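def forgot_password(request):
    """
    Forgot password view

    Sends an email with an url to renew forgotten password.

    Account-enumeration policy: a lookup that looks like an email address
    (contains '@') must never reveal whether that address is registered,
    so an unknown address, an inactive account and an account whose email
    is not verified all end with the same generic message and the same
    redirect (no email is sent in the last two cases).  A lookup by
    username may report failure explicitly, since usernames are already
    exposed by public user pages.

    NOTE(review): the pre-population parameter is read via ``request.GET``
    here but via ``request.args`` in the sibling implementation below —
    confirm which attribute the request object actually provides.
    """
    fp_form = auth_forms.ForgotPassForm(request.form,
                                        username=request.GET.get('username'))

    if not (request.method == 'POST' and fp_form.validate()):
        # GET, or an invalid submission: just render the form.
        return render_to_response(
            request,
            'mediagoblin/auth/forgot_password.html',
            {'fp_form': fp_form})

    lookup = request.form['username']
    by_email = '@' in lookup

    # '$or' not available till mongodb 1.5.3, so query one field at a time:
    # username first, then email (same order as before).
    user = request.db.User.find_one({'username': lookup})
    if not user:
        user = request.db.User.find_one({'email': lookup})

    def _sendable(u):
        # Only active accounts with a verified address may receive a reset link.
        return bool(u) and u.email_verified and u.status == 'active'

    def _issue_and_send(u):
        # uuid4 is backed by os.urandom in CPython, so the key is unpredictable.
        # 10 days is a long validity window for a reset token — consider
        # shortening it.
        u.fp_verification_key = unicode(uuid.uuid4())
        u.fp_token_expire = datetime.datetime.now() + \
            datetime.timedelta(days=10)
        u.save()
        send_fp_verification_email(u, request)
        email_debug_message(request)

    if by_email:
        # Same message and redirect whether or not the address is registered,
        # and whether or not the account can actually receive the email.
        if _sendable(user):
            _issue_and_send(user)
        messages.add_message(
            request, messages.INFO,
            _("If that email address is registered an email has been sent "
              "with instructions on how to change your password."))
        return redirect(request, 'mediagoblin.auth.login')

    if not user:
        messages.add_message(
            request, messages.WARNING,
            _("Couldn't find someone with that username or email."))
        return redirect(request, 'mediagoblin.auth.forgot_password')

    if not _sendable(user):
        # special case... we can't send the email because the
        # username is inactive / hasn't verified their email
        messages.add_message(
            request, messages.WARNING,
            _("Could not send password recovery email as "
              "your username is inactive or your account's "
              "email address has not been verified."))
        return redirect(
            request, 'mediagoblin.user_pages.user_home',
            user=user.username)

    _issue_and_send(user)
    messages.add_message(
        request, messages.INFO,
        _("An email has been sent with instructions on how to "
          "change your password."))
    return redirect(request, 'mediagoblin.auth.login')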
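def forgot_password(request):
    """
    Forgot password view

    Sends an email with an url to renew forgotten password.
    Use GET querystring parameter 'username' to pre-populate the input
    field.

    Account-enumeration policy: a lookup by *email address* must never
    reveal whether that address is registered.  Every email-based outcome
    (unknown address, inactive account, unverified email) therefore ends
    with the same generic message and the same redirect; only the
    "send the email" side effect differs.  A lookup by *username* may be
    explicit, since usernames are already exposed by public user pages.
    """
    fp_form = auth_forms.ForgotPassForm(request.form,
                                        username=request.args.get('username'))

    if not (request.method == 'POST' and fp_form.validate()):
        # Either GET request, or invalid form submitted. Display the template
        return render_to_response(request,
            'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form})

    # If we are here: method == POST and form is valid. username casing
    # has been sanitized.
    found_by_email = '@' in fp_form.username.data

    if found_by_email:
        user = User.query.filter_by(email=fp_form.username.data).first()
        # Don't reveal success in case the lookup happened by email address.
        success_message = _("If that email address (case sensitive!) is "
                            "registered an email has been sent with instructions "
                            "on how to change your password.")
        # An inactive / unverified account must be indistinguishable from an
        # unknown address: skip the email but fall through to the generic
        # message.  Showing the "inactive" warning here (and redirecting to
        # the account's home page) would confirm the address is registered
        # and disclose the username behind it.
        if user is not None and not (user.email_verified
                                     and user.status == 'active'):
            user = None
    else:
        # found by username
        user = User.query.filter_by(username=fp_form.username.data).first()
        if user is None:
            messages.add_message(request, messages.WARNING,
                _("Couldn't find someone with that username."))
            return redirect(request, 'mediagoblin.auth.forgot_password')
        if not (user.email_verified and user.status == 'active'):
            # Don't send reminder because user is inactive or has no verified
            # email.  Usernames are public, so being explicit is acceptable.
            messages.add_message(request, messages.WARNING,
                _("Could not send password recovery email as your username is in"
                  "active or your account's email address has not been verified."))
            return redirect(request, 'mediagoblin.user_pages.user_home',
                            user=user.username)
        success_message = _("An email has been sent with instructions "
                            "on how to change your password.")

    # SUCCESS. Send reminder and return to login page
    if user:
        # uuid4 is backed by os.urandom in CPython, so the key is
        # unpredictable.  10 days is a long validity window for a reset
        # token — consider shortening it.  The expiry is a naive local
        # datetime; the consumer of fp_token_expire must compare against
        # the same clock.
        user.fp_verification_key = unicode(uuid.uuid4())
        user.fp_token_expire = datetime.datetime.now() + \
            datetime.timedelta(days=10)
        user.save()
        email_debug_message(request)
        send_fp_verification_email(user, request)

    messages.add_message(request, messages.INFO, success_message)
    return redirect(request, 'mediagoblin.auth.login')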