def do_c(self, request, token = ''):
if not token:
# TODO: show a form where they can paste in their token?
raise Http404
token = token.rstrip('/').encode('utf8')
try:
value = signed.unsign(token, key = (
self.confirm_link_secret or settings.SECRET_KEY
) + self.confirm_link_salt)
except signed.BadSignature:
return self.show_message(
request, self.invalid_token_message,
self.invalid_token_message + ': ' + token
)
# Only line change compared with django-openid
user_id = value
user = self.lookup_user_by_id(user_id)
if not user: # Maybe the user was deleted?
return self.show_error(request, self.r_user_not_found_message)
# Check user is NOT active but IS in the correct group
if self.user_is_unconfirmed(user):
# Confirm them
try:
user = User.view('%s/users_by_username' % User._meta.app_label,
key=user.username, include_docs=True).first()
except ResourceNotFound:
user = None
if user:
self.mark_user_confirmed(user)
self.log_in_user(request, user)
return self.on_registration_complete(request)
else:
return self.show_error(request, self.c_already_confirmed_message)
def do_c(self, request, token = ''):
if not token:
# TODO: show a form where they can paste in their token?
raise Http404
token = token.rstrip('/').encode('utf8')
try:
value = signed.unsign(token, key = (
self.confirm_link_secret or settings.SECRET_KEY
) + self.confirm_link_salt)
except signed.BadSignature:
return self.show_message(
request, self.invalid_token_message,
self.invalid_token_message + ': ' + token
)
user_id = hex_to_int(value)
user = self.lookup_user_by_id(user_id)
if not user: # Maybe the user was deleted?
return self.show_error(request, r_user_not_found_message)
# Check user is NOT active but IS in the correct group
if self.user_is_unconfirmed(user):
# Confirm them
user.is_active = True
user.save()
self.mark_user_confirmed(user)
self.log_in_user(request, user)
return self.on_registration_complete(request)
else:
return self.show_error(request, self.c_already_confirmed_message)
def do_c(self, request, token=''):
if not token:
# TODO: show a form where they can paste in their token?
raise Http404
token = token.rstrip('/').encode('utf8')
try:
value = signed.unsign(
token,
key=(self.confirm_link_secret or settings.SECRET_KEY) +
self.confirm_link_salt)
except signed.BadSignature:
return self.show_message(request, self.invalid_token_message,
self.invalid_token_message + ': ' + token)
user_id = hex_to_int(value)
user = self.lookup_user_by_id(user_id)
if not user: # Maybe the user was deleted?
return self.show_error(request, self.r_user_not_found_message)
# Check user is NOT active but IS in the correct group
if self.user_is_unconfirmed(user):
# Confirm them
user.is_active = True
user.save()
self.mark_user_confirmed(user)
self.log_in_user(request, user)
return self.on_registration_complete(request)
else:
return self.show_error(request, self.c_already_confirmed_message)
def do_c(self, request, token=''):
if not token:
# TODO: show a form where they can paste in their token?
raise Http404
token = token.rstrip('/').encode('utf8')
try:
value = signed.unsign(
token,
key=(self.confirm_link_secret or settings.SECRET_KEY) +
self.confirm_link_salt)
except signed.BadSignature:
return self.show_message(request, self.invalid_token_message,
self.invalid_token_message + ': ' + token)
# Only line change compared with django-openid
user_id = value
user = self.lookup_user_by_id(user_id)
if not user: # Maybe the user was deleted?
