def add(request, list_id, item_id): item_id = base36_to_int(item_id) item = get_object_or_404(Item, pk=item_id) if list_id == '!ignored': try: name = "{user}'s ignore list".format(user=request.user) except AttributeError: # python 2.5 compatibility name = "%s's ignore list" % (request.user,) list, created = List.objects.get_or_create(owner=request.user, ignored=True, defaults={'category_id': 8, 'name': name, 'options': {}}) list_id = list.id elif list_id == '!queue': try: name = "{user}'s queue".format(user=request.user) except AttributeError: # python 2.5 compatibility name = "%s's queue" % (request.user,) list, created = List.objects.get_or_create(owner=request.user, queue=True, defaults={'category_id': 8, 'name': name, 'options': {}}) list_id = list.id else: list_id = base36_to_int(list_id) list = get_object_or_404(List, pk=list_id, owner=request.user) order_max = list.entries.aggregate(Max('order'))['order__max'] if order_max is None: order = 0 else: order = order_max + 1 list.entries.create(type=Entry.types['item'], item_id=item_id, order=order) data = {'success': True} json = simplejson.dumps(data) return HttpResponse(json, mimetype='application/json')
def reverse_access_token(cls, access_token): if not access_token: raise InvalidAccessToken() part = access_token.split('.') if len(part) != 3: raise InvalidAccessToken() expire, info, check = part expire_timestamp = int(base36_to_int(expire)) if CurrentTimestamp()() > expire_timestamp: raise AccessTokenExpired() part = decrypt_cbc(info, OAUTH2_SETTINGS.ACCESS_TOKEN_SECRET_KEY).split('.') if len(part) != 6: raise InvalidAccessToken() client_pk, user_pk, expire2, scope, is_refreshable, checksum = base36_to_int(part[0]), base36_to_int(part[1]), \ part[2], part[3], part[4], part[5] if expire2 != expire: raise InvalidAccessToken() user_secret_key = UserClientSecretKey.objects.get_cached(user_id=user_pk, client=Client(pk=client_pk)).secret_key.encode('utf-8') if checksum != decrypt_cbc(check, user_secret_key): raise InvalidAccessToken() return client_pk, user_pk, scope, is_refreshable, expire_timestamp, user_secret_key
def unsubscribe(request, uidb36, token, step): if step == '1': return render_to_response('response.html', {'next_url': '/unsubscribe/' + uidb36 + '/' + token + '/2/', 'msg': 'Are you sure you want to unsubscribe?'}, context_instance=RequestContext(request)) elif step == '2': try: uid_int = base36_to_int(uidb36) except ValueError: raise Http404 user = get_object_or_404(User, id=uid_int) try: ts_b36, hash = token.split("-") ts = base36_to_int(ts_b36) except ValueError: return render_to_response('response.html', {'msg': 'The link is invalid!'}, context_instance=RequestContext(request)) from django.utils.hashcompat import sha_constructor hash2 = sha_constructor(unicode(user.id) + unicode(ts)).hexdigest()[::2] if (hash2 != hash) or (((date.today() - date(2001,1,1)).days - ts) > settings.PASSWORD_RESET_TIMEOUT_DAYS): return render_to_response('response.html', {'msg': 'The link is invalid!'}, context_instance=RequestContext(request)) user.email_chapter_optin = False user.save() return render_to_response('response.html', {'msg': 'Unsubscribe succeeded!'}, context_instance=RequestContext(request)) else: return render_to_response('response.html', {'msg': 'The link is invalid!'}, context_instance=RequestContext(request))
def authenticate(self, user_token, key_token): logger.debug("Attempting auth: user token is (%s, %d) " % (user_token, base36_to_int(user_token))) try: token_generator=PasswordResetTokenGenerator() user = get_object_or_404(User, pk=base36_to_int(user_token)) logger.debug("User: %s checking login token" % user.username) if token_generator.check_token( user, key_token) and user.is_active: logger.debug("User: %s authenticated via token" % user.username) return user except User.DoesNotExist: return None
def test_base36(self): # reciprocity works for n in [0, 1, 1000, 1000000]: self.assertEqual(n, http.base36_to_int(http.int_to_base36(n))) # bad input with self.assertRaises(ValueError): http.int_to_base36(-1) for n in ['1', 'foo', {1: 2}, (1, 2, 3), 3.141]: with self.assertRaises(TypeError): http.int_to_base36(n) for n in ['#', ' ']: with self.assertRaises(ValueError): http.base36_to_int(n) with self.assertRaises(ValueError) as cm: http.base36_to_int('1' * 14) self.assertEqual('Base36 input too large', str(cm.exception)) for n in [123, {1: 2}, (1, 2, 3), 3.141]: with self.assertRaises(TypeError): http.base36_to_int(n) # more explicit output testing for n, b36 in [(0, '0'), (1, '1'), (42, '16'), (818469960, 'django')]: self.assertEqual(http.int_to_base36(n), b36) self.assertEqual(http.base36_to_int(b36), n)
def get(self, request, *args, **kwargs): """ Check whether the activation link is valid, for this both the user id and the token should be valid. Messages are shown when user belonging to the user id is already active and when the account is successfully activated. In all other cases the activation failed template is shown. Finally if the user is successfully activated, log user in and redirect to their dashboard. """ try: user_id = base36_to_int(kwargs['uidb36']) user = LilyUser.objects.get(id=user_id) token = kwargs['token'] except (ValueError, LilyUser.DoesNotExist): # Show template as per normal TemplateView behaviour return TemplateView.get(self, request, *args, **kwargs) if self.token_generator.check_token(user, token): # Show activation message messages.info(request, _('I\'ve activated your account, please login.')) else: # Show template as per normal TemplateView behaviour return TemplateView.get(self, request, *args, **kwargs) # Set is_active to True and save the user user.is_active = True user.save() # Redirect to dashboard return redirect(reverse_lazy('login'))
