Removing the "enter your password to change your email" bit.

A good idea, though it feels fairly clumsy in the form, and I think if
you're logged in you can already sabotage the user pretty well.

This commit sponsored by Sergey Matveev.  Thanks!

mediagoblin/edit/forms.py

@@ -65,12 +65,6 @@ class EditAccountForm(wtforms.Form):
         _('New email address'),
         [wtforms.validators.Optional(),
          normalize_user_or_email_field(allow_user=False)])
-    password = wtforms.PasswordField(
-        _('Password'),
-        [wtforms.validators.Optional(),
-         wtforms.validators.Length(min=5, max=1024)],
-        description=_(
-            'Enter your old password to prove you own this account.'))
     license_preference = wtforms.SelectField(
         _('License preference'),
         [

mediagoblin/edit/views.py

@@ -236,38 +236,30 @@ def edit_account(request):
         user.license_preference = form.license_preference.data
 
         if form.new_email.data:
-            if not form.password.data:
-                form.password.errors.append(
-                    _('This field is required.'))
-            elif not auth_lib.bcrypt_check_password(
-                    form.password.data, user.pw_hash):
-                form.password.errors.append(
-                    _('Wrong password.'))
+            new_email = form.new_email.data
+            users_with_email = User.query.filter_by(
+                email=new_email).count()
+            if users_with_email:
+                form.new_email.errors.append(
+                    _('Sorry, a user with that email address'
+                      ' already exists.'))
             else:
-                new_email = form.new_email.data
-                users_with_email = User.query.filter_by(
-                    email=new_email).count()
-                if users_with_email:
-                    form.new_email.errors.append(
-                        _('Sorry, a user with that email address'
-                          ' already exists.'))
-                else:
-                    verification_key = get_timed_signer_url(
-                        'mail_verification_token').dumps({
-                            'user': user.id,
-                            'email': new_email})
+                verification_key = get_timed_signer_url(
+                    'mail_verification_token').dumps({
+                        'user': user.id,
+                        'email': new_email})
 
-                    rendered_email = render_template(
-                        request, 'mediagoblin/edit/verification.txt',
-                        {'username': user.username,
-                         'verification_url': EMAIL_VERIFICATION_TEMPLATE.format(
-                            uri=request.urlgen('mediagoblin.edit.verify_email',
-                                               qualified=True),
-                            verification_key=verification_key)})
+                rendered_email = render_template(
+                    request, 'mediagoblin/edit/verification.txt',
+                    {'username': user.username,
+                     'verification_url': EMAIL_VERIFICATION_TEMPLATE.format(
+                        uri=request.urlgen('mediagoblin.edit.verify_email',
+                                           qualified=True),
+                        verification_key=verification_key)})
 
-                    email_debug_message(request)
-                    auth_tools.send_verification_email(user, request, new_email,
-                                                     rendered_email)
+                email_debug_message(request)
+                auth_tools.send_verification_email(user, request, new_email,
+                                                 rendered_email)
 
         if not form.errors:
             user.save()

mediagoblin/templates/mediagoblin/edit/edit_account.html

@@ -47,7 +47,6 @@
         </a>
       </p>
       {{ wtforms_util.render_field_div(form.new_email) }}
-      {{ wtforms_util.render_field_div(form.password) }}
       <div class="form_field_input">
         <p>{{ form.wants_comment_notification }}
            {{ wtforms_util.render_label(form.wants_comment_notification) }}</p>

mediagoblin/tests/test_edit.py

@@ -144,31 +144,6 @@ class TestUserEdit(object):
     def test_email_change(self, test_app):
         self.login(test_app)
 
-        # Test email change without password
-        template.clear_test_template_context()
-        test_app.post(
-            '/edit/account/', {
-                'new_email': 'new@example.com'})
-
-        # Check form errors
-        context = template.TEMPLATE_TEST_CONTEXT[
-            'mediagoblin/edit/edit_account.html']
-        assert context['form'].password.errors == [
-            u'This field is required.']
-
-        # Test email change with wrong password
-        template.clear_test_template_context()
-        test_app.post(
-            '/edit/account/', {
-                'new_email': 'new@example.com',
-                'password': 'wrong'})
-
-        # Check form errors
-        context = template.TEMPLATE_TEST_CONTEXT[
-            'mediagoblin/edit/edit_account.html']
-        assert context['form'].password.errors == [
-            u'Wrong password.']
-
         # Test email already in db
         template.clear_test_template_context()
         test_app.post(
@@ -182,19 +157,6 @@ class TestUserEdit(object):
         assert context['form'].new_email.errors == [
             u'Sorry, a user with that email address already exists.']
 
-        # Test password is too short
-        template.clear_test_template_context()
-        test_app.post(
-            '/edit/account/', {
-                'new_email': 'new@example.com',
-                'password': 't'})
-
-        # Check form errors
-        context = template.TEMPLATE_TEST_CONTEXT[
-            'mediagoblin/edit/edit_account.html']
-        assert context['form'].password.errors == [
-            u'Field must be between 5 and 1024 characters long.']
-
         # Test successful email change
         template.clear_test_template_context()
         res = test_app.post(