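def reset_email(userid, secret):
    """Second step of the password reset flow: consume a reset link.

    ``userid`` and ``secret`` both come from the URL and are untrusted.
    logout_internal() runs first, so the reset proceeds on a clean session
    rather than on behalf of whoever happens to be logged in.

    Outcomes: 404 when ``userid`` matches no user; an "invalid" page when no
    PasswordResetRequest for that user carries ``secret``; an "expired" page
    (and the request row is deleted) when the request is older than 24 hours;
    otherwise the new-password form, and on a valid submission the password
    is stored, the request row deleted, and a completion page rendered. The
    row is removed on expiry and on use, so a link can be consumed once.
    """
    logout_internal()
    user = User.query.filter_by(userid=userid).first()
    if not user:
        abort(404)
    # The code is matched only among this user's own requests, so a code
    # issued for one account cannot be replayed against a different userid.
    resetreq = PasswordResetRequest.query.filter_by(user=user, reset_code=secret).first()
    if not resetreq:
        return render_message(title="Invalid reset link",
            message=Markup("The reset link you clicked on is invalid."))
    # NOTE(review): compares a naive utcnow() with created_at — assumes
    # created_at is stored as naive UTC; confirm on the model.
    if resetreq.created_at < datetime.utcnow() - timedelta(days=1):
        # Reset code has expired (> 24 hours). Delete it so it cannot be
        # retried later.
        db.session.delete(resetreq)
        db.session.commit()
        return render_message(title="Expired reset link",
            message=Markup("The reset link you clicked on has expired."))

    # Reset code is valid. Now ask user to choose a new password
    form = PasswordResetForm()
    if form.validate_on_submit():
        # Assumes the User.password setter hashes the value — TODO confirm.
        user.password = form.password.data
        # Single use: the request is burned in the same transaction that
        # stores the new password.
        db.session.delete(resetreq)
        db.session.commit()
        return render_message(title="Password reset complete", message=Markup(
            'Your password has been reset. You may now <a href="%s">login</a> with your new password.' % escape(url_for('login'))))
    # fullname is user-supplied data being interpolated into a Markup string;
    # escape it (as confirm_email does) instead of treating it as trusted HTML.
    return render_form(form=form, title="Reset password", formid='reset', submit="Reset password",
        message=Markup('Hello, <strong>%s</strong>. You may now choose a new password.' % escape(user.fullname)),
        ajax=True)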
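def reset():
    """First step of the password reset flow: email a reset link.

    Renders PasswordResetRequestForm (username or email address). Once it
    validates, a PasswordResetRequest is created for ``form.user`` and its
    reset code is handed to send_password_reset_link. The destination is the
    submitted value itself when it looks like an address (contains '@' but
    does not start with one), otherwise the user's stored address. Accounts
    with no address at all are pointed at SITE_SUPPORT_EMAIL instead. The
    request row is committed only after the send call returns.

    Fix: ``user.email`` can be None (confirm_email in this file tests
    ``user.email is None``), and ``unicode(None)`` is the truthy string
    u'None', so the "no email address" guard never fired for such accounts
    and a reset code would have been addressed to "None". A missing address
    is now kept as None so the guard works.

    NOTE(review): mailing the typed-in address is only safe if the form's
    validation resolved ``form.user`` from that exact address (the form is
    not shown here) — confirm, otherwise a reset code could be sent to an
    address the account holder does not control.
    """
    form = PasswordResetRequestForm()
    if not form.validate_on_submit():
        return render_form(form=form, title="Reset password", submit="Send reset code", ajax=True)

    submitted = form.username.data
    account = form.user
    # A leading '@' marks a handle rather than an address, so only a later
    # '@' means the user typed an email.
    if not submitted.startswith('@') and '@' in submitted:
        destination = submitted
    elif account.email is None:
        # No address on file; leave it None so the guard below triggers.
        destination = None
    else:
        # User.email is a UserEmail object; unicode() gives the address string
        destination = unicode(account.email)

    if not destination:
        # No stored address (e.g. a Twitter login that later set a local
        # username and password). Point them at support instead.
        support = escape(app.config['SITE_SUPPORT_EMAIL'])
        return render_message(title="Reset password", message=Markup(
            """
            We do not have an email address for your account and therefore cannot
            email you a reset link. Please contact
            <a href="mailto:%s">%s</a> for assistance.
            """ % (support, support)))

    request_row = PasswordResetRequest(user=account)
    db.session.add(request_row)
    # Send before commit (order kept from the original): presumably so a
    # failed send leaves no dangling request row behind.
    send_password_reset_link(email=destination, user=account, secret=request_row.reset_code)
    db.session.commit()
    return render_message(title="Reset password", message=Markup(
        u"""
            You were sent an email at <code>%s</code> with a link to reset your password.
            Please check your email. If it doesn’t arrive in a few minutes,
            it may have landed in your spam or junk folder.
            The reset link is valid for 24 hours.
            """ % escape(destination)))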
def confirm_email(md5sum, secret):
    """Verify an email claim from a confirmation link.

    Looks up the pending UserEmailClaim by the ``md5sum`` in the URL, checks
    ``secret`` against its verification code, and requires the visitor to be
    logged in as the claimant (``g.user``). On success the address is added
    to that user (as primary when they had no email yet), the claim row is
    deleted, and a confirmation page is rendered.

    Responses: 404 when no claim matches ``md5sum``; 403 when the code is
    wrong or ``g.user`` is not the claimant (a logged-out visitor, with
    ``g.user`` unset, fails that comparison too).

    NOTE(review): the code is compared with plain ``==``; a constant-time
    comparison (hmac.compare_digest) would close the timing side channel
    once both operands are guaranteed to be the same string type.
    NOTE(review): the lookup is by md5sum alone, which presumably assumes at
    most one pending claim per address — confirm against the model.
    """
    claim = UserEmailClaim.query.filter_by(md5sum=md5sum).first()
    if claim is None:
        # No such email claim
        abort(404)
    if claim.verification_code != secret:
        # Verification code doesn't match
        abort(403)
    # Written as ``not (a == b)`` rather than ``!=`` to keep exactly the
    # original equality semantics on the model objects.
    if not (g.user == claim.user):
        # Logged in as someone else (or not at all). Abort
        abort(403)

    # Claim verified. Bind the owner before the claim row goes away.
    owner = claim.user
    becomes_primary = owner.email is None
    useremail = owner.add_email(claim.email, primary=becomes_primary)
    db.session.delete(claim)
    db.session.commit()
    return render_message(title="Email address verified",
        message=Markup("Hello %s! Your email address <code>%s</code> has now been verified." % (
            escape(owner.fullname), escape(useremail.email))))