def password_reset_confirm(request, uidb36=None, token=None): """View that checks the hash in a password reset link and presents a form for entering a new password. Based on django.contrib.auth.views. """ try: uid_int = base36_to_int(uidb36) except ValueError: raise Http404 user = get_object_or_404(User, id=uid_int) context = {} if default_token_generator.check_token(user, token): context['validlink'] = True if request.method == 'POST': form = SetPasswordForm(user, request.POST) if form.is_valid(): form.save() return HttpResponseRedirect(reverse('users.pw_reset_complete')) else: form = SetPasswordForm(None) else: context['validlink'] = False form = None context['form'] = form return jingo.render(request, 'users/pw_reset_confirm.html', context)
def authenticate(self, *args, **kwargs): if kwargs: username = kwargs.pop("username", None) if username: username_or_email = Q(username__iexact=username) | Q(email__iexact=username) password = kwargs.pop("password", None) try: user = User.objects.get(username_or_email, **kwargs) except User.DoesNotExist: pass else: if user.check_password(password): return user else: if 'uidb36' not in kwargs: return kwargs["id"] = base36_to_int(kwargs.pop("uidb36")) token = kwargs.pop("token") try: user = User.objects.get(**kwargs) except User.DoesNotExist: pass else: if default_token_generator.check_token(user, token): return user
def email_reset_complete(request, uidb36=None, token=None): # Check that the link is valid and the base36 corresponds to a user id assert uidb36 is not None and token is not None # checked by URLconf try: uid_int = base36_to_int(uidb36) user = User.objects.get(id=uid_int) except (ValueError, User.DoesNotExist): raise Http404 # Retreive the new mail from the DB try: rer = ResetEmailRequest.objects.get(user=user) except ResetEmailRequest.DoesNotExist: raise Http404 # Change the mail in the DB old_email = user.email user.email = rer.email user.save() # Remove temporal mail change information ftom the DB ResetEmailRequest.objects.get(user=user).delete() tvars = {'old_email': old_email, 'user': user} return render(request, 'accounts/email_reset_complete.html', tvars)
def check_token(self, user, token): """ Check that the token is correct for a given user """ # Parse the token try: ts_b36, hash = token.split("-") except ValueError: return False try: ts = base36_to_int(ts_b36) except ValueError: return False # Check that the timestamp/uid have not been tampered if self._make_token_with_timestamp(user, ts) != token: return False # Check that the timestamp is within limits if (self._num_days(self._today()) - ts) > self.timeout: return False return True
def decode_uid(pk): try: from django.utils.http import urlsafe_base64_decode return urlsafe_base64_decode(pk) except ImportError: from django.utils.http import base36_to_int return base36_to_int(pk)
def auto_login(request, uidb36, token, template="autologin/failed.html", redirect_to="/"): redirect = request.GET.get('next', None) args = request.GET.copy() if 'next' in args: del args['next'] args = args.urlencode() if redirect is None: redirect = redirect_to if args != "": if '?' in redirect: redirect += '&' else: redirect += '?' redirect += args User = get_user_model() try: user = User.objects.get(pk=base36_to_int(uidb36)) except (ValueError, User.DoesNotExist): user = None if request.user.is_authenticated(): if request.user == user: update_last_login(None, user) return HttpResponseRedirect(redirect) else: user = None if user is None or not default_token_generator.check_token(user, token): return TemplateResponse(request, template, {}, status=400) else: user.backend = 'django.contrib.auth.backends.ModelBackend' login(request, user) return HttpResponseRedirect(redirect)
def resolve_cpq_code(cpq_code, cpq_type=CPQType.INVOICE): """Returns the CPQ object (Quote or Invoice) for this `cpq_code` """ check_hash = cpq_code[:CPQ_CHECK_HASH_LENGTH] cpq_code = cpq_code[CPQ_CHECK_HASH_LENGTH:] if is_valid_cpq_code_check_hash(cpq_code, check_hash): if cpq_type == CPQType.INVOICE: CPQModel = resolve_model_dynamically(settings.HTK_CPQ_INVOICE_MODEL) elif cpq_type == CPQType.QUOTE: CPQModel = resolve_model_dynamically(settings.HTK_CPQ_QUOTE_MODEL) else: raise Exception('Bad value for cpq_type') try: padded = base36_to_int(cpq_code) if is_luhn_valid(padded): xored = padded / 10 cpq_id = xored ^ CPQ_XOR_KEY cpq = CPQModel.objects.get(id=cpq_id) else: cpq = None except ValueError: cpq = None except CPQModel.DoesNotExist: cpq = None else: cpq = None return cpq
def check_token(self, newsletter_recipient, token): """ Check that a newsletter unsubscribe token is correct for a given recipient. """ # Parse the token try: ts_b36, hash = token.split("-") except ValueError: return False try: ts = base36_to_int(ts_b36) except ValueError: return False # Check that the timestamp/uid has not been tampered with if not constant_time_compare( self._make_token_with_timestamp( newsletter_recipient, ts ), token ): return False return True
