heckyel/mediagoblin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactors verify_forgot_password

Browse Source
This commit is contained in:
Caleb Forbes Davis V 2011-09-05 14:02:23 -05:00
parent e1105f5dcb
commit 8d1c9863b6
1 changed files with 54 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
mediagoblin/auth/views.py
View File

@ -222,62 +222,59 @@ def forgot_password(request):
def verify_forgot_password(request): def verify_forgot_password(request):
# get session variables, and specifically check for presence of token
mysession = _process_for_token(request)
if not mysession['token_complete']:
return render_404(request)
session_token = mysession['vars']['token']
session_userid = mysession['vars']['userid']
session_vars = mysession['vars']
# check if it's a valid Id
try:
user = request.db.User.find_one(
{'_id': ObjectId(unicode(session_userid))})
except InvalidId:
return render_404(request)
# check if we have a real user and correct token
if (user and user['fp_verification_key'] == unicode(session_token) and
datetime.datetime.now() < user['fp_token_expire']):
cp_form = auth_forms.ChangePassForm(session_vars)
if request.method == 'POST' and cp_form.validate():
user['pw_hash'] = auth_lib.bcrypt_gen_password_hash(
request.POST['password'])
user['fp_verification_key'] = None
user['fp_token_expire'] = None
user.save()
return redirect(request, 'mediagoblin.auth.fp_changed_success')
else:
return render_to_response(request,
'mediagoblin/auth/change_fp.html',
{'cp_form': cp_form})
# in case there is a valid id but no user whit that id in the db
# or the token expired
else:
return render_404(request)
def _process_for_token(request):
"""
Checks for tokens in session without prior knowledge of request method
For now, returns whether the userid and token session variables exist, and
the session variables in a hash. Perhaps an object is warranted?
"""
# retrieve the session variables
if request.method == 'GET': if request.method == 'GET':
# If we don't have userid and token parameters, we can't do anything;404 session_vars = request.GET
if (not request.GET.has_key('userid') or else:
not request.GET.has_key('token')): session_vars = request.POST
return render_404(request)
# check if it's a valid Id mysession = {'vars': session_vars,
try: 'token_complete': session_vars.has_key('userid') and
user = request.db.User.find_one( session_vars.has_key('token')}
{'_id': ObjectId(unicode(request.GET['userid']))}) return mysession
except InvalidId:
return render_404(request)
# check if we have a real user and correct token
if (user and
user['fp_verification_key'] == unicode(request.GET['token']) and
datetime.datetime.now() < user['fp_token_expire']):
cp_form = auth_forms.ChangePassForm(request.GET)
return render_to_response(
request,
'mediagoblin/auth/change_fp.html',
{'cp_form': cp_form})
# in case there is a valid id but no user whit that id in the db
# or the token expired
else:
return render_404(request)
if request.method == 'POST':
# verification doing here to prevent POST values modification
try:
user = request.db.User.find_one(
{'_id': ObjectId(unicode(request.POST['userid']))})
except InvalidId:
return render_404(request)
cp_form = auth_forms.ChangePassForm(request.POST)
# verification doing here to prevent POST values modification
# if token and id are correct they are able to change their password
if (user and
user['fp_verification_key'] == unicode(request.POST['token']) and
datetime.datetime.now() < user['fp_token_expire']):
if cp_form.validate():
user['pw_hash'] = auth_lib.bcrypt_gen_password_hash(
request.POST['password'])
user['fp_verification_key'] = None
user['fp_token_expire'] = None
user.save()
return redirect(request,
'mediagoblin.auth.fp_changed_success')
else:
return render_to_response(
request,
'mediagoblin/auth/change_fp.html',
{'cp_form': cp_form})
else:
return render_404(request)