def GET(self, uid, token):
    """Show the password-change form behind a reset link.

    ``uid`` and ``token`` come from the URL. The user is looked up by id and
    the token is checked with ``check_token`` against
    ``auth.config.reset_expire_after``; if either step fails the request is
    redirected to ``/`` with the ``reset_text`` flash message.

    Returns:
        The rendered ``reset_change`` page with ``passwordChangeForm`` when
        the link is valid.

    Raises:
        web.seeother: redirect to ``/`` when the user or token is not valid.
    """
    # artificial delay (to slow down brute force attacks)
    sleep(0.5)
    try:
        user = auth.get_user(user_id=uid, with_password=True)
        # a missing user short-circuits before check_token is called
        link_ok = bool(user) and check_token(
            user, token, auth.config.reset_expire_after
        )
        if not link_ok:
            raise AuthError
        return render.auth.reset_change(passwordChangeForm)
    except AuthError:
        flash.set(_(reset_text))
        raise web.seeother("/")
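def POST(self):
    """Handle a password-reset request for an e-mail address.

    Validates ``passwordResetForm``, looks the user up by e-mail, mails a
    reset URL carrying the user id and a fresh ``make_token`` value, then
    redirects to ``/``. If the lookup raises ``IndexError`` (unknown e-mail)
    the form is re-rendered with a note.

    Returns:
        The rendered ``reset_token`` page when the form is invalid or the
        e-mail address is unknown.

    Raises:
        web.seeother: redirect to ``/`` once the mail has been sent.
    """
    form = passwordResetForm()
    if form.validates():
        # Only the lookup is inside the ``try``: an IndexError raised while
        # rendering or sending the mail must not be reported to the user as
        # an unknown e-mail address.
        try:
            user = auth.get_user(email=form.d.email, with_password=True)
        except IndexError:
            # NOTE(review): this note reveals whether an address is
            # registered (account enumeration); a uniform "if the address
            # exists, a mail has been sent" message would avoid that.
            form.note = _(email_doesnt_exist_text)
        else:
            token_url = "%s%s/%s$%s" % (
                web.ctx.home,
                "/password_reset",
                user.id,
                make_token(user),
            )
            mailer.send(
                user.email,
                render_email.password_reset(user, token_url),
                send_now=True,
                is_secure=True,
            )
            flash.set(_(sent_text))
            raise web.seeother("/")
    return render.auth.reset_token(form)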
def POST(self, uid, token):
    """Set a new password from a reset link.

    ``uid`` and ``token`` come from the URL and are verified with
    ``check_token`` against ``auth.config.reset_expire_after`` before the
    password is changed. With a valid form the request always ends in a
    redirect to ``/``, carrying either the ``changed_text`` or the
    ``reset_text`` flash message; an invalid form is re-rendered.

    NOTE(review): the user is logged in after the change, but no other
    session for this account is invalidated here. ``auth.delete_session``
    is called elsewhere in this file and may be the right hook — confirm
    its semantics before adding it.

    Returns:
        The rendered ``reset_change`` page when the submitted form is invalid.

    Raises:
        web.seeother: redirect to ``/`` after a valid form was processed.
    """
    # artificial delay (to slow down brute force attacks)
    sleep(0.5)
    form = passwordChangeForm(web.input())
    if not form.valid:
        return render.auth.reset_change(form)

    try:
        user = auth.get_user(user_id=uid, with_password=True)
        # a missing user short-circuits before check_token is called
        link_ok = bool(user) and check_token(
            user, token, auth.config.reset_expire_after
        )
        if not link_ok:
            raise AuthError
        auth.set_password(user.email, form.d.password)
        auth.login(user)
        flash.set(_(changed_text))
    except AuthError:
        flash.set(_(reset_text))
    raise web.seeother("/")
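def GET(self, user_id, method):
    """Soft-delete or restore a user from the admin user list.

    ``method == "delete"`` marks the user as deleted; any other value
    restores the user. The user's sessions are dropped in both cases and an
    admin cannot act on their own account. The request always ends with a
    redirect to ``/a/users``.

    NOTE(review): this is a state-changing action on a GET request, so it is
    reachable through a plain link or image tag; a POST with CSRF protection
    would be safer — confirm how the route and the admin template invoke it.

    Raises:
        web.seeother: redirect to ``/a/users``.
    """
    user = auth.get_user(user_id=user_id, is_deleted=True)
    # presumably get_user returns None for an unknown id (other handlers in
    # this file test ``not user``); that case would raise AttributeError
    # below — confirm and guard if needed.
    if user.id == auth.get_user().id:
        flash.set(_(cannot_delete_self_text), "error")
        raise web.seeother("/a/users")

    deleting = method == "delete"
    auth.update_user(user.id, is_deleted=deleting)
    if deleting:
        flash.set(_(undo_user_text) % link_to("users", user, "undelete"))
        applog.info(_(deleted_user_text) % user.title, "users", user.id, "warn")
    else:
        flash.set(_(undelete_user_text))
        # translated with _() like the delete branch above
        applog.info(_(undeleted_user_text) % user.title, "users", user.id, "warn")
    # sessions are dropped on delete and undelete alike
    auth.delete_session(user.id)
    raise web.seeother("/a/users")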