def check_token(self, user, token): """Check that a registration token is correct for a given user.""" # If the user is active, the hash can't be valid. if user.is_active: return False # Parse the token try: ts_b36, hash = token.split("-") except ValueError: return False try: ts = base36_to_int(ts_b36) except ValueError: return False # Check that the timestamp and uid have not been tampered with. if self._make_token_with_timestamp(user, ts) != token: return False # Check that the timestamp is within limit if (self._num_days(self._today()) - ts) > REGISTRATION_TIMEOUT_DAYS: return False return True
def check_token(self, user, token): """ @parameter{user,User} instance of the User whose Token should be checked. @parameter{token,string} Token to check @returns{bool} @val{true} for right Token, @val{false} for wrong Token """ try: ts_b36 = token.split("-")[0] except ValueError: return False try: uid = base36_to_int(ts_b36) except ValueError: return False # Check that the uid has not been tampered with if uid != user.id: return False if self.make_token(user) != token: return False return True
def password_reset_confirm(request, uidb36=None, token=None, template_name='registration/password_reset_confirm.html', token_generator=default_token_generator, set_password_form=SetPasswordForm, post_reset_redirect=None): """ View that checks the hash in a password reset link and presents a form for entering a new password. """ assert uidb36 is not None and token is not None # checked by URLconf if post_reset_redirect is None: post_reset_redirect = reverse('django.contrib.auth.views.password_reset_complete') try: uid_int = base36_to_int(uidb36) except ValueError: raise Http404 user = get_object_or_404(User, id=uid_int) context_instance = RequestContext(request) if token_generator.check_token(user, token): context_instance['validlink'] = True if request.method == 'POST': form = set_password_form(user, request.POST) if form.is_valid(): form.save() return HttpResponseRedirect(post_reset_redirect) else: form = set_password_form(None) else: context_instance['validlink'] = False form = None context_instance['form'] = form return render_to_response(template_name, context_instance=context_instance)
def password_reset_confirm(request, uidb36=None, token=None): """ Pulled from django contrib so that we can add user into the form so then we can show relevant messages about the user. """ assert uidb36 is not None and token is not None user = None try: uid_int = base36_to_int(uidb36) user = UserProfile.objects.get(id=uid_int) except (ValueError, UserProfile.DoesNotExist): pass if user is not None and default_token_generator.check_token(user, token): validlink = True if request.method == 'POST': form = forms.SetPasswordForm(user, request.POST) if form.is_valid(): form.save() log_cef('Password Changed', 5, request, username=user.username, signature='PASSWORDCHANGED', msg='User changed password') return redirect(reverse('django.contrib.auth.' 'views.password_reset_complete')) else: form = forms.SetPasswordForm(user) else: validlink = False form = None return jingo.render(request, 'users/pwreset_confirm.html', {'form': form, 'validlink': validlink})
def password_reset_from_key(request, uidb36, key, **kwargs): form_class = kwargs.get("form_class", ResetPasswordKeyForm) template_name = kwargs.get("template_name", "account/password_reset_from_key.html") token_generator = kwargs.get("token_generator", default_token_generator) group, bridge = group_and_bridge(kwargs) ctx = group_context(group, bridge) # pull out user try: uid_int = base36_to_int(uidb36) except ValueError: raise Http404 user = get_object_or_404(User, id=uid_int) if token_generator.check_token(user, key): if request.method == "POST": password_reset_key_form = form_class(request.POST, user=user, temp_key=key) if password_reset_key_form.is_valid(): password_reset_key_form.save() password_reset_key_form = None else: password_reset_key_form = form_class() ctx.update({ "form": password_reset_key_form, }) else: ctx.update({ "token_fail": True, }) return render_to_response(template_name, RequestContext(request, ctx))
def verify_email_view(request, uidb36, token): user = Hacker.objects.get(pk=base36_to_int(uidb36)) if default_token_generator.check_token(user, token): user.email_verified = True user.save() return HttpResponseRedirect(reverse_lazy('profile')) raise Http404
def get_user(self): try: uid_int = base36_to_int(self.kwargs["uid"]) except ValueError: raise Http404() self.user = get_object_or_404(get_user_model(), id=uid_int) return self.user
def _get_user(self, uidb36): # pull out user try: uid_int = base36_to_int(uidb36) except ValueError: raise Http404 return get_object_or_404(User, id=uid_int)
def check_token(self, user, token): """ Check that a password reset token is correct for a given user. """ # Parse the token try: ts_b36, hash = token.split("-") except ValueError: return False try: ts = base36_to_int(ts_b36) except ValueError: return False # Check that the timestamp/uid has not been tampered with if not constant_time_compare(self._make_token_with_timestamp(user, ts), token): # Fallback to Django 1.2 method for compatibility. # PendingDeprecationWarning <- here to remind us to remove this in # Django 1.5 if not constant_time_compare(self._make_token_with_timestamp_old(user, ts), token): return False # Check the timestamp is within limit if (self._num_days(self._today()) - ts) > settings.PASSWORD_RESET_TIMEOUT_DAYS: return False return True
