def post(self, request, *args, **kwargs): serializer = self.serializer_class(data=request.data) serializer.is_valid(raise_exception=True) email = serializer.validated_data['email'] # before we continue, delete all existing expired tokens password_reset_token_validation_time = get_password_reset_token_expiry_time() # datetime.now minus expiry hours now_minus_expiry_time = timezone.now() - timedelta(hours=password_reset_token_validation_time) # delete all tokens where created_at < now - 24 hours clear_expired(now_minus_expiry_time) # find a user by email address (case insensitive search) users = User.objects.filter(**{'{}__iexact'.format(get_password_reset_lookup_field()): email}) active_user_found = False # iterate over all users and check if there is any user that is active # also check whether the password can be changed (is useable), as there could be users that are not allowed # to change their password (e.g., LDAP user) for user in users: if user.eligible_for_reset(): active_user_found = True # No active user found, raise a validation error # but not if DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE == True if not active_user_found and not getattr(settings, 'DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE', False): raise exceptions.ValidationError({ 'email': [_( "There is no active user associated with this e-mail address or the password can not be changed")], }) # last but not least: iterate over all users that are active and can change their password # and create a Reset Password Token and send a signal with the created token for user in users: if user.eligible_for_reset(): # define the token as none for now token = None # check if the user already has a token if user.password_reset_tokens.all().count() > 0: # yes, already has a token, re-use this token token = user.password_reset_tokens.all()[0] else: # no token exists, generate a new token token = ResetPasswordToken.objects.create( user=user, user_agent=request.META.get(HTTP_USER_AGENT_HEADER, ''), ip_address=request.META.get(HTTP_IP_ADDRESS_HEADER, ''), ) # send a signal that the password token was created # let whoever receives this signal handle sending the email for the password reset reset_password_token_created.send(sender=self.__class__, instance=self, reset_password_token=token) # done message = get_response_message("PASSWORD_REQUEST_ACCEPT") return Response({"status_code": 200, "status": "OK", "message": message})
def post(self, request, *args, **kwargs): serializer = self.serializer_class(data=request.data) serializer.is_valid(raise_exception=True) email = serializer.validated_data['email'] password_reset_token_validation_time = get_password_reset_token_expiry_time() now_minus_expiry_time = timezone.now( ) - timedelta(hours=password_reset_token_validation_time) clear_expired(now_minus_expiry_time) users = User.objects.filter( **{'{}__iexact'.format(get_password_reset_lookup_field()): email}) active_user_found = False for user in users: if user.eligible_for_reset(): active_user_found = True if not active_user_found and not getattr(settings, 'DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE', False): raise exceptions.ValidationError({ 'email': [_( "There is no active user associated with this e-mail address or the password can not be changed")], }) for user in users: if user.eligible_for_reset(): token = None if user.password_reset_tokens.all().count() > 0: token = user.password_reset_tokens.all()[0] else: token = ResetPasswordToken.objects.create( user=user, user_agent=request.META.get( HTTP_USER_AGENT_HEADER, ''), ip_address=request.META.get( HTTP_IP_ADDRESS_HEADER, ''), ) reset_password_token_created.send( sender=self.__class__, instance=self, reset_password_token=token) return Response({'status': 'OK'})
def check_active_user_by_mail(email): """Check that the requested email is linked to active account. :param email: the email requested to reset the token. :type email: str :raises exceptions.ValidationError: [description] :return: a queryset of active users :rtype: Queryset<User> """ users = User.objects.filter( **{ "{passwoord}__iexact".format(passwoord=get_password_reset_lookup_field( )): email }, ) active_user_found = False # iterate over all users and check if there is any user that is active # also check whether the password can be changed (is useable), as there # could be users that are not allowed # to change their password (e.g., LDAP user) for user in users: if user.eligible_for_reset(): active_user_found = True # No active user found, raise a validation error # but not if DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE == True if check_active_user( # noqa: WPS337 active_user_found, "DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE"): raise exceptions.ValidationError( { "email": [ "{0} {1}".format( "There is no active user associated with this e-mail", "address or the password can not be changed", ) ], }, ) return users
def get_users(self, value): return User.objects.filter( **{'{}__iexact'.format(get_password_reset_lookup_field()): value})