Exemplo n.º 1
def change_forgotten_password(request, user_id, token):
    """Validate a password-reset link, then show or process the reset form.

    The account is looked up by ``user_id``, ``token`` is checked with
    ``is_password_change_token_valid`` and ``ResetPasswordForm`` is asked
    whether the reset is still allowed. Each failure is answered with
    HTTP 400.

    A POST is handed to ``process_forgotten_password_form``; any other
    method receives the account's username and e-mail address.
    """
    user_model = auth.get_user_model()

    def bad_request(detail):
        return Response({'detail': detail},
                        status=status.HTTP_400_BAD_REQUEST)

    # An unknown account and a bad token share one message and one status,
    # so the response body does not tell the two cases apart.
    try:
        user = user_model.objects.get(pk=user_id)
    except user_model.DoesNotExist:
        return bad_request(_("Form link is invalid. Please try again."))

    if not is_password_change_token_valid(user, token):
        return bad_request(_("Form link is invalid. Please try again."))

    # NOTE(review): nothing here rejects a signed-in session that belongs to
    # a different account than the one the link names; confirm that is
    # intended.
    try:
        ResetPasswordForm().confirm_allowed(user)
    except ValidationError:
        return bad_request(_("Your link has expired. Please request new one."))

    if request.method != 'POST':
        # The e-mail address is only returned once the token check passed.
        return Response({'username': user.username, 'email': user.email})
    return process_forgotten_password_form(request, user)
Exemplo n.º 2
def change_forgotten_password(request, pk, token):
    """Set a new password for the account named by a reset link.

    The link is refused with HTTP 400 when the account does not exist, when
    a signed-in requester is a different user, when the token fails
    ``is_password_change_token_valid``, or when the account requires
    activation or has a ban. The new password is read from
    ``request.data['password']``, stripped of surrounding whitespace, checked
    with ``validate_password`` and saved. On success the username is
    returned.
    """
    user_model = auth.get_user_model()

    invalid_message = _("Form link is invalid. Please try again.")
    expired_message = _("Your link has expired. Please request new one.")

    def bad_request(detail):
        return Response({'detail': detail},
                        status=status.HTTP_400_BAD_REQUEST)

    try:
        try:
            user = user_model.objects.get(pk=pk)
        except user_model.DoesNotExist:
            raise PasswordChangeFailed(invalid_message)

        # Unknown account, mismatched session and bad token all use the same
        # message, so the reply does not say which check failed.
        signed_in_as_other = (request.user.is_authenticated()
                              and request.user.id != user.id)
        if signed_in_as_other:
            raise PasswordChangeFailed(invalid_message)
        if not is_password_change_token_valid(user, token):
            raise PasswordChangeFailed(invalid_message)

        if user.requires_activation or get_user_ban(user):
            raise PasswordChangeFailed(expired_message)
    except PasswordChangeFailed as failure:
        return bad_request(failure.args[0])

    try:
        # NOTE(review): strip() alters the password the user typed and raises
        # AttributeError if the submitted value is not a string; confirm both
        # are acceptable. validate_password() is called without the user, so
        # validators that compare against user attributes have nothing to
        # compare with.
        new_password = request.data.get('password', '').strip()
        validate_password(new_password)
        user.set_password(new_password)
        user.save()
    except ValidationError as failure:
        return bad_request(failure.messages[0])

    return Response({'username': user.username})
Exemplo n.º 3
def reset_password_form(request, pk, token):
    """Render the forgotten-password form for a reset link, or an error page.

    Responds 404 when no user has primary key ``pk``. Renders the error
    template with status 400 when a signed-in requester is a different user
    or when ``token`` fails ``is_password_change_token_valid``. Raises
    ``Banned`` when ``get_user_ban`` returns a ban. Otherwise the URL of the
    password-change API is stored in ``request.frontend_context`` and the
    form template is rendered.
    """
    requesting_user = get_object_or_404(get_user_model(), pk=pk)

    def fail(template):
        raise ResetError(template % {'user': requesting_user.username})

    try:
        if (request.user.is_authenticated
                and request.user.id != requesting_user.id):
            fail(_("%(user)s, your link has expired. "
                   "Please request new link and try again."))

        if not is_password_change_token_valid(requesting_user, token):
            # NOTE(review): this message names the account even though the
            # token was not accepted, and an unknown pk gives 404 instead of
            # 400. A visitor without a valid token can therefore map ids to
            # usernames; acceptable only if usernames are public here.
            fail(_("%(user)s, your link is invalid. "
                   "Please try again or request new link."))

        ban = get_user_ban(requesting_user)
        if ban:
            # Not handled by the except clause below unless Banned derives
            # from ResetError; presumably dealt with further up the stack.
            raise Banned(ban)
    except ResetError as error:
        context = {'message': error.args[0]}
        return render(request, 'misago/forgottenpassword/error.html',
                      context, status=400)

    # The API URL embeds both pk and token, so the front end receives the
    # reset token as part of this context value.
    url_kwargs = {'pk': pk, 'token': token}
    api_url = reverse('misago:api:change-forgotten-password',
                      kwargs=url_kwargs)

    request.frontend_context['CHANGE_PASSWORD_API'] = api_url
    return render(request, 'misago/forgottenpassword/form.html')
Exemplo n.º 4
def reset_password_form(request, user_id, token):
    """Render the forgotten-password form for a reset link, or an error page.

    Responds 404 when no user has primary key ``user_id``. Renders the error
    template with status 400 when a signed-in requester is a different user
    or when ``token`` fails ``is_password_change_token_valid``. Raises
    ``Banned`` when ``get_user_ban`` returns a ban. Otherwise the URL of the
    password-change API is stored in ``request.frontend_context`` and the
    form template is rendered.
    """
    user_model = get_user_model()
    requesting_user = get_object_or_404(user_model.objects, pk=user_id)

    try:
        other_account_signed_in = (
            request.user.is_authenticated() and
            request.user.id != requesting_user.id)
        if other_account_signed_in:
            expired = _("%(user)s, your link has expired. "
                        "Please request new link and try again.")
            raise ResetError(expired % {'user': requesting_user.username})

        if not is_password_change_token_valid(requesting_user, token):
            # NOTE(review): the username is shown although the token was
            # rejected, and an unknown id answers 404 rather than 400, so
            # ids can be mapped to usernames without a valid link. Fine only
            # if usernames are public on this site.
            invalid = _("%(user)s, your link is invalid. "
                        "Please try again or request new link.")
            raise ResetError(invalid % {'user': requesting_user.username})

        ban = get_user_ban(requesting_user)
        if ban:
            # Escapes this function unless Banned derives from ResetError.
            raise Banned(ban)
    except ResetError as error:
        return render(
            request,
            'misago/forgottenpassword/error.html',
            {'message': error.args[0]},
            status=400)

    # The reversed URL carries the token, so the token is exposed to the
    # front end through this context entry.
    api_url = reverse(
        'misago:api:change_forgotten_password',
        kwargs={'user_id': user_id, 'token': token})

    request.frontend_context['CHANGE_PASSWORD_API_URL'] = api_url
    return render(request, 'misago/forgottenpassword/form.html')
Exemplo n.º 5
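def change_forgotten_password(request, user_id, token):
    """Validate a password-reset link, then show or process the reset form.

    The account is looked up by ``user_id``. The link is refused with
    HTTP 400 when the account does not exist, when a signed-in requester is a
    different user, when ``token`` fails ``is_password_change_token_valid``,
    or when ``ResetPasswordForm.confirm_allowed`` raises ``ValidationError``.

    A POST is handed to ``process_forgotten_password_form``; any other
    method receives the account's username and e-mail address.
    """
    User = auth.get_user_model()
    invalid_message = _("Form link is invalid. Please try again.")

    try:
        user = User.objects.get(pk=user_id)
        # is_authenticated belongs to the user object, not to the request, so
        # the session check has to go through request.user. Calling it on the
        # request would fail before the comparison is ever made.
        # A session for another account is reported exactly like an unknown
        # user id, so the reply does not say which of the two happened.
        if request.user.is_authenticated() and request.user.id != user.id:
            raise User.DoesNotExist()
    except User.DoesNotExist:
        return Response({'detail': invalid_message},
                        status=status.HTTP_400_BAD_REQUEST)

    if not is_password_change_token_valid(user, token):
        return Response({'detail': invalid_message},
                        status=status.HTTP_400_BAD_REQUEST)

    try:
        form = ResetPasswordForm()
        form.confirm_allowed(user)
    except ValidationError:
        message = _("Your link has expired. Please request new one.")
        return Response({'detail': message},
                        status=status.HTTP_400_BAD_REQUEST)

    if request.method == 'POST':
        return process_forgotten_password_form(request, user)

    # The e-mail address is only returned once the token check passed.
    return Response({
        'username': user.username,
        'email': user.email,
    })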
Exemplo n.º 6
def change_forgotten_password(request, pk, token):
    """Change a forgotten password.

    POST /auth/change-password/user/token/ with CSRF and new password.

    The link is refused with HTTP 400 when no active account has primary key
    ``pk``, when a signed-in requester is a different user, when ``token``
    fails ``is_password_change_token_valid``, or when the account requires
    activation or has a ban. The password from ``request.data`` is checked
    with ``validate_password`` against the account and then saved. On success
    the username is returned.
    """
    invalid_message = _("Form link is invalid. Please try again.")
    expired_message = _("Your link has expired. Please request new one.")

    def bad_request(detail):
        return Response(
            {'detail': detail},
            status=status.HTTP_400_BAD_REQUEST,
        )

    try:
        try:
            # Inactive accounts are filtered out here and therefore get the
            # same reply as an unknown id.
            user = UserModel.objects.get(pk=pk, is_active=True)
        except UserModel.DoesNotExist:
            raise PasswordChangeFailed(invalid_message)

        # Mismatched session and bad token share the "invalid" message, so
        # the reply does not say which check failed.
        if request.user.is_authenticated and request.user.id != user.id:
            raise PasswordChangeFailed(invalid_message)
        if not is_password_change_token_valid(user, token):
            raise PasswordChangeFailed(invalid_message)

        if user.requires_activation or get_user_ban(user):
            raise PasswordChangeFailed(expired_message)
    except PasswordChangeFailed as failure:
        return bad_request(failure.args[0])

    try:
        # The password is used exactly as submitted; passing user= lets the
        # validators take the account into consideration.
        new_password = request.data.get('password', '')
        validate_password(new_password, user=user)
        user.set_password(new_password)
        user.save()
    except ValidationError as failure:
        return bad_request(failure.messages[0])

    return Response({'username': user.username})
Exemplo n.º 7
def change_forgotten_password(request, pk, token):
    """Change a forgotten password.

    POST /auth/change-password/user/token/ with CSRF and new password.

    Answers HTTP 400 with a ``detail`` message when the link or the new
    password is rejected, and returns the username once the password has
    been saved.
    """
    invalid_message = _("Form link is invalid. Please try again.")
    expired_message = _("Your link has expired. Please request new one.")

    try:
        try:
            # Only active accounts are considered.
            user = UserModel.objects.get(pk=pk, is_active=True)
        except UserModel.DoesNotExist:
            raise PasswordChangeFailed(invalid_message)

        # A session that belongs to another account, or a token that does
        # not validate for this account, is reported with the same message
        # as an unknown id.
        wrong_session = (request.user.is_authenticated
                         and request.user.id != user.id)
        if wrong_session or not is_password_change_token_valid(user, token):
            raise PasswordChangeFailed(invalid_message)

        # Accounts awaiting activation or carrying a ban may not reset.
        if user.requires_activation or get_user_ban(user):
            raise PasswordChangeFailed(expired_message)
    except PasswordChangeFailed as link_error:
        payload = {'detail': link_error.args[0]}
        return Response(payload, status=status.HTTP_400_BAD_REQUEST)

    try:
        new_password = request.data.get('password', '')
        # Validation receives the user so validators can take the account
        # into consideration.
        validate_password(new_password, user=user)
        user.set_password(new_password)
        user.save()
    except ValidationError as password_error:
        payload = {'detail': password_error.messages[0]}
        return Response(payload, status=status.HTTP_400_BAD_REQUEST)

    return Response({'username': user.username})
Exemplo n.º 8
    def decorator(request, *args, **kwargs):
        """Resolve ``user_id`` to a user and vet the reset token, then call ``f``.

        When ``user_id`` is among the keyword arguments it is replaced by a
        ``user`` argument holding the matching account (404 if none). The
        wrapped view is only called if ``kwargs['token']`` passes
        ``is_password_change_token_valid`` and
        ``ResetPasswordForm.confirm_allowed`` accepts the user; otherwise a
        404 response with a ``detail`` message is returned.
        """
        # NOTE(review): without a ``user_id`` keyword none of the checks run
        # and ``f`` is called as-is; confirm every route that needs the token
        # check actually supplies ``user_id``.
        if 'user_id' not in kwargs:
            return f(request, *args, **kwargs)

        user_model = get_user_model()
        user = get_object_or_404(user_model.objects, pk=kwargs.pop('user_id'))
        kwargs['user'] = user

        # ``token`` is read unconditionally, so a route that passes
        # ``user_id`` without ``token`` raises KeyError here.
        if not is_password_change_token_valid(user, kwargs['token']):
            return Response(
                {'detail': _("Your link is invalid. Please try again.")},
                status=status.HTTP_404_NOT_FOUND)

        try:
            ResetPasswordForm().confirm_allowed(user)
        except ValidationError:
            return Response(
                {'detail': _("Your link has expired. Please request new one.")},
                status=status.HTTP_404_NOT_FOUND)

        return f(request, *args, **kwargs)
Exemplo n.º 9
    def decorator(request, *args, **kwargs):
        """Swap ``user_id`` for a vetted ``user`` before calling ``f``.

        Applies only when ``user_id`` is a keyword argument: the account is
        fetched (404 if missing), stored under ``user``, and the request is
        answered with 404 and a ``detail`` message unless the token is valid
        and ``ResetPasswordForm.confirm_allowed`` accepts the user.
        """
        def not_found(detail):
            return Response({'detail': detail},
                            status=status.HTTP_404_NOT_FOUND)

        # NOTE(review): a call without ``user_id`` skips the whole block and
        # reaches ``f`` unchecked; verify that this is intended for every
        # decorated view.
        if 'user_id' in kwargs:
            account_id = kwargs.pop('user_id')
            user = get_object_or_404(get_user_model().objects, pk=account_id)
            kwargs['user'] = user

            token_ok = is_password_change_token_valid(user, kwargs['token'])
            if not token_ok:
                return not_found(_("Your link is invalid. Please try again."))

            try:
                ResetPasswordForm().confirm_allowed(user)
            except ValidationError:
                return not_found(
                    _("Your link has expired. Please request new one."))

        return f(request, *args, **kwargs)
Exemplo n.º 10
def change_forgotten_password(request, user_id, token):
    """Set a new password for the account named by a reset link.

    Answers HTTP 400 with a ``detail`` message when the account is unknown,
    when a signed-in requester is a different user, when ``token`` fails
    ``is_password_change_token_valid``, when the account requires activation
    or has a ban, or when ``validate_password`` rejects the new password.
    Returns the username once the password has been saved.
    """
    user_model = auth.get_user_model()

    invalid_message = _("Form link is invalid. Please try again.")
    expired_message = _("Your link has expired. Please request new one.")

    try:
        try:
            user = user_model.objects.get(pk=user_id)
        except user_model.DoesNotExist:
            raise PasswordChangeFailed(invalid_message)

        # The three "invalid" outcomes share one message, so the reply does
        # not say whether the id, the session or the token was the problem.
        requester = request.user
        if requester.is_authenticated() and requester.id != user.id:
            raise PasswordChangeFailed(invalid_message)
        if not is_password_change_token_valid(user, token):
            raise PasswordChangeFailed(invalid_message)

        if user.requires_activation or get_user_ban(user):
            raise PasswordChangeFailed(expired_message)
    except PasswordChangeFailed as link_error:
        body = {'detail': link_error.args[0]}
        return Response(body, status=status.HTTP_400_BAD_REQUEST)

    try:
        # NOTE(review): strip() alters the password the user typed and raises
        # AttributeError if the submitted value is not a string; confirm both
        # are acceptable. validate_password() is called without the user.
        submitted = request.data.get('password', '')
        new_password = submitted.strip()
        validate_password(new_password)
        user.set_password(new_password)
        user.save()
    except ValidationError as password_error:
        body = {'detail': password_error.messages[0]}
        return Response(body, status=status.HTTP_400_BAD_REQUEST)

    return Response({'username': user.username})
Exemplo n.º 11
def reset_password_form(request, pk, token):
    """Render the forgotten-password form for a reset link, or an error page.

    Responds 404 when no active user has primary key ``pk``. Renders the
    error template with status 400 when a signed-in requester is a different
    user or when ``token`` fails ``is_password_change_token_valid``. Raises
    ``Banned`` when ``get_user_ban`` returns a ban. Otherwise the id and
    token are placed in the front-end store and the form template is
    rendered.
    """
    requesting_user = get_object_or_404(
        get_user_model(), pk=pk, is_active=True)

    def fail(template):
        raise ResetError(template % {'user': requesting_user.username})

    try:
        signed_in_as_other = (request.user.is_authenticated
                              and request.user.id != requesting_user.id)
        if signed_in_as_other:
            fail(_(
                "%(user)s, your link has expired. Please request new link and try again."
            ))

        if not is_password_change_token_valid(requesting_user, token):
            # NOTE(review): the username is shown although the token was
            # rejected, and an unknown or inactive pk answers 404 rather than
            # 400, so ids can be mapped to usernames without a valid link.
            # Fine only if usernames are public on this site.
            fail(_(
                "%(user)s, your link is invalid. Please try again or request new link."
            ))

        ban = get_user_ban(requesting_user)
        if ban:
            # Escapes this function unless Banned derives from ResetError.
            raise Banned(ban)
    except ResetError as error:
        error_context = {'message': error.args[0]}
        return render(request, 'misago/forgottenpassword/error.html',
                      error_context, status=400)

    # The token is handed to the front end through the store.
    reset_link = {'id': pk, 'token': token}
    request.frontend_context['store'].update({
        'forgotten_password': reset_link,
    })

    return render(request, 'misago/forgottenpassword/form.html')
Exemplo n.º 12
 def validate_token(self, value):
     """Return ``value`` if it is a valid password-change token.

     The token is checked against ``self.instance`` with
     ``is_password_change_token_valid``; a rejected token raises
     ``ValidationError`` with a single message that covers both the invalid
     and the expired case.
     """
     token_ok = is_password_change_token_valid(self.instance, value)
     if token_ok:
         return value
     raise ValidationError(
         _("Form link is invalid or expired. Please try again."))