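    def post(self, request, *args, **kwargs):
        """Handle a password-reset request for the e-mail in ``request.data``.

        Validates the payload, purges tokens older than the configured expiry
        window, looks up users by the configured lookup field
        (case-insensitive) and, for every user eligible for a reset, re-uses
        an existing token or creates a new one and emits
        ``reset_password_token_created`` with it.

        :raises exceptions.ValidationError: when the payload is invalid, or
            when no eligible user matches the e-mail and
            ``DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE`` is not set
            (the error text then reveals that no such account exists, which
            is exactly what that setting lets a project suppress).
        :return: ``Response`` with ``status_code``, ``status`` and ``message``.
        """
        serializer = self.serializer_class(data=request.data)
        serializer.is_valid(raise_exception=True)
        email = serializer.validated_data['email']

        # Purge tokens older than the configured expiry window (in hours)
        # before anything else happens.
        expiry_hours = get_password_reset_token_expiry_time()
        expiry_cutoff = timezone.now() - timedelta(hours=expiry_hours)
        clear_expired(expiry_cutoff)

        # Case-insensitive match on the configured lookup field.
        lookup = '{}__iexact'.format(get_password_reset_lookup_field())
        users = User.objects.filter(**{lookup: email})

        # Evaluate eligibility once per user and keep the result for both the
        # existence check and the token issuance below. A user is eligible
        # only if active and its password can actually be changed (e.g. an
        # LDAP-backed user may not be allowed to).
        eligible_users = [user for user in users if user.eligible_for_reset()]

        # Report "no such account" only when the project has not opted into
        # the no-information-leakage mode; with it set, the response is the
        # same whether or not the e-mail is known.
        no_leakage = getattr(settings, 'DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE', False)
        if not eligible_users and not no_leakage:
            raise exceptions.ValidationError({
                'email': [_(
                    "There is no active user associated with this e-mail address or the password can not be changed")],
            })

        for user in eligible_users:
            # Re-use the user's existing token if there is one; a single
            # sliced query replaces the count()-then-index pair.
            existing = user.password_reset_tokens.all()[:1]
            if existing:
                token = existing[0]
            else:
                token = ResetPasswordToken.objects.create(
                    user=user,
                    user_agent=request.META.get(HTTP_USER_AGENT_HEADER, ''),
                    ip_address=request.META.get(HTTP_IP_ADDRESS_HEADER, ''),
                )
            # Delivery of the token (e.g. the e-mail) is left to whoever
            # receives this signal.
            reset_password_token_created.send(sender=self.__class__, instance=self, reset_password_token=token)

        message = get_response_message("PASSWORD_REQUEST_ACCEPT")
        return Response({"status_code": 200, "status": "OK", "message": message})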
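    def post(self, request, *args, **kwargs):
        """Handle a password-reset request for the e-mail in ``request.data``.

        Validates the payload, purges tokens older than the configured expiry
        window, looks up users by the configured lookup field
        (case-insensitive) and, for every user eligible for a reset, re-uses
        an existing token or creates a new one and emits
        ``reset_password_token_created`` with it.

        :raises exceptions.ValidationError: when the payload is invalid, or
            when no eligible user matches the e-mail and
            ``DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE`` is not set
            (the error text then reveals that no such account exists, which
            is exactly what that setting lets a project suppress).
        :return: ``Response({'status': 'OK'})``.
        """
        serializer = self.serializer_class(data=request.data)
        serializer.is_valid(raise_exception=True)
        email = serializer.validated_data['email']

        # Purge tokens older than the configured expiry window (in hours)
        # before anything else happens.
        expiry_hours = get_password_reset_token_expiry_time()
        expiry_cutoff = timezone.now() - timedelta(hours=expiry_hours)
        clear_expired(expiry_cutoff)

        # Case-insensitive match on the configured lookup field.
        lookup = '{}__iexact'.format(get_password_reset_lookup_field())
        users = User.objects.filter(**{lookup: email})

        # Evaluate eligibility once per user and keep the result for both the
        # existence check and the token issuance below.
        eligible_users = [user for user in users if user.eligible_for_reset()]

        # Report "no such account" only when the project has not opted into
        # the no-information-leakage mode; with it set, the response is the
        # same whether or not the e-mail is known.
        no_leakage = getattr(settings, 'DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE', False)
        if not eligible_users and not no_leakage:
            raise exceptions.ValidationError({
                'email': [_(
                    "There is no active user associated with this e-mail address or the password can not be changed")],
            })

        for user in eligible_users:
            # Re-use the user's existing token if there is one; a single
            # sliced query replaces the count()-then-index pair.
            existing = user.password_reset_tokens.all()[:1]
            if existing:
                token = existing[0]
            else:
                token = ResetPasswordToken.objects.create(
                    user=user,
                    user_agent=request.META.get(
                        HTTP_USER_AGENT_HEADER, ''),
                    ip_address=request.META.get(
                        HTTP_IP_ADDRESS_HEADER, ''),
                )

            # Delivery of the token is left to whoever receives this signal.
            reset_password_token_created.send(
                sender=self.__class__, instance=self, reset_password_token=token)
        return Response({'status': 'OK'})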
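def check_active_user_by_mail(email):
    """Check that the requested email is linked to an active account.

    :param email: the email requested to reset the token.
    :type email: str
    :raises exceptions.ValidationError: when no matching user is eligible
        for a reset and ``check_active_user`` says this must be reported
        (it is passed the ``DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE``
        setting name so a project can opt out of revealing whether an
        account exists).
    :return: a queryset of every user matching the email (case-insensitive),
        not only the eligible ones.
    :rtype: Queryset<User>
    """
    lookup = "{field}__iexact".format(field=get_password_reset_lookup_field())
    users = User.objects.filter(**{lookup: email})

    # A user counts only if it is active and its password can actually be
    # changed (e.g. an LDAP-backed user may not be allowed to). any() stops
    # at the first eligible user.
    active_user_found = any(user.eligible_for_reset() for user in users)

    # No eligible user: raise, unless the project opted into not leaking
    # account existence (decided by check_active_user from the setting name).
    if check_active_user(  # noqa: WPS337
            active_user_found,
            "DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE"):
        raise exceptions.ValidationError(
            {
                "email": [
                    "{0} {1}".format(
                        "There is no active user associated with this e-mail",
                        "address or the password can not be changed",
                    )
                ],
            }, )
    return users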
 def get_users(self, value):
     """Return the users whose configured lookup field equals ``value``.

     The comparison is case-insensitive (``__iexact``) on the field named by
     ``get_password_reset_lookup_field()``.
     """
     lookup = '{}__iexact'.format(get_password_reset_lookup_field())
     return User.objects.filter(**{lookup: value})