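def do_login():
    """Handle the login form: GET renders it, POST authenticates.

    The user is looked up by lower-cased ``username``; when the posted
    ``password`` checks out the user is logged in and sent to the ``next``
    query parameter (only if it is a same-site path) or the index page.
    Every failed attempt sleeps a random 1-2 s before rendering the error
    so that a known-username/wrong-password attempt takes as long as an
    unknown-username attempt.
    """

    def _local_target(target):
        """Return *target* if it is a same-site path, otherwise None.

        Rejects empty values, absolute URLs and protocol-relative forms
        (``//host`` and ``/\\host``) so ``next`` cannot be used as an
        open redirect to an external site.
        """
        if not target or not target.startswith('/'):
            return None
        if target.startswith(('//', '/\\')):
            return None
        return target

    if login.current_user.is_authenticated():
        return redirect(_local_target(request.args.get('next')) or url_for('index'))

    if request.method != "POST":
        return render_template("/users/login.html", name="Log in")

    # A missing field must not turn into an AttributeError (HTTP 500);
    # treat it as an empty credential, which simply fails to authenticate.
    username = request.form.get("username") or u""
    password = request.form.get("password") or u""

    try:
        user = User().getObjectsByKey(
            "username", unicode(username).lower(), limit=1)[0]
    except Exception:
        # No such user (or a backend error): fall through to the generic
        # failure path rather than surfacing a 500.
        traceback.print_exc(file=sys.stdout)
        user = None
        print("User not found")

    if user is not None and user.checkPassword(
            urllib2.unquote(password.encode('utf-8'))):
        print("Username and password correct")
        login.login_user(user)
        return redirect(_local_target(request.args.get('next')) or url_for('index'))

    if user is not None:
        print("Password incorrect")
    # Delay on *every* failure, not only the unknown-user path; otherwise the
    # response time reveals whether the username exists.
    time.sleep(1 + random.random())
    return render_template(
        "/users/login.html", name="Log in",
        error="This username/password combination does not exist.")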
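def userSave(id):
    """Persist edits to the user whose ``_id`` is *id* from the posted form.

    A new password is applied only when ``new-password`` is non-empty and the
    current password is confirmed, both entries match, it has at least 8
    characters and it is not in the common-password list.  The profile
    fields (username, firstname, lastname, email) are always updated.
    Redirects to the ``back`` query parameter -- only when it is a same-site
    path, else the user's edit page -- with an ``error=...`` or
    ``success=true`` query string; 404 if the user does not exist, 400 if a
    required profile field is missing.

    NOTE(review): nothing visible here checks that the requesting user is
    allowed to edit *id*, and username/email can change without re-entering
    the password -- confirm an authorisation decorator protects this view.
    """
    try:
        user = User().getObjectsByKey("_id", id)[0]
    except Exception:
        return abort(404)

    data = dict(request.form)

    # A missing profile field would otherwise surface as a KeyError (HTTP
    # 500); a malformed form is a client error.
    try:
        username = data["username"][0]
        firstname = data["firstname"][0]
        lastname = data["lastname"][0]
        email = data["email"][0]
    except (KeyError, IndexError):
        return abort(400)

    edit_page = "/users/%s/edit" % id
    back = request.args.get("back", edit_page)
    # Follow ``back`` only when it is a local path; absolute and
    # protocol-relative targets (``//host``, ``/\host``) would make this an
    # open redirect.
    if not back.startswith('/') or back.startswith(('//', '/\\')):
        back = edit_page

    def _form_password(field):
        """Return the URL-unquoted unicode value of *field* ("" if absent)."""
        return urllib2.unquote(data.get(field, [""])[0].decode("utf-8"))

    oldPassword = _form_password("old-password")
    newPassword = _form_password("new-password")
    newPasswordAgain = _form_password("new-password-again")

    if newPassword:
        if not user.checkPassword(oldPassword):
            return redirect(back + "?error=password-incorrect")
        if newPassword != newPasswordAgain:
            return redirect(back + "?error=password-nomatch")
        if len(newPassword) < 8:
            return redirect(back + "?error=password-tooshort")
        if newPassword in User.getMostCommonPasswords():
            return redirect(back + "?error=password-toocommon")
        user.setPassword(newPassword)

    user.username = username
    user.firstname = firstname
    user.lastname = lastname
    user.email = email
    user.save()
    return redirect(back + "?success=true")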