def forgot_password(request):
    """Display the forgot-password form or start a password recovery.

    On a valid POST the user owning ``email`` is looked up, a recovery code
    is derived from ``auth_secret_key`` and the user's id, and a link to the
    ``account.recovery_password`` route carrying ``user_name`` and ``code``
    is mailed to that address.  Every path returns ``{'form': form}``.
    """
    import urllib

    _ = get_localizer(request)
    settings = request.registry.settings
    form_cls = FormFactory(_).make_forgot_password_form()
    form = form_cls(request.params)
    user_model = UserModel(request.db_session)

    # GET, or a POST that failed form validation: just redisplay the form.
    if request.method != 'POST' or not form.validate():
        return dict(form=form)

    email = request.params['email']
    user = user_model.get_by_email(email)
    if user is None:
        # NOTE(review): this error tells the requester whether the address
        # is registered (account enumeration); a uniform "mail has been sent"
        # message would avoid that.
        form.email.errors.append(_(u'Cannot find the user'))
        return dict(form=form)

    # TODO: limit frequency here
    # NOTE(review): the code is computed from the secret key and user id
    # only, so it appears not to expire -- confirm against get_recovery_code.
    code = user_model.get_recovery_code(settings['auth_secret_key'],
                                        user.user_id)
    query = urllib.urlencode(dict(user_name=user.user_name, code=code))
    link = '%s?%s' % (request.route_url('account.recovery_password'), query)

    html = render_mail(
        request,
        'ez2pay:templates/mails/password_recovery.genshi',
        dict(link=link, user_name=user.user_name),
    )
    send_mail(
        request=request,
        subject=_('ez2pay password recovery'),
        to_addresses=[email],
        format='html',
        body=html,
    )
    request.add_flash(_(u'To reset your password, please check your '
                        'mailbox and click the password recovery link'))
    return dict(form=form)
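def recovery_password(request):
    """Display the password recovery form or apply the password change.

    The recovery link carries ``user_name`` and ``code`` as query
    parameters; ``code`` must equal the code derived from
    ``auth_secret_key`` and the user's id (the same derivation
    :func:`forgot_password` uses when it mails the link).

    Returns ``{'form': form}`` on GET or on a POST that fails validation,
    an ``HTTPNotFound`` for an unknown user and an ``HTTPForbidden`` for a
    wrong code.  A successful POST stores the new password inside a
    ``transaction.manager`` block and raises ``HTTPFound`` to ``front.home``.
    """
    import hmac

    def _to_bytes(value):
        # compare_digest needs both operands of the same type; the code from
        # the query string may be unicode while the derived one is a str.
        if isinstance(value, bytes):
            return value
        return value.encode('utf-8')

    _ = get_localizer(request)
    settings = request.registry.settings
    user_model = UserModel(request.db_session)
    redirect_url = request.route_url('front.home')

    # A link missing either parameter is answered like an unknown user or a
    # bad code instead of surfacing a KeyError as a 500.
    user_name = request.params.get('user_name', '')
    code = request.params.get('code', '')

    user = user_model.get_by_name(user_name)
    if user is None:
        return HTTPNotFound(_('No such user %s') % user_name)
    user_id = user.user_id

    # NOTE(review): the code depends only on the secret key and user id, so
    # it appears to stay valid indefinitely, including after the password
    # has been changed -- confirm against get_recovery_code.
    auth_secret_key = settings['auth_secret_key']
    valid_code = user_model.get_recovery_code(auth_secret_key, user_id)
    # Constant-time comparison so the response time does not reveal how
    # much of a guessed code matched.
    if not hmac.compare_digest(_to_bytes(code), _to_bytes(valid_code)):
        return HTTPForbidden(_('Bad password recovery link'))

    factory = FormFactory(_)
    RecoveryPasswordForm = factory.make_recovery_password_form()
    form = RecoveryPasswordForm(request.params, user_name=user_name, code=code)

    if request.method == 'POST' and form.validate():
        new_password = request.POST['new_password']
        with transaction.manager:
            user_model.update_password(user_id, new_password)
        request.add_flash(_(u'Your password has been updated'), 'success')
        raise HTTPFound(location=redirect_url)
    return dict(form=form)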