Restructure ForgotPassword view

1) Remove mongo limitations (no 'or' when querying for either username
or email).

2) Lost password function revealed if an user name or email address
   is registered, which can be considered a data leak.
   Leaking user names is OK, they are public anyway, but don't reveal
   lookup success in case the lookup happened by email address.
   Simply respond: "If you have an account here, we have send you
                    your email"?

3) username and email search was case sensitive. Made username search
   case insensitive (they are always stored lowercase in the db).
   Keep email-address search case sensitive for now. This might need
   further discussion

4) Remove a whole bunch of indention in the style of:
   if no error:
        ...
        if no error:
            ...
            if no error:
                actually do something in the regular case

   by restructuring the function.

5) Outsource the sanity checking for username and email fields into the
   validator function. This way, we get automatic case sanity checking
   and sanitizing for all required fields.

6) Require 5-char password and fix tests

   Originally, the Change password form required a password between 6-30
   chars while the registration and login form did not require anything
   special. This commit introduces a common minimum limit for all forms
   which breaks the test suite which uses a 5 char password by
   default. :-).  As 5 chars seem sensible enough to enforce (people
   should be picking much longer ones anyway), just reduce the limit to
   5 chars, thereby making all tests pass.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>

mediagoblin/tests/test_auth.py

@@ -105,10 +105,8 @@ def test_register_views(test_app):
     context = template.TEMPLATE_TEST_CONTEXT['mediagoblin/auth/register.html']
     form = context['register_form']
 
-    assert form.username.errors == [
-        u'Field must be between 3 and 30 characters long.']
-    assert form.password.errors == [
-        u'Field must be between 6 and 30 characters long.']
+    assert_equal (form.username.errors, [u'Field must be between 3 and 30 characters long.'])
+    assert_equal (form.password.errors, [u'Field must be between 5 and 1024 characters long.'])
 
     ## bad form
     template.clear_test_template_context()
@@ -119,10 +117,8 @@ def test_register_views(test_app):
     context = template.TEMPLATE_TEST_CONTEXT['mediagoblin/auth/register.html']
     form = context['register_form']
 
-    assert form.username.errors == [
-        u'Invalid input.']
-    assert form.email.errors == [
-        u'Invalid email address.']
+    assert_equal (form.username.errors, [u'This field does not take email addresses.'])
+    assert_equal (form.email.errors, [u'This field requires an email address.'])
 
     ## At this point there should be no users in the database ;)
     assert_equal(User.query.count(), 0)
@@ -370,7 +366,7 @@ def test_authentication_views():
     response = test_app.post(
         '/auth/login/', {
             'username': u'chris',
-            'password': 'jam'})
+            'password': 'jam_and_ham'})
     context = template.TEMPLATE_TEST_CONTEXT['mediagoblin/auth/login.html']
     assert context['login_failed']