def unsubscribe_notifications(request, uidb36=None, token=None): assert uidb36 is not None and token is not None # checked by URLconf # ensure working uid try: uid_int = base36_to_int(uidb36) except ValueError: raise Http404 # ensure user with uid exists try: user = User.objects.get(id=uid_int) except User.DoesNotExist: raise Http404 # check email hash matches hasher = ""#hashlib.md5() TODO hasher.update(user.email) if(token != hasher.hexdigest()): raise Http404 # add unsubscribe row if there isn't one in UserData user_data_cache = UserData.objects.filter(user=user, key = 'unsubscribe_notification_updates') if user_data_cache.count() == 0: user_data_cache = UserData(user=user, key = 'unsubscribe_notification_updates', value='') user_data_cache.save() return render_to_response("unsubscribe.html", context_instance=None)
def reset_confirm(request, uidb36=None, token=None): assert uidb36 is not None and token is not None validlink = False form = UserSetPasswordForm(None) try: uid_int = base36_to_int(uidb36) user = User.objects.get(id=uid_int) except (ValueError, User.DoesNotExist): user = None if user is not None and default_token_generator.check_token(user, token): validlink = True if request.method == 'POST': form = UserSetPasswordForm(user, request.POST) if form.is_valid(): form.save() messages.success(request, _(u'You have successfully reseted password, please sign in.')) return redirect('app_auth_sign_in') if not validlink: raise Http404 return direct_to_template(request, 'auth/reset_confirm.html', {'form': form})
def save(self, uidb36, token): password = self.cleaned_data.get('password') user = Hacker.objects.get(pk=base36_to_int(uidb36)) if default_token_generator.check_token(user, token): user.set_password(password) user.save() return user
def activate_account(request, uidb36=None, token=None, token_generator=default_token_generator, post_reset_redirect=None, current_app=None, extra_context=None): """ View that checks the hash in an activate account link. Modified from password reset link checker. """ assert uidb36 is not None and token is not None # checked by URLconf if post_reset_redirect is None: post_reset_redirect = reverse(home) try: uid_int = base36_to_int(uidb36) user = User.objects.get(pk=uid_int) except (ValueError, OverflowError, User.DoesNotExist): user = None if user is not None and token_generator.check_token(user, token): person = Person.objects.get(email=user.email) if person.account_status != 'unregistered': return HttpResponseRedirect(post_reset_redirect) os.system('sh fetchresults.sh --newcompetitor ' '{0} &'.format(str(person.eventor_id))) person.user = user person.account_status = 'new' person.save() user.backend = 'django.contrib.auth.backends.ModelBackend' login(request, user) welcome = """Hallå, välkommen till Orientalyst! Till vänster ser du länkar till graferna från dina senaste tävlingar. Under 'Dina tävlingar' högst upp kan du se alla tävlingar som finns registrerade på eventor.""" return home(request, welcome) else: # TODO make nice error message page here w 404 return HttpResponseRedirect(post_reset_redirect)
def email_change_confirm(self, request, extra_context=None, uidb36=None, token=None, email=None, token_generator=email_token_generator): """ Checks that ``token`` is valid, and if so, changes the user's email. :param token_generator: The token generator used to check the ``token``. """ assert uidb36 is not None and token is not None and email is not None try: uid_int = base36_to_int(uidb36) except: raise Http404 user = get_object_or_404(User, id=uid_int) email = '@'.join(email.rsplit('+', 1)) if email == user.email: # Then short-circuit. raise Http404 if token_generator.check_token(user, email, token): self.account_form.set_email(user, email) messages.add_message(request, messages.SUCCESS, 'Email changed successfully.') if self.manage_account_page: redirect = self.reverse('account', node=request.node) else: redirect = request.node.get_absolute_url() return HttpResponseRedirect(redirect) raise Http404
def get_queryset(self): """ Overriding super().get_queryset to limit the queryset based on a kwarg when provided. """ if self.queryset is not None: queryset = self.queryset if hasattr(queryset, '_clone'): queryset = queryset._clone() elif self.model is not None: # If kwarg is provided, try reducing the queryset if self.kwargs.get('b36_pks', None): try: # Convert base36 to int b36_pks = self.kwargs.get('b36_pks').split(';') int_pks = [] for pk in b36_pks: int_pks.append(base36_to_int(pk)) # Filter queryset queryset = self.model._default_manager.filter(pk__in=int_pks) except: queryset = self.model._default_manager.all() else: queryset = self.model._default_manager.all() else: raise ImproperlyConfigured(u"'%s' must define 'queryset' or 'model'" % self.__class__.__name__) if hasattr(self, 'select_related'): queryset = queryset.select_related(*self.select_related) if hasattr(self, 'prefetch_related'): queryset = queryset.prefetch_related(*self.prefetch_related) return queryset
