def _forgotten_password(self):
"""Action to let the user request a password change.
GET returns a form for emailing them the password change
confirmation.
POST checks the form and then creates a confirmation record:
date, email_address, and a url_hash that is a hash of a
combination of date, email_address, and a random nonce.
The email address must exist in the person database.
The second half of the password change operation happens in
the ``confirm`` action.
"""
c.email = self.form_result['email_address']
c.person = Person.find_by_email(c.email)
if c.person is not None:
# Check if there is already a password recovery in progress
reset = PasswordResetConfirmation.find_by_email(c.email)
if reset is not None:
return render('person/in_progress.mako')
# Ok kick one off
c.conf_rec = PasswordResetConfirmation(email_address=c.email)
meta.Session.add(c.conf_rec)
meta.Session.commit()
email(c.email, render('person/confirmation_email.mako'))
return render('person/password_confirmation_sent.mako')
def test_confirm(self):
"""Test confirmation of a password reset that should succeed"""
# create a confirmation record
email = '*****@*****.**'
p = Person(email_address=email)
self.dbsession.save(p)
c = PasswordResetConfirmation(email_address=email)
# set the timestamp to just under 24 hours ago
c.timestamp = datetime.datetime.now() - datetime.timedelta(23, 59, 59)
self.dbsession.save(c)
self.dbsession.flush()
pid = p.id
cid = c.id
resp = self.app.get(url_for(controller='person',
action='reset_password',
url_hash=c.url_hash))
# showing the email on the page
resp.mustcontain(email)
f = resp.form
f['password'] = '******'
f['password_confirm'] = 'test'
resp = f.submit()
# check for success
resp.mustcontain("Your password has been updated")
self.dbsession.clear()
# conf rec should be gone
c = self.dbsession.get(PasswordResetConfirmation, cid)
self.assertEqual(None, c)
# password should be set to 'test'
p_hash = md5.new('test').hexdigest()
p = self.dbsession.get(Person, pid)
self.assertEqual(p_hash, p.password_hash)
self.dbsession.delete(p)
self.dbsession.flush()
def test_confirm_old_url_hash(self):
"""Test that old url_hashes are caught"""
email = '*****@*****.**'
stamp = datetime.datetime.now() - datetime.timedelta(24, 0, 1)
c = PasswordResetConfirmation(email_address=email)
c.timestamp = stamp
self.dbsession.save(c)
self.dbsession.flush()
cid = c.id
resp = self.app.get(url_for(controller='person',
action='reset_password',
url_hash=c.url_hash))
# check for warning
resp.mustcontain("This password recovery session has expired")
self.dbsession.clear()
c = self.dbsession.get(PasswordResetConfirmation, cid)
# record shouldn't exist anymore
self.assertEqual(None, c)
