def _get_user(self, uidb36):
User = get_user_model()
try:
pk = url_str_to_user_pk(uidb36)
return User.objects.get(pk=pk)
except (ValueError, User.DoesNotExist):
return None
def _get_user(self, uidb36):
try:
pk = url_str_to_user_pk(uidb36)
return User.objects.get(pk=pk)
except (ValueError, User.DoesNotExist):
return None
def validate_user(self, *args, **kwargs):
if self.request.POST.get('uid', None):
try:
uid = url_str_to_user_pk(self.request.POST['uid'])
user = User.objects.get(pk=uid)
except (User.DoesNotExist, ValueError, ValidationError):
raise Http404()
self.validate_membership(user)
return user
def login_on_confirm(self, confirmation):
user_pk = None
user_pk_str = get_adapter(self.request).unstash_user(self.request)
if user_pk_str:
user_pk = url_str_to_user_pk(user_pk_str)
user = confirmation.email_address.user
if user_pk == user.pk and self.request.user.is_anonymous:
return perform_login(self.request,
user,
app_settings.EmailVerificationMethod.NONE,
redirect_url=self.get_redirect_url)
return None
def validate(self, attrs):
self._errors = {}
# Decode the uidb64 to uid to get User object
try:
uid = url_str_to_user_pk(attrs['uid'])
self.user = User._default_manager.get(pk=uid)
except (TypeError, ValueError, OverflowError, User.DoesNotExist):
raise ValidationError({'uid': ['Invalid value']})
self.custom_validation(attrs)
# Construct SetPasswordForm instance
self.set_password_form = self.set_password_form_class(user=self.user,
data=attrs)
if not self.set_password_form.is_valid():
raise ValidationError(self.set_password_form.errors)
if not default_token_generator.check_token(self.user, attrs['token']):
raise ValidationError({'token': ['Invalid value']})
return attrs
def login_on_confirm(self, confirmation):
"""Login on confrim."""
user_pk = None
user_pk_str = get_adapter(self.request).unstash_user(self.request)
if user_pk_str:
user_pk = url_str_to_user_pk(user_pk_str)
user = confirmation.email_address.user
if user_pk == user.pk and self.request.user.is_anonymous():
return perform_login(
self.request,
user,
app_settings.EmailVerificationMethod.NONE,
# passed as callable, as this method
# depends on the authenticated state
redirect_url=self.get_redirect_url)
return None
def login_on_confirm(self, confirmation):
"""
Simply logging in the user may become a security issue. If you
do not take proper care (e.g. don't purge used email
confirmations), a malicious person that got hold of the link
will be able to login over and over again and the user is
unable to do anything about it. Even restoring their own mailbox
security will not help, as the links will still work. For
password reset this is different, this mechanism works only as
long as the attacker has access to the mailbox. If they no
longer has access they cannot issue a password request and
intercept it. Furthermore, all places where the links are
listed (log files, but even Google Analytics) all of a sudden
need to be secured. Purging the email confirmation once
confirmed changes the behavior -- users will not be able to
repeatedly confirm (in case they forgot that they already
clicked the mail).
All in all, opted for storing the user that is in the process
of signing up in the session to avoid all of the above. This
may not 100% work in case the user closes the browser (and the
session gets lost), but at least we're secure.
"""
user_pk = None
user_pk_str = get_adapter(self.request).unstash_user(self.request)
if user_pk_str:
user_pk = url_str_to_user_pk(user_pk_str)
user = confirmation.email_address.user
if user_pk == user.pk and self.request.user.is_anonymous:
return perform_login(self.request,
user,
app_settings.EmailVerificationMethod.NONE,
# passed as callable, as this method
# depends on the authenticated state
redirect_url=self.get_redirect_url)
return None
def test_url_str_to_pk_identifies_UUID_as_stringlike(self):
with patch('allauth.account.utils.get_user_model') as mocked_gum:
mocked_gum.return_value = UUIDUser
self.assertEqual(url_str_to_user_pk(self.user_id),
uuid.UUID(self.user_id))