def password_reset_from_key(request, uidb36, key, **kwargs): form_class = kwargs.get("form_class", ResetPasswordKeyForm) template_name = kwargs.get("template_name", "account/password_reset_from_key.html") token_generator = kwargs.get("token_generator", default_token_generator) # pull out user try: uid_int = base36_to_int(uidb36) except ValueError: raise Http404 user = get_object_or_404(User, id=uid_int) if token_generator.check_token(user, key): if request.method == "POST": password_reset_key_form = form_class(request.POST, user=user, temp_key=key) if password_reset_key_form.is_valid(): password_reset_key_form.save() messages.add_message(request, messages.SUCCESS, ugettext(u"Password successfully changed.") ) signals.password_reset.send(sender=request.user.__class__, request=request, user=request.user) password_reset_key_form = None else: password_reset_key_form = form_class() ctx = { "form": password_reset_key_form, } else: ctx = { "token_fail": True, } return render_to_response(template_name, RequestContext(request, ctx))
def _set_user(self, request): try: self.uid_int = base36_to_int(self.uidb36) if request.user.is_authenticated and request.user.id != self.uid_int: raise Http404 self.user = User.objects.get(id=self.uid_int) except (ValueError, User.DoesNotExist): # if there's any error getting a user, just let django's # password_reset_confirm function handle it. return super(PasswordResetConfirmWrapper, self).dispatch(request, uidb64=self.uidb64, token=self.token, extra_context=self.platform_name)
def uidb36_to_uidb64(uidb36): """ Needed to support old password reset URLs that use base36-encoded user IDs https://github.com/django/django/commit/1184d077893ff1bc947e45b00a4d565f3df81776#diff-c571286052438b2e3190f8db8331a92bR231 Args: uidb36: base36-encoded user ID Returns: base64-encoded user ID. Otherwise returns a dummy, invalid ID """ try: uidb64 = force_text(urlsafe_base64_encode(force_bytes(base36_to_int(uidb36)))) except ValueError: uidb64 = '1' # dummy invalid ID (incorrect padding for base64) return uidb64
def check_link(self, uidb36, token): """ Check if the link that the person is accessing the page from is a valid one """ try: uid_int = base36_to_int(uidb36) self.user = CustomUser.objects.get(id=uid_int) except (ValueError, OverflowError, CustomUser.DoesNotExist): self.user = None check_token = default_token_generator.check_token(self.user, token) self.valid_link = bool(self.user is not None and check_token) return self.valid_link
def _check_token_has_required_values(self, uidb36, token): """ Helper function to test that token string passed has the required kwargs needed to process token validation. """ if not uidb36 or not token: return False, None try: uid_int = base36_to_int(uidb36) except ValueError: return False, None return True, uid_int
def activate_user(request, uidb36=None, token=None): assert uidb36 is not None and token is not None try: uid_int = base36_to_int(uidb36) usr = get_object_or_404(Participant, id=uid_int) except Exception: return render_to_response('reactivation.html', {}) if token_generator.check_token(usr, token): usr.is_active = True usr.save() else: return render_to_response('reactivation.html', {}) return HttpResponseRedirect( '/login/?next=/change_preferences/') # yeah, right...
def email_verify(request, uidb36, token): """Verification for the user's email address.""" try: uid_int = base36_to_int(uidb36) user = User.objects.get(pk=uid_int) except (ValueError, OverflowError, User.DoesNotExist): return HttpResponseNotFound() valid = user.find_valid_email(token) if valid: valid.extra_data['verified'] = True valid.save() return render( request, 'registration/email_verified.html', {'valid': valid})
def activate(request, uidb64, token): try: uid = base36_to_int(uidb64) user = User.objects.get(pk=uid) except(TypeError, ValueError, OverflowError, User.DoesNotExist): user = None if user is not None and account_activation_token.check_token(user, token): user.is_active = True user.save() login(request, user) messages.success(request, ' Your Account has been successfully verified.') return redirect('index') else: return render(request, 'home/error.html', {'errors': 'Activation link is invalid!'})
def test_base36(self): # reciprocity works for n in [0, 1, 1000, 1000000]: self.assertEqual(n, http.base36_to_int(http.int_to_base36(n))) if six.PY2: self.assertEqual(sys.maxint, http.base36_to_int(http.int_to_base36(sys.maxint))) # bad input self.assertRaises(ValueError, http.int_to_base36, -1) if six.PY2: self.assertRaises(ValueError, http.int_to_base36, sys.maxint + 1) for n in ['1', 'foo', {1: 2}, (1, 2, 3), 3.141]: self.assertRaises(TypeError, http.int_to_base36, n) for n in ['#', ' ']: self.assertRaises(ValueError, http.base36_to_int, n) for n in [123, {1: 2}, (1, 2, 3), 3.141]: self.assertRaises(TypeError, http.base36_to_int, n) # more explicit output testing for n, b36 in [(0, '0'), (1, '1'), (42, '16'), (818469960, 'django')]: self.assertEqual(http.int_to_base36(n), b36) self.assertEqual(http.base36_to_int(b36), n)
