def forgot_password(request):
"""
Forgot password view
Sends an email with an url to renew forgotten password
"""
fp_form = auth_forms.ForgotPassForm(request.form,
username=request.GET.get('username'))
if request.method == 'POST' and fp_form.validate():
# '$or' not available till mongodb 1.5.3
user = request.db.User.find_one(
{'username': request.form['username']})
if not user:
user = request.db.User.find_one(
{'email': request.form['username']})
if user:
if user.email_verified and user.status == 'active':
user.fp_verification_key = unicode(uuid.uuid4())
user.fp_token_expire = datetime.datetime.now() + \
datetime.timedelta(days=10)
user.save()
send_fp_verification_email(user, request)
messages.add_message(
request,
messages.INFO,
_("An email has been sent with instructions on how to "
"change your password."))
email_debug_message(request)
else:
# special case... we can't send the email because the
# username is inactive / hasn't verified their email
messages.add_message(
request,
messages.WARNING,
_("Could not send password recovery email as "
"your username is inactive or your account's "
"email address has not been verified."))
return redirect(
request, 'mediagoblin.user_pages.user_home',
user=user.username)
return redirect(request, 'mediagoblin.auth.login')
else:
messages.add_message(
request,
messages.WARNING,
_("Couldn't find someone with that username or email."))
return redirect(request, 'mediagoblin.auth.forgot_password')
return render_to_response(
request,
'mediagoblin/auth/forgot_password.html',
{'fp_form': fp_form})
def forgot_password(request):
"""
Forgot password view
Sends an email with an url to renew forgotten password.
Use GET querystring parameter 'username' to pre-populate the input field
"""
fp_form = auth_forms.ForgotPassForm(request.form,
username=request.args.get('username'))
if not (request.method == 'POST' and fp_form.validate()):
# Either GET request, or invalid form submitted. Display the template
return render_to_response(request,
'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form})
# If we are here: method == POST and form is valid. username casing
# has been sanitized. Store if a user was found by email. We should
# not reveal if the operation was successful then as we don't want to
# leak if an email address exists in the system.
found_by_email = '@' in fp_form.username.data
if found_by_email:
user = User.query.filter_by(
email = fp_form.username.data).first()
# Don't reveal success in case the lookup happened by email address.
success_message=_("If that email address (case sensitive!) is "
"registered an email has been sent with instructions "
"on how to change your password.")
else: # found by username
user = User.query.filter_by(
username = fp_form.username.data).first()
if user is None:
messages.add_message(request,
messages.WARNING,
_("Couldn't find someone with that username."))
return redirect(request, 'mediagoblin.auth.forgot_password')
success_message=_("An email has been sent with instructions "
"on how to change your password.")
if user and not(user.email_verified and user.status == 'active'):
# Don't send reminder because user is inactive or has no verified email
messages.add_message(request,
messages.WARNING,
_("Could not send password recovery email as your username is in"
"active or your account's email address has not been verified."))
return redirect(request, 'mediagoblin.user_pages.user_home',
user=user.username)
# SUCCESS. Send reminder and return to login page
if user:
user.fp_verification_key = unicode(uuid.uuid4())
user.fp_token_expire = datetime.datetime.now() + \
datetime.timedelta(days=10)
user.save()
email_debug_message(request)
send_fp_verification_email(user, request)
messages.add_message(request, messages.INFO, success_message)
return redirect(request, 'mediagoblin.auth.login')
