, a user with that name already exists.')) - extra_validation_passes = False - if users_with_email: - register_form.email.errors.append( - _(u'Sorry, a user with that email address already exists.')) - extra_validation_passes = False - - if extra_validation_passes: - # Create the user - user = User() - user.username = register_form.data['username'] - user.email = register_form.data['email'] - user.pw_hash = auth_lib.bcrypt_gen_password_hash( - register_form.password.data) - user.verification_key = unicode(uuid.uuid4()) - user.save() - - # log the user in - request.session['user_id'] = unicode(user.id) - request.session.save() - - # send verification email - email_debug_message(request) - send_verification_email(user, request) + user = register_user(request, register_form) + if user: # redirect the user to their homepage... there will be a # message waiting for them to verify their email return redirect( @@ -99,33 +60,39 @@ def register(request): return render_to_response( request, 'mediagoblin/auth/register.html', - {'register_form': register_form}) + {'register_form': register_form, + 'post_url': request.urlgen('mediagoblin.auth.register')}) +@auth_enabled def login(request): """ MediaGoblin login view. If you provide the POST with 'next', it'll redirect to that view. """ - login_form = auth_forms.LoginForm(request.form) + if 'pass_auth' not in request.template_env.globals: + redirect_name = hook_handle('auth_no_pass_redirect') + if redirect_name: + return redirect(request, 'mediagoblin.plugins.{0}.login'.format( + redirect_name)) + else: + return redirect(request, 'index') + + login_form = hook_handle("auth_get_login_form", request) login_failed = False if request.method == 'POST': - - username = login_form.data['username'] + username = login_form.username.data if login_form.validate(): - user = User.query.filter( - or_( - User.username == username, - User.email == username, - - )).first() + user = check_login_simple(username, login_form.password.data) - if user and user.check_login(login_form.password.data): + if user: # set up login in session + if login_form.stay_logged_in.data: + request.session['stay_logged_in'] = True request.session['user_id'] = unicode(user.id) request.session.save() @@ -134,10 +101,6 @@ def login(request): else: return redirect(request, "index") - # Some failure during login occured if we are here! - # Prevent detecting who's on this system by testing login - # attempt timings - auth_lib.fake_login_attempt() login_failed = True return render_to_response( @@ -146,6 +109,7 @@ def login(request): {'login_form': login_form, 'next': request.GET.get('next') or request.form.get('next'), 'login_failed': login_failed, + 'post_url': request.urlgen('mediagoblin.auth.login'), 'allow_registration': mg_globals.app_config["allow_registration"]}) @@ -164,15 +128,30 @@ def verify_email(request): you are lucky :) """ # If we don't have userid and token parameters, we can't do anything; 404 - if not 'userid' in request.GET or not 'token' in request.GET: + if not 'token' in request.GET: return render_404(request) - user = User.query.filter_by(id=request.args['userid']).first() + # Catch error if token is faked or expired + try: + token = get_timed_signer_url("mail_verification_token") \ + .loads(request.GET['token'], max_age=10*24*3600) + except BadSignature: + messages.add_message( + request, + messages.ERROR, + _('The verification key or user id is incorrect.')) - if user and user.verification_key == unicode(request.GET['token']): - user.status = u'active' - user.email_verified = True + return redirect( + request, + 'index') + + user = User.query.filter_by(id=int(token)).first() + + if user and user.has_privilege(u'active') is False: user.verification_key = None + user.all_privileges.append( + Privilege.query.filter( + Privilege.privilege_name==u'active').first()) user.save() @@ -207,7 +186,7 @@ def resend_activation(request): return redirect(request, 'mediagoblin.auth.login') - if request.user.email_verified: + if request.user.has_privilege(u'active'): messages.add_message( request, messages.ERROR, @@ -215,9 +194,6 @@ def resend_activation(request): return redirect(request, "mediagoblin.user_pages.user_home", user=request.user['username']) - request.user.verification_key = unicode(uuid.uuid4()) - request.user.save() - email_debug_message(request) send_verification_email(request.user, request) @@ -228,141 +204,3 @@ def resend_activation(request): return redirect( request, 'mediagoblin.user_pages.user_home', user=request.user.username) - - -def