def password_reset_confirm( request, uidb36=None, token=None, template_name='registration/password_reset_confirm.html', token_generator=default_token_generator, set_password_form=SetPasswordForm, post_reset_redirect=None, current_app=None, extra_context=None): '''View that checks the hash in a password reset link and presents a form for entering a new password. Doesn't need ``csrf_protect`` since no-one can guess the URL. ''' assert uidb36 is not None and token is not None # checked by URLconf if post_reset_redirect is None: post_reset_redirect = reverse('baph_password_change_complete') else: post_reset_redirect = resolve_url(post_reset_redirect) try: uid = base36_to_int(uidb36) user = get_object_or_404(User, id=uid) except (TypeError, ValueError, OverflowError): user = None if user is not None and token_generator.check_token(user, token): validlink = True title = _('Enter new password') if request.method == 'POST': form = set_password_form(user, request.POST) if form.is_valid(): form.save() return HttpResponseRedirect(post_reset_redirect) else: form = set_password_form(user) else: validlink = False form = None title = _('Password reset unsuccessful') context = { 'form': form, 'title': title, 'validlink': validlink, } if extra_context is not None: context.update(extra_context) return render_to_response(template_name, context, context_instance=RequestContext(request))
def password_reset_confirm( request, uidb36=None, token=None, template_name='registration/password_reset_confirm.html', token_generator=default_token_generator, set_password_form=SetPasswordForm, post_reset_redirect=None, current_app=None, extra_context=None): """ View that checks the hash in a password reset link and presents a form for entering a new password. """ UserModel = get_user_model() assert uidb36 is not None and token is not None # checked by URLconf if post_reset_redirect is None: post_reset_redirect = reverse( 'django.contrib.auth.views.password_reset_complete') else: post_reset_redirect = resolve_url(post_reset_redirect) try: uid_int = base36_to_int(uidb36) user = UserModel._default_manager.get(pk=uid_int) except (ValueError, OverflowError, UserModel.DoesNotExist): user = None if user is not None and token_generator.check_token(user, token): validlink = True if request.method == 'POST': form = set_password_form(user, request.POST) if form.is_valid(): form.save() return HttpResponseRedirect(post_reset_redirect) else: form = set_password_form(None) else: validlink = False form = None context = { 'form': form, 'validlink': validlink, } if extra_context is not None: context.update(extra_context) return TemplateResponse(request, template_name, context, current_app=current_app)
def get_user(self): # django 1.5 uses uidb36, django 1.6 uses uidb64 uidb36 = self.kwargs.get('uidb36') uidb64 = self.kwargs.get('uidb64') assert bool(uidb36) ^ bool(uidb64) try: if uidb36: uid = base36_to_int(uidb36) else: # urlsafe_base64_decode is not available in django 1.5 from django.utils.http import urlsafe_base64_decode uid = urlsafe_base64_decode(uidb64) return self.get_queryset().get(pk=uid) except (TypeError, ValueError, OverflowError, User.DoesNotExist): return None
def get_instance(self, request, uidb36, ts_b36, token): def create_token(instance): key_salt = "cadastro.forms.AtualizarCadastroLinkForm" value = u'%s%s' % ( instance.pk, instance.email, ) return salted_hmac(key_salt, value).hexdigest()[::2] try: uid_int = base36_to_int(uidb36) # Link só funciona 3 dia ts_int = base36_to_int(ts_b36) if ts_int + 3 < (date.today() - date(2001, 1, 1)).days: return None instance = Membro.objects.get(id=uid_int) except (ValueError, Membro.DoesNotExist): return None if not constant_time_compare(create_token(instance), token): return None return instance
def reset_psw_confirm(request, uid, token): from django.utils.http import base36_to_int user = User.objects.get(pk=base36_to_int(uid)) if request.method == 'POST': form = ResetPasswordForm(user, request.POST) if form.is_valid(): form.save() return render_to_response('users/reset_psw_done.html', {}) else: return TemplateResponse(request, 'users/reset_psw_confirm.html', {'form': form}) form = ResetPasswordForm(user) return TemplateResponse(request, 'users/reset_psw_confirm.html', {'form': form})
def get(self, request, *args, **kwargs): """ Check whether the activation link is valid, for this both the user id and the token should be valid. Messages are shown when user belonging to the user id is already active and when the account is successfully activated. In all other cases the activation failed template is shown. Finally if the user is successfully activated, log user in and redirect to their dashboard. """ try: user_id = base36_to_int(kwargs['uidb36']) user = LilyUser.objects.get(id=user_id) token = kwargs['token'] except (ValueError, LilyUser.DoesNotExist): # Show template as per normal TemplateView behaviour. return TemplateView.get(self, request, *args, **kwargs) if not self.token_generator.check_token(user, token): # Show template as per normal TemplateView behaviour. return TemplateView.get(self, request, *args, **kwargs) call_command('create_tenant', tenant=user.tenant.id) # Set is_active to True and save the user. user.is_active = True user.save() if settings.BILLING_ENABLED: tenant = user.tenant result = chargebee.Subscription.create({ 'plan_id': tenant.billing.plan.name, 'customer': { 'first_name': user.first_name, 'last_name': user.last_name, 'email': user.email, 'company': tenant.name, }, }) tenant.billing.customer_id = result.customer.id tenant.billing.subscription_id = result.subscription.id tenant.billing.save() # Programmatically login the user. user.backend = settings.AUTHENTICATION_BACKENDS[0] auth.login(request, user) return redirect(reverse_lazy('base_view'))
