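def register_hash(request, hashcode, group = None):
    """Create and log in a user from an encrypted registration link.

    `hashcode` is decrypted with ``settings.SECRET_KEY`` and decoded as a
    query string.  The `next` field (default ``'/'``) is taken out as the
    redirect target; the remaining fields are validated by
    ``RegistrationForm``.  On success the user is saved, authenticated,
    logged in, and redirected to `next`.

    Raises Http404 when the payload has no password or fails form
    validation; the form is never re-rendered from this view.

    `group` is accepted but not used in this function.
    """
    decoded = urldecode(decryptString(settings.SECRET_KEY, hashcode))
    # Each decoded value is indexed with [0] -- presumably urldecode returns
    # a list of values per key; only the first one is kept.
    params = dict((key, values[0]) for key, values in decoded.iteritems())

    # NOTE(review): the redirect target comes straight from the decrypted
    # payload and is not checked here.  That is only safe if decryptString
    # authenticates the ciphertext and the code that issued the link
    # restricted `next` to local paths -- confirm both.
    next_url = params.pop('next', '/')

    # NOTE(review): the payload carries the plaintext password, so the link
    # is as sensitive as the credential wherever it is stored or logged.
    # A payload without a password is malformed: answer 404 like any other
    # invalid payload instead of failing with a KeyError.
    if 'password' not in params:
        raise Http404

    # The form expects a confirmation field; the link carries the password
    # once, so mirror it.
    params['password2'] = params['password']
    reg_form = RegistrationForm(params)
    if not reg_form.is_valid():
        raise Http404

    # OK, create the new user from the validated data.
    vitals = reg_form.cleaned_data
    user = User(
        username=vitals['username'],
        first_name=vitals['first_name'],
        last_name=vitals['last_name'],
        email=vitals['email'],
    )
    user.set_password(vitals['password'])
    user.save()

    # NOTE(review): if this is Django's authenticate(), it returns None when
    # no backend accepts the credentials; that case is not handled here.
    user = authenticate(username=user.username, password=vitals['password'])
    auth_login(request, user)
    request.session['account_message'] = 'User account created. You are now logged in!'
    return HttpResponseRedirect(next_url)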
def url_equals(to_check):
    """Tell whether the parsed URL `to_check` matches the candidate URL.

    `check_parts` and `check_query` are not defined in this function; they
    come from the surrounding scope.  The first four components of
    `to_check` must equal those of `check_parts`, and every query argument
    of `to_check` must have the same value in `check_query`.  Arguments
    present only in `check_query` are not examined, so the comparison is
    one-directional.
    """
    if to_check[:4] != check_parts[:4]:
        return False
    # NOTE(review): unpacking each item as (key, value) assumes urldecode
    # returns something that iterates as pairs, while check_query.get()
    # assumes a mapping -- confirm against urldecode's return type.
    return not any(
        check_query.get(name) != val
        for name, val in urldecode(to_check[4])
    )
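def get_redirect_target(environ, user_url=None, invalid_targets=(),
                        allowed_redirects=None):
    """Check the request and return a usable redirect target, or `None`.

    The candidate is `user_url` if given, otherwise the ``HTTP_REFERER``
    entry of `environ`.  `None` is returned when the candidate

    * is missing,
    * differs from the current URL in scheme or host and its host matches
      neither the current host nor any fnmatch pattern in
      `allowed_redirects`,
    * resolves to the URL currently being requested (which would loop), or
    * resolves to one of `invalid_targets`.

    Otherwise the candidate, with leading slashes removed, is returned; it
    is suitable to be passed to `redirect`.
    """
    check_target = user_url or environ.get('HTTP_REFERER')

    # Neither the caller nor the WSGI environment names a jump target, so
    # the caller has to fall back to its own default.
    if not check_target:
        return

    # Drop leading slashes: the candidate is then resolved relative to the
    # current URL, and a leading '//' cannot be read as a different host.
    check_target = check_target.lstrip('/')
    root_url = get_current_url(environ)
    root_parts = urlparse(root_url)
    check_parts = urlparse(urljoin(root_url, check_target))
    check_query = urldecode(check_parts[4])

    def url_equals(to_check):
        """Compare a parsed URL against the candidate (`check_parts`)."""
        if to_check[:4] != check_parts[:4]:
            return False
        # NOTE(review): unpacking each item as (key, value) assumes
        # urldecode iterates as pairs while check_query.get() assumes a
        # mapping -- confirm against urldecode's return type.
        args = urldecode(to_check[4])
        for key, value in args:
            if check_query.get(key) != value:
                return False
        return True

    # The current host is always an acceptable redirect host.
    allowed_redirects = chain([get_host(environ)], allowed_redirects or ())

    # A target on a different server is treated as a probable security
    # problem and rejected unless its host is whitelisted.
    if root_parts[:2] != check_parts[:2]:
        # The netloc may carry a "userinfo@" prefix and a ":port" suffix.
        # Strip the userinfo first: splitting on ':' alone would hand the
        # whitelist the userinfo part, which the requester controls,
        # instead of the host the browser will actually contact.
        netloc = check_parts[1].rsplit('@', 1)[-1]
        host = netloc.split(':', 1)[0]
        for rule in allowed_redirects:
            if fnmatch(host, rule):
                break
        else:
            return

    # A target equal to the current URL means an earlier redirect went
    # wrong; reject it so we do not redirect forever.
    if url_equals(urlparse(get_current_url(environ))):
        return

    # Targets the caller explicitly ruled out are rejected as well.
    for invalid in invalid_targets:
        if url_equals(urlparse(urljoin(root_url, invalid))):
            return

    return check_target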