forgot_password(request): - """ - Forgot password view - - Sends an email with an url to renew forgotten password. - Use GET querystring parameter 'username' to pre-populate the input field - """ - fp_form = auth_forms.ForgotPassForm(request.form, - username=request.args.get('username')) - - if not (request.method == 'POST' and fp_form.validate()): - # Either GET request, or invalid form submitted. Display the template - return render_to_response(request, - 'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form}) - - # If we are here: method == POST and form is valid. username casing - # has been sanitized. Store if a user was found by email. We should - # not reveal if the operation was successful then as we don't want to - # leak if an email address exists in the system. - found_by_email = '@' in fp_form.username.data - - if found_by_email: - user = User.query.filter_by( - email = fp_form.username.data).first() - # Don't reveal success in case the lookup happened by email address. - success_message=_("If that email address (case sensitive!) is " - "registered an email has been sent with instructions " - "on how to change your password.") - - else: # found by username - user = User.query.filter_by( - username = fp_form.username.data).first() - - if user is None: - messages.add_message(request, - messages.WARNING, - _("Couldn't find someone with that username.")) - return redirect(request, 'mediagoblin.auth.forgot_password') - - success_message=_("An email has been sent with instructions " - "on how to change your password.") - - if user and not(user.email_verified and user.status == 'active'): - # Don't send reminder because user is inactive or has no verified email - messages.add_message(request, - messages.WARNING, - _("Could not send password recovery email as your username is in" - "active or your account's email address has not been verified.")) - - return redirect(request, 'mediagoblin.user_pages.user_home', - user=user.username) - - # SUCCESS. Send reminder and return to login page - if user: - user.fp_verification_key = unicode(uuid.uuid4()) - user.fp_token_expire = datetime.datetime.now() + \ - datetime.timedelta(days=10) - user.save() - - email_debug_message(request) - send_fp_verification_email(user, request) - - messages.add_message(request, messages.INFO, success_message) - return redirect(request, 'mediagoblin.auth.login') - - -def verify_forgot_password(request): - """ - Check the forgot-password verification and possibly let the user - change their password because of it. - """ - # get form data variables, and specifically check for presence of token - formdata = _process_for_token(request) - if not formdata['has_userid_and_token']: - return render_404(request) - - formdata_token = formdata['vars']['token'] - formdata_userid = formdata['vars']['userid'] - formdata_vars = formdata['vars'] - - # check if it's a valid user id - user = User.query.filter_by(id=formdata_userid).first() - if not user: - return render_404(request) - - # check if we have a real user and correct token - if ((user and user.fp_verification_key and - user.fp_verification_key == unicode(formdata_token) and - datetime.datetime.now() < user.fp_token_expire - and user.email_verified and user.status == 'active')): - - cp_form = auth_forms.ChangePassForm(formdata_vars) - - if request.method == 'POST' and cp_form.validate(): - user.pw_hash = auth_lib.bcrypt_gen_password_hash( - cp_form.password.data) - user.fp_verification_key = None - user.fp_token_expire = None - user.save() - - messages.add_message( - request, - messages.INFO, - _("You can now log in using your new password.")) - return redirect(request, 'mediagoblin.auth.login') - else: - return render_to_response( - request, - 'mediagoblin/auth/change_fp.html', - {'cp_form': cp_form}) - - # in case there is a valid id but no user with that id in the db - # or the token expired - else: - return render_404(request) - - -def _process_for_token(request): - """ - Checks for tokens in formdata without prior knowledge of request method - - For now, returns whether the userid and token formdata variables exist, and - the formdata variables in a hash. Perhaps an object is warranted? - """ - # retrieve the formdata variables - if request.method == 'GET': - formdata_vars = request.GET - else: - formdata_vars = request.form - - formdata = { - 'vars': formdata_vars, - 'has_userid_and_token': - 'userid' in formdata_vars and 'token' in formdata_vars} - - return formdata |