From b3c4cbd5c16d07937fb9486a88deec29f8aaeb0d Mon Sep 17 00:00:00 2001
From: Rodney Ewing <ewing.rj@gmail.com>
Date: Mon, 8 Jul 2013 16:27:43 -0700
Subject: [PATCH 1/3] only check password if there is a store_hash

---
 mediagoblin/plugins/basic_auth/__init__.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mediagoblin/plugins/basic_auth/__init__.py b/mediagoblin/plugins/basic_auth/__init__.py
index c16d8855..33a554b0 100644
--- a/mediagoblin/plugins/basic_auth/__init__.py
+++ b/mediagoblin/plugins/basic_auth/__init__.py
@@ -59,7 +59,10 @@ def gen_password_hash(raw_pass, extra_salt=None):
 
 
 def check_password(raw_pass, stored_hash, extra_salt=None):
-    return auth_tools.bcrypt_check_password(raw_pass, stored_hash, extra_salt)
+    if stored_hash:
+        return auth_tools.bcrypt_check_password(raw_pass,
+                                                stored_hash, extra_salt)
+    return None
 
 
 def auth():

From 05ceada051dad011bb9b3e1c93fb42b2d9875939 Mon Sep 17 00:00:00 2001
From: Rodney Ewing <ewing.rj@gmail.com>
Date: Wed, 10 Jul 2013 10:37:13 -0700
Subject: [PATCH 2/3] remove the list from response.vary. not sure why I was
 getting an error using openid without it, but everything seems to be working
 fine now

---
 mediagoblin/meddleware/csrf.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mediagoblin/meddleware/csrf.py b/mediagoblin/meddleware/csrf.py
index 44d42d75..661f0ba2 100644
--- a/mediagoblin/meddleware/csrf.py
+++ b/mediagoblin/meddleware/csrf.py
@@ -111,7 +111,7 @@ class CsrfMeddleware(BaseMeddleware):
             httponly=True)
 
         # update the Vary header
-        response.vary = list(getattr(response, 'vary', None) or []) + ['Cookie']
+        response.vary = (getattr(response, 'vary', None) or []) + ['Cookie']
 
     def _make_token(self, request):
         """Generate a new token to use for CSRF protection."""

From 537ce5973aef0c392be620d24993831812515df5 Mon Sep 17 00:00:00 2001
From: Rodney Ewing <ewing.rj@gmail.com>
Date: Wed, 10 Jul 2013 11:08:28 -0700
Subject: [PATCH 3/3] need to use .get('messages') to not get a keyerror

---
 mediagoblin/plugins/openid/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mediagoblin/plugins/openid/views.py b/mediagoblin/plugins/openid/views.py
index 9566e38e..b639a4cb 100644
--- a/mediagoblin/plugins/openid/views.py
+++ b/mediagoblin/plugins/openid/views.py
@@ -342,7 +342,7 @@ def delete_openid(request):
             form.openid.errors.append(
                 _('That OpenID is not registered to this account.'))
 
-        if not form.errors and not request.session['messages']:
+        if not form.errors and not request.session.get('messages'):
             # Okay to continue with deleting openid
             return_to = request.urlgen(
                 'mediagoblin.plugins.openid.finish_delete')