1 files changed, 158 insertions, 0 deletions

diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py
index 285bddf6..8563195f 100644
--- a/mediagoblin/auth/views.py
+++ b/mediagoblin/auth/views.py
@@ -201,3 +201,161 @@ def resend_activation(request):
     return redirect(
         request, 'mediagoblin.user_pages.user_home',
         user=request.user.username)
+
+
+def forgot_password(request):
+    """
+    Forgot password view
+
+    Sends an email with an url to renew forgotten password.
+    Use GET querystring parameter 'username' to pre-populate the input field
+    """
+    if not 'pass_auth' in request.template_env.globals:
+        return redirect(request, 'index')
+
+    fp_form = auth_forms.ForgotPassForm(request.form,
+                                        username=request.args.get('username'))
+
+    if not (request.method == 'POST' and fp_form.validate()):
+        # Either GET request, or invalid form submitted. Display the template
+        return render_to_response(request,
+            'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form,})
+
+    # If we are here: method == POST and form is valid. username casing
+    # has been sanitized. Store if a user was found by email. We should
+    # not reveal if the operation was successful then as we don't want to
+    # leak if an email address exists in the system.
+    found_by_email = '@' in fp_form.username.data
+
+    if found_by_email:
+        user = User.query.filter_by(
+            email = fp_form.username.data).first()
+        # Don't reveal success in case the lookup happened by email address.
+        success_message=_("If that email address (case sensitive!) is "
+                          "registered an email has been sent with instructions "
+                          "on how to change your password.")
+
+    else: # found by username
+        user = User.query.filter_by(
+            username = fp_form.username.data).first()
+
+        if user is None:
+            messages.add_message(request,
+                                 messages.WARNING,
+                                 _("Couldn't find someone with that username."))
+            return redirect(request, 'mediagoblin.auth.forgot_password')
+
+        success_message=_("An email has been sent with instructions "
+                          "on how to change your password.")
+
+    if user and not(user.email_verified and user.status == 'active'):
+        # Don't send reminder because user is inactive or has no verified email
+        messages.add_message(request,
+            messages.WARNING,
+            _("Could not send password recovery email as your username is in"
+              "active or your account's email address has not been verified."))
+
+        return redirect(request, 'mediagoblin.user_pages.user_home',
+                        user=user.username)
+
+    # SUCCESS. Send reminder and return to login page
+    if user:
+        email_debug_message(request)
+        send_fp_verification_email(user, request)
+
+    messages.add_message(request, messages.INFO, success_message)
+    return redirect(request, 'mediagoblin.auth.login')
+
+
+def verify_forgot_password(request):
+    """
+    Check the forgot-password verification and possibly let the user
+    change their password because of it.
+    """
+    # get form data variables, and specifically check for presence of token
+    formdata = _process_for_token(request)
+    if not formdata['has_token']:
+        return render_404(request)
+
+    formdata_vars = formdata['vars']
+
+    # Catch error if token is faked or expired
+    try:
+        token = get_timed_signer_url("mail_verification_token") \
+                .loads(formdata_vars['token'], max_age=10*24*3600)
+    except BadSignature:
+        messages.add_message(
+            request,
+            messages.ERROR,
+            _('The verification key or user id is incorrect.'))
+
+        return redirect(
+            request,
+            'index')
+
+    # check if it's a valid user id
+    user = User.query.filter_by(id=int(token)).first()
+
+    # no user in db
+    if not user:
+        messages.add_message(
+            request, messages.ERROR,
+            _('The user id is incorrect.'))
+        return redirect(
+            request, 'index')
+
+    # check if user active and has email verified
+    if user.email_verified and user.status == 'active':
+
+        cp_form = auth_forms.ChangePassForm(formdata_vars)
+
+        if request.method == 'POST' and cp_form.validate():
+            user.pw_hash = auth.gen_password_hash(
+                cp_form.password.data)
+            user.save()
+
+            messages.add_message(
+                request,
+                messages.INFO,
+                _("You can now log in using your new password."))
+            return redirect(request, 'mediagoblin.auth.login')
+        else:
+            return render_to_response(
+                request,
+                'mediagoblin/auth/change_fp.html',
+                {'cp_form': cp_form,})
+
+    if not user.email_verified:
+        messages.add_message(
+            request, messages.ERROR,
+            _('You need to verify your email before you can reset your'
+              ' password.'))
+
+    if not user.status == 'active':
+        messages.add_message(
+            request, messages.ERROR,
+            _('You are no longer an active user. Please contact the system'
+              ' admin to reactivate your account.'))
+
+    return redirect(
+        request, 'index')
+
+
+def _process_for_token(request):
+    """
+    Checks for tokens in formdata without prior knowledge of request method
+
+    For now, returns whether the userid and token formdata variables exist, and
+    the formdata variables in a hash. Perhaps an object is warranted?
+    """
+    # retrieve the formdata variables
+    if request.method == 'GET':
+        formdata_vars = request.GET
+    else:
+        formdata_vars = request.form
+
+    formdata = {
+        'vars': formdata_vars,
+        'has_token': 'token' in formdata_vars}
+
+    return formdata