def invite_user_confirm(self, request, uidb36, token): """Performs confirmation of the invite user email.""" form = None admin_form = None # Get the user. try: uid_int = base36_to_int(uidb36) user = User.objects.get(id=uid_int) except (ValueError, User.DoesNotExist): valid_link = False user = None else: # Check the token. valid_link = default_token_generator.check_token(user, token) # Activate the account. if valid_link: # Process the form. if request.method == "POST": form = self.invite_confirm_form(user, request.POST) if form.is_valid(): user = form.save(commit=False) # Activate the user. user.is_active = True user.save() # Login the user. user = auth.authenticate(username=user.username, password=form.cleaned_data["password1"]) auth.login(request, user) # Message and redirect. self.message_user(request, "Thanks for signing up! We've saved your password and logged you in.") return redirect("{admin_site}:index".format( admin_site = self.admin_site.name, )) else: form = self.invite_confirm_form(user) admin_form = admin.helpers.AdminForm(form, self.invite_confirm_fieldsets, {}) # Render the template. if valid_link: title = "Welcome to the site!" else: title = "This link has expired" return render(request, self.invite_confirm_form_template, { "title": title, "opts": self.model._meta, "valid_link": valid_link, "form": form, "adminform": admin_form, "user": user, })
def custom_password_reset_confirm(request, uidb36=None, token=None, set_password_form=SetPasswordForm, template_name='registration/datasender_activate.html'): response = password_reset_confirm(request, uidb36=uidb36, token=token, set_password_form=set_password_form, template_name=template_name) if request.method == 'POST' and type(response) == HttpResponseRedirect: try: uid_int = base36_to_int(uidb36) user = User.objects.get(id=uid_int) except (ValueError, User.DoesNotExist): return response user.backend = 'django.contrib.auth.backends.ModelBackend' sign_in(request, user) redirect_url = django_settings.DATASENDER_DASHBOARD + '?activation=1' \ if user.get_profile().reporter else django_settings.HOME_PAGE return HttpResponseRedirect(redirect_url) return response
def check_token(self): uidb36 = self.kwargs.get('uidb36') token = self.kwargs.get('token') assert uidb36 is not None and token is not None user_id = base36_to_int(uidb36) user = User._default_manager.get(pk=user_id) valid = activation_token_generator.check_token(user, token) if not valid: raise PermissionDenied user.is_active = True user.save() # backend attribute needed to log user in user.backend = 'django.contrib.auth.backends.ModelBackend' login(self.request, user)
def is_expired(self, token): # Parse the token try: ts_b36, hash = token.split("-") ts = base36_to_int(ts_b36) except ValueError: return False if ts < 7228: ts = ts * 24 * 60 * 60 # Check the timestamp is within limit if (self._num_seconds(self._now()) - ts) > self.validity: return True return False
def check_token(self, user, token): """ Check that a password reset token is correct for a given user. """ # Parse the token try: ts_b36, hash = token.split("-") except ValueError: return False try: ts = base36_to_int(ts_b36) except ValueError: return False return True
def activate_email(request, uid, token): try: uid = base36_to_int(uid) user = User.objects.get(pk=uid) except User.DoesNotExist: user = None if user is not None and confirm_email_token_generator.check_token( user, token): user.is_active = True user.save() # Login automatically? return redirect('login') else: return HttpResponseBadRequest('Bad Token')
def url_str_to_user_pk(s): User = get_user_model() # TODO: Ugh, isn't there a cleaner way to determine whether or not # the PK is a str-like field? if getattr(User._meta.pk, 'remote_field', None): pk_field = User._meta.pk.remote_field.to._meta.pk else: pk_field = User._meta.pk if issubclass(type(pk_field), models.UUIDField): return pk_field.to_python(s) try: pk_field.to_python('a') pk = s except ValidationError: pk = base36_to_int(s) return pk
def active_account(request, uidb36, token): try: uid_int = base36_to_int(uidb36) except ValueError: raise Http404 user = get_object_or_404(User, id=uid_int) if user and default_token_generator.check_token(user, token): user.is_active = True user.save(update_fields=['is_active']) login(request, user, backend='django.contrib.auth.backends.ModelBackend') messages.success(request, 'Selamat, akun Anda sudah aktif') else: messages.warning(request, 'Maaf, ada masalah dengan aktivasi akun') return redirect("website:accounts:index")