return self.show_error(request, self.r_user_not_found_message)
# Check user is NOT active but IS in the correct group
if self.user_is_unconfirmed(user):
# Confirm them
try:
user = User.view('%s/users_by_username' % User._meta.app_label,
reduce=False,
key=user.username,
include_docs=True).first()
except ResourceNotFound:
user = None
if user:
self.mark_user_confirmed(user)
self.log_in_user(request, user)
return self.on_registration_complete(request)
else:
return self.show_error(request, self.c_already_confirmed_message)
def unsign_detects_tampering(self):
value = "Another string"
signed_value = signed.sign(value)
transforms = (lambda s: s.upper(), lambda s: s + "a", lambda s: "a" + s[1:], lambda s: s.replace(":", ""))
self.assertEqual(value, signed.unsign(signed_value))
for transform in transforms:
self.assertRaises(signed.BadSignature, signed.unsign, transform(signed_value))
def sign_is_reversible(self):
examples = (
'q;wjmbk;wkmb',
'3098247529087',
'3098247:529:087:',
'jkw osanteuh ,rcuh nthu aou oauh ,ud du',
u'\u2019'.encode('utf8'),
)
for example in examples:
self.assert_(example != signed.sign(example))
self.assertEqual(example, signed.unsign(utils.sign(example)))
def sign_is_reversible(self):
examples = (
'q;wjmbk;wkmb',
'3098247529087',
'3098247:529:087:',
'jkw osanteuh ,rcuh nthu aou oauh ,ud du',
u'\u2019'.encode('utf8'),
)
for example in examples:
self.assert_(example != signed.sign(example))
self.assertEqual(example, signed.unsign(utils.sign(example)))
def sign_is_reversible(self):
examples = (
"q;wjmbk;wkmb",
"3098247529087",
"3098247:529:087:",
"jkw osanteuh ,rcuh nthu aou oauh ,ud du",
u"\u2019".encode("utf8"),
)
for example in examples:
self.assert_(example != signed.sign(example))
self.assertEqual(example, signed.unsign(utils.sign(example)))
def unsign_detects_tampering(self):
value = 'Another string'
signed_value = signed.sign(value)
transforms = (
lambda s: s.upper(),
lambda s: s + 'a',
lambda s: 'a' + s[1:],
lambda s: s.replace(':', ''),
)
self.assertEqual(value, signed.unsign(signed_value))
for transform in transforms:
self.assertRaises(signed.BadSignature, signed.unsign,
transform(signed_value))
def unsign_detects_tampering(self):
value = 'Another string'
signed_value = signed.sign(value)
transforms = (
lambda s: s.upper(),
lambda s: s + 'a',
lambda s: 'a' + s[1:],
lambda s: s.replace(':', ''),
)
self.assertEqual(value, signed.unsign(signed_value))
for transform in transforms:
self.assertRaises(
signed.BadSignature, signed.unsign, transform(signed_value)
)
def do_r(self, request, token=''):
if not token:
# TODO: show a form where they can paste in their token?
raise Http404
token = token.rstrip('/').encode('utf8')
try:
value = signed.unsign(
token,
key=(self.recovery_link_secret or settings.SECRET_KEY) +
self.recovery_link_salt)
except signed.BadSignature:
return self.show_message(request, self.invalid_token_message,
self.invalid_token_message + ': ' + token)
hex_days, hex_user_id = (value.split('.') + ['', ''])[:2]
days = hex_to_int(hex_days)
user_id = hex_to_int(hex_user_id)
user = self.lookup_user_by_id(user_id)
if not user: # Maybe the user was deleted?
return self.show_error(request, r_user_not_found_message)
# Has the token expired?
now_days = (datetime.date.today() - self.recovery_origin_date).days
if (now_days - days) > self.recovery_expires_after_days:
return self.render(
request, self.recovery_expired_template, {
'days': self.recovery_expires_after_days,
'recover_url': urljoin(request.path, '../../recover/'),
})
# Token is valid! Log them in as that user and show the recovery page
self.log_in_user(request, user)
return self.render(
request, self.recovery_complete_template, {
'change_password_url': urljoin(request.path,
'../../password/'),
'associate_url': urljoin(request.path, '../../associations/'),
'user': user,
})
def do_r(self, request, token = ''):
if not token:
# TODO: show a form where they can paste in their token?
raise Http404
token = token.rstrip('/').encode('utf8')
try:
value = signed.unsign(token, key = (
self.recovery_link_secret or settings.SECRET_KEY
) + self.recovery_link_salt)
except signed.BadSignature:
return self.show_message(
request, self.invalid_token_message,
self.invalid_token_message + ': ' + token
)
hex_days, hex_user_id = (value.split('.') + ['', ''])[:2]
days = hex_to_int(hex_days)
user_id = hex_to_int(hex_user_id)
user = self.lookup_user_by_id(user_id)
if not user: # Maybe the user was deleted?
return self.show_error(request, r_user_not_found_message)
# Has the token expired?
now_days = (datetime.date.today() - self.recovery_origin_date).days
if (now_days - days) > self.recovery_expires_after_days:
return self.render(request, self.recovery_expired_template, {
'days': self.recovery_expires_after_days,
'recover_url': urljoin(request.path, '../../recover/'),
})
# Token is valid! Log them in as that user and show the recovery page
self.log_in_user(request, user)
return self.render(request, self.recovery_complete_template, {
'change_password_url': urljoin(request.path, '../../password/'),
'associate_url': urljoin(request.path, '../../associations/'),
'user': user,
})
