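def change_email():
    """Handle the "change email address" form on the log-in details page.

    Reads ``email_address`` from the submitted form, validates it and, unless it
    is already the account's verified address, sends a "verify" email to the
    new address.

    Returns:
        The log-in details page re-rendered with ``error="invalid_email"`` when
        the address is blank or fails ``email_validator``; otherwise a redirect
        to ``settings_log_in_details`` with ``saved`` set.
    """
    # Default to "" so a request without the field is treated as blank instead
    # of raising AttributeError on None.strip(). The [:100] cap is a silent
    # truncation: a longer value can only come from a tampered request.
    email_address = request.form.get("email_address", "").strip()[:100]
    if not email_address or email_validator.match(email_address) is None:
        return render_template("settings/log_in_details.html", error="invalid_email")
    # Already the verified address on the account: nothing to re-verify, so
    # report it as saved without sending another verification email.
    if g.user.email_verified and email_address == g.user.email_address:
        return redirect(url_for("settings_log_in_details", saved="email_changed"))
    # NOTE(review): there is no check that the address is not already in use by
    # another account before the verification email goes out — confirm whether
    # that is intended.
    send_email("verify", email_address)
    return redirect(url_for("settings_log_in_details", saved="email_address"))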
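def register_post():
    """Handle a registration form submission.

    Validates the submitted username, password and email address, creates the
    ``User`` row, sends a "welcome" email and logs the new user in by writing a
    session key to redis.

    Returns:
        A redirect back to the referring page with ``?register_error=<code>``
        on any validation failure, or to the referring page (or ``home`` when
        the referrer is the register page itself) on success.
    """
    client_ip = _client_ip()

    # One registration per client address per day.
    if g.redis.exists("register:" + client_ip):
        return redirect(referer_or_home() + "?register_error=ip")

    # Don't accept blank fields.
    if request.form["username"] == "" or request.form["password"] == "":
        return redirect(referer_or_home() + "?register_error=blank")

    # Make sure the two passwords match.
    if request.form["password"] != request.form["password_again"]:
        return redirect(referer_or_home() + "?register_error=passwords_didnt_match")

    # Check email address against email_validator.
    # Default to "" so a request without the field is reported as blank instead
    # of raising on None.strip(). Silently truncate: the only way it can be
    # longer is if the front end was bypassed.
    email_address = request.form.get("email_address", "").strip()[:100]
    if not email_address:
        return redirect(referer_or_home() + "?register_error=blank_email")
    if email_validator.match(email_address) is None:
        return redirect(referer_or_home() + "?register_error=invalid_email")

    # Check username against username_validator, truncating for the same reason.
    username = request.form["username"][:50]
    if username_validator.match(username) is None:
        return redirect(referer_or_home() + "?register_error=invalid_username")

    # Reject reserved names ("guest_*" and reserved_usernames) and names that
    # are already taken, compared case-insensitively.
    if _username_unavailable(username):
        return redirect(referer_or_home() + "?register_error=username_taken")

    new_user = User(
        username=username,
        email_address=email_address,
        group="new",
        last_ip=client_ip,
    )
    new_user.set_password(request.form["password"])
    g.db.add(new_user)
    g.db.flush()  # assigns new_user.id before it is stored as the session value

    g.user = new_user
    send_email("welcome", email_address)
    g.db.commit()

    # Only log the user in and spend the per-IP registration slot once the row
    # is committed, so a failed commit cannot leave a session pointing at a
    # user that was rolled back.
    g.redis.set("session:" + g.session_id, new_user.id, 2592000)
    g.redis.setex("register:" + client_ip, 86400, 1)

    redirect_url = referer_or_home()
    # Make sure we don't go back to the register page.
    if redirect_url == url_for("register", _external=True):
        return redirect(url_for("home"))
    return redirect(redirect_url)


def _client_ip():
    """Return the address the registration limit and ``last_ip`` are keyed on.

    NOTE(review): ``X-Forwarded-For`` is copied from the request as-is; it is
    only trustworthy when a proxy in front of the app overwrites it, otherwise
    the client chooses the value and therefore its own rate-limit key —
    confirm the deployment sets it.
    """
    return request.headers.get("X-Forwarded-For", request.remote_addr)


def _username_unavailable(username):
    """True when *username* is reserved or already registered (case-insensitive).

    Any non-zero count is a clash; comparing against exactly one row would let
    a name through if duplicate rows ever crept into the table.
    """
    lowered = username.lower()
    if username.startswith("guest_") or lowered in reserved_usernames:
        return True
    return g.db.query(User.id).filter(func.lower(User.username) == lowered).count() > 0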
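def change_email():
    """Process the email-address field of the log-in details settings form.

    Validates the submitted address and sends a "verify" email to it unless it
    is the address already verified on the account.

    Returns:
        The settings page re-rendered with ``error="invalid_email"`` for a
        blank or malformed address, otherwise a redirect to
        ``settings_log_in_details`` with ``saved`` describing the outcome.
    """
    # A missing form field yields None from .get(); defaulting to "" routes it
    # to the invalid_email branch instead of a 500. Silently truncate to 100
    # characters — a longer value can only come from a tampered request.
    email_address = request.form.get("email_address", "").strip()[:100]
    if not email_address or email_validator.match(email_address) is None:
        return render_template("settings/log_in_details.html",
                               error="invalid_email")
    # Nothing to do: this is the account's verified address already.
    if g.user.email_verified and email_address == g.user.email_address:
        return redirect(
            url_for("settings_log_in_details", saved="email_changed"))
    # NOTE(review): the address is not checked against other accounts before
    # the verification email is sent — confirm whether that is intended.
    send_email("verify", email_address)
    return redirect(url_for("settings_log_in_details", saved="email_address"))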
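def change_email():
    """Handle the "change email address" form on the log-in details page.

    Validates the submitted address, rejects one that another account already
    uses, and otherwise sends a "verify" email to it.

    Returns:
        The log-in details page re-rendered with ``error`` set to
        ``invalid_email`` or ``email_taken``, or a redirect to
        ``settings_log_in_details`` with ``saved`` set.
    """
    # Default to "" so a request without the field is treated as blank instead
    # of raising AttributeError on None.strip(). The [:100] cap is a silent
    # truncation: a longer value can only come from a tampered request.
    email_address = request.form.get("email_address", "").strip()[:100]

    if not email_address or email_validator.match(email_address) is None:
        return render_template("settings/log_in_details.html", error="invalid_email")

    # No need to do anything here.
    if g.user.email_verified and email_address == g.user.email_address:
        return redirect(url_for("settings_log_in_details", saved="email_changed"))

    # Make sure this email address hasn't been taken before. The comparison is
    # case-insensitive, so the user's own row is excluded by id as well: the
    # plain != guard above is case-sensitive and would otherwise report the
    # user's own address as taken when only its case changed.
    if email_address != g.user.email_address and g.db.query(User.id).filter(
        func.lower(User.email_address) == email_address.lower(),
        User.id != g.user.id,
    ).count() != 0:
        return render_template("settings/log_in_details.html", error="email_taken")

    send_email("verify", email_address)

    return redirect(url_for("settings_log_in_details", saved="email_address"))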
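def change_email():
    """Process the email-address field of the log-in details settings form.

    Validates the submitted address, refuses one that belongs to a different
    account, and otherwise sends a "verify" email to it.

    Returns:
        The settings page re-rendered with ``error`` set to ``invalid_email``
        or ``email_taken``, or a redirect to ``settings_log_in_details`` with
        ``saved`` describing the outcome.
    """
    # A missing form field yields None from .get(); defaulting to "" routes it
    # to the invalid_email branch instead of a 500. Silently truncate to 100
    # characters — a longer value can only come from a tampered request.
    email_address = request.form.get("email_address", "").strip()[:100]

    if not email_address or email_validator.match(email_address) is None:
        return render_template("settings/log_in_details.html",
                               error="invalid_email")

    # No need to do anything here.
    if g.user.email_verified and email_address == g.user.email_address:
        return redirect(
            url_for("settings_log_in_details", saved="email_changed"))

    # Make sure this email address hasn't been taken before. The lookup is
    # case-insensitive while the != guard is not, so the user's own row is
    # excluded by id too; otherwise changing only the case of the current
    # address would come back as email_taken.
    if email_address != g.user.email_address and g.db.query(User.id).filter(
            func.lower(User.email_address) == email_address.lower(),
            User.id != g.user.id,
    ).count() != 0:
        return render_template("settings/log_in_details.html",
                               error="email_taken")

    send_email("verify", email_address)

    return redirect(url_for("settings_log_in_details", saved="email_address"))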
def forgot_password_post():
    """Handle the "forgot password" form.

    Looks up the account named in the form and, when it has a verified email
    address and neither the client address nor the account is rate-limited,
    sends a "reset" email and records a one-day limit for both.

    Returns:
        The forgot-password page re-rendered with ``error`` set to ``limit``,
        ``no_user`` or ``no_email``, or a redirect to the referring page with
        ``?error=success`` once the email has been sent.
    """
    # NOTE(review): X-Forwarded-For is taken from the request as-is, so this
    # key is only as trustworthy as the proxy that sets it — confirm the
    # deployment overwrites the header.
    client_ip = request.headers.get("X-Forwarded-For", request.remote_addr)
    ip_limit_key = "reset_password_limit:%s" % client_ip
    if g.redis.get(ip_limit_key):
        return render_template("account/forgot_password.html", error="limit")

    submitted_username = request.form["username"]
    # NOTE(review): the stored username is compared with the lowercased input,
    # so only accounts whose stored username is already all lowercase can
    # match — confirm usernames are normalised on registration.
    try:
        user = (
            g.db.query(User)
            .filter(User.username == submitted_username.lower())
            .one()
        )
    except NoResultFound:
        # NOTE(review): this branch runs before any limit is recorded for the
        # address, and the distinct no_user / no_email / success responses
        # reveal whether a username exists — worth considering for throttling.
        return render_template(
            "account/forgot_password.html",
            error="no_user",
            username=submitted_username,
        )

    user_limit_key = "reset_password_limit:%s" % user.id
    if g.redis.get(user_limit_key):
        return render_template("account/forgot_password.html", error="limit")

    if not user.email_address or not user.email_verified:
        return render_template("account/forgot_password.html", error="no_email")

    # The target account is installed as g.user for the rest of this request,
    # presumably for send_email's benefit — confirm nothing else relies on it.
    g.user = user
    send_email("reset", g.user.email_address)
    # Record the one-day limit for both the client address and the account.
    g.redis.setex(ip_limit_key, 86400, 1)
    g.redis.setex(user_limit_key, 86400, 1)

    return redirect(referer_or_home() + "?error=success")
def forgot_password_post():
    """Send a password-reset email for the account named in the form.

    The request is refused while the client address or the account is under
    the one-day reset limit, when no such account exists, or when the account
    has no verified email address.

    Returns:
        The forgot-password page re-rendered with ``error`` set to ``limit``,
        ``no_user`` or ``no_email``; otherwise a redirect to the referring page
        with ``?error=success``.
    """
    # NOTE(review): the limit is keyed on X-Forwarded-For exactly as received;
    # a client can supply that header itself unless a proxy overwrites it —
    # confirm the deployment does.
    address = request.headers.get("X-Forwarded-For", request.remote_addr)
    address_key = "reset_password_limit:%s" % address
    if g.redis.get(address_key):
        return render_template("account/forgot_password.html", error="limit")

    requested = request.form["username"]
    lookup = g.db.query(User).filter(User.username == requested.lower())
    try:
        # NOTE(review): compares the stored value with the lowercased input;
        # a stored username containing uppercase letters would never match —
        # confirm registration normalises case.
        user = lookup.one()
    except NoResultFound:
        # NOTE(review): no limit is recorded on this path, so lookups for
        # unknown names are not throttled, and the response distinguishes
        # unknown names from existing ones.
        return render_template("account/forgot_password.html",
                               error="no_user",
                               username=requested)

    account_key = "reset_password_limit:%s" % user.id
    if g.redis.get(account_key):
        return render_template("account/forgot_password.html", error="limit")

    if not user.email_address or not user.email_verified:
        return render_template("account/forgot_password.html", error="no_email")

    # Presumably send_email reads the target account from g.user — confirm.
    g.user = user
    send_email("reset", g.user.email_address)
    # Both the address and the account are limited for a day from now.
    for limit_key in (address_key, account_key):
        g.redis.setex(limit_key, 86400, 1)

    return redirect(referer_or_home() + "?error=success")