def password_reset_confirm(request, uidb36=None, token=None, template_name='registration/password_reset_confirm.html', token_generator=default_token_generator, set_password_form=SetPasswordForm, post_reset_redirect=None, current_app=None, extra_context=None): """ View that checks the hash in a password reset link and presents a form for entering a new password. NOTE: we adapt this because we want to automatically log them in once they've set their new password. Because this is correct behaviour. And it's IMPOSSIBLE to do this in a form, because forms don't get a Request object as context. Sigh. """ UserModel = get_user_model() assert uidb36 is not None and token is not None # checked by URLconf if post_reset_redirect is None: post_reset_redirect = reverse('django.contrib.auth.views.password_reset_complete') try: uid_int = base36_to_int(uidb36) user = UserModel.objects.get(pk=uid_int) except (ValueError, OverflowError, UserModel.DoesNotExist): user = None if user is not None and token_generator.check_token(user, token): validlink = True if request.method == 'POST': form = set_password_form(user, request.POST) if form.is_valid(): user = form.save() user.backend = 'django.contrib.auth.backends.ModelBackend' login(request, user) return HttpResponseRedirect(post_reset_redirect) else: form = set_password_form(None) else: validlink = False form = None context = { 'form': form, 'validlink': validlink, } if extra_context is not None: context.update(extra_context) return TemplateResponse(request, template_name, context, current_app=current_app)
def check_token(self, user, token): """ Check that a password reset token is correct for a given user. """ if not (user and token): return False # Parse the token try: ts_b36, _ = token.split("-") except ValueError: return False try: ts = base36_to_int(ts_b36) new_ts = int(str(ts)[:12]) print(new_ts, "this is the new ts") except ValueError: return False # Check that the timestamp/uid has not been tampered with if not constant_time_compare( self._make_token_with_timestamp_fixed(user, ts), token): # RemovedInDjango40Warning: when the deprecation ends, replace # with: # return False if not constant_time_compare( self._make_token_with_timestamp_fixed( user, ts, legacy=True), token, ): #print(token, self._make_token_with_timestamp(user, ts, legacy=True)) return False print("pass through") # Check the timestamp is within limit. from django.conf import settings print(self._num_seconds(self._now())) print(ts, "this is the new timestamp") if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT: print(self._num_seconds(self._now())) #print(ts) print("timeout") return False return True
def validate(self, data): uid = data['uid'] key = data['key'] if data['new_password1'] != data['new_password2']: raise serializers.ValidationError( _('The two password fields did not match.')) try: pk = base36_to_int(uid) self.user = User.objects.get(pk=pk) if not password_reset_token_generator.check_token(self.user, key): raise serializers.ValidationError(_('bad token')) return data except EmailAddress.DoesNotExist: raise serializers.ValidationError(_('bad token'))
def password_reset_confirm(request, uidb36=None, token=None): response = django_password_reset_confirm(request, uidb36=uidb36, token=token, template_name='account/password_reset_confirm.html', post_reset_redirect=reverse('account-show')) # TODO: this is not the smartest of ideas # if django view returns 302, it is assumed that everything was fine # currently this seems safe to assume. if response.status_code == 302: uid_int = base36_to_int(uidb36) user = auth.models.User.objects.get(id=uid_int) login_user(request, user) messages.add_message(request, messages.SUCCESS, _('Your password has been set and you are now logged in.')) if 'next' in request.session: response['Location'] = request.session['next'] del request.session['next'] return response
def token_valid(timed_token): """Validate a timed token. Return the user id for which the token is valid, if the token is valid. Return -1 if the token is not (either because it is malformed or because it has expired). """ the_rand_value, the_user_id, the_soon, the_hmac = timed_token.split('|') computed_hmac = salted_hmac(the_soon, the_rand_value + str(the_user_id)).hexdigest()[:20] if computed_hmac != the_hmac: return -1 now = datetime.datetime.now().timestamp() if now > base36_to_int(the_soon): return -1 return int(the_user_id)
def test_cannot_change_mail_if_time_expired(self): regex_token = r"token=(([0-9a-z]*)-([0-9a-f]*))" new_mail = "*****@*****.**" send_confirmation_change_email(new_mail, str(self.person.pk)) match = re.search(regex_token, mail.outbox[0].body) ts = match.group(2) signature = match.group(3) token_expired = int_to_base36((base36_to_int(ts) - 8)) + "-" + signature params = { "new_email": new_mail, "user": str(self.person.pk), "token": token_expired, } ulr_expired = reverse("confirm_change_mail") + "?" + urlencode(params) res = self.client.get(ulr_expired) self.assertContains(res, "Il semble que celui-ci est expiré.")
def activate(self, request, uidb36, token): try: # uid = int(uidb64) uid = base36_to_int(uidb36) user = User.objects.get(pk=uid) except (TypeError, ValueError, OverflowError, User.DoesNotExist): user = None if user is not None and account_activation_token.check_token( user, token): user.email_verified = True user.save() # return user.email_verified return True # return HttpResponse('Thank you for confirming your Email.') else: # return user.email_verified return False
def password_reset_view(request, uidb36, token): try: user = User.objects.get(id=base36_to_int(uidb36)) except (ValueError, User.DoesNotExist): pass else: if default_token_generator.check_token(user, token): if request.method == 'GET': return render_to_response('reset.html') else: user.set_password(request.POST['new']) user.save() user.backend = AUTHENTICATION_BACKENDS[0] auth.login(request, user) return HttpResponseRedirect('/ide/') return HttpResponse(get_template('bad_reset.html').render(Context()), status=NOT_FOUND)