def recover_confirm(request, user_id, hash):
try:
password_hash = LostPasswordHash.objects.get(user=user_id, hash=hash)
if not password_hash.is_valid():
password_hash.delete()
raise LostPasswordHash.DoesNotExist
user = password_hash.user
except LostPasswordHash.DoesNotExist:
context = {}
tpl = "sentry/account/recover/failure.html"
else:
tpl = "sentry/account/recover/confirm.html"
if request.method == "POST":
form = ChangePasswordRecoverForm(request.POST)
if form.is_valid():
user.set_password(form.cleaned_data["password"])
user.save()
# Ugly way of doing this, but Django requires the backend be set
user = authenticate(username=user.username, password=form.cleaned_data["password"])
login_user(request, user)
password_hash.delete()
return login_redirect(request)
else:
form = ChangePasswordRecoverForm()
context = {"form": form}
return render_to_response(tpl, context, request)
def recover_confirm(request, user_id, hash):
try:
password_hash = LostPasswordHash.objects.get(user=user_id, hash=hash)
if not password_hash.is_valid():
password_hash.delete()
raise LostPasswordHash.DoesNotExist
user = password_hash.user
except LostPasswordHash.DoesNotExist:
context = {}
tpl = 'sentry/account/recover/failure.html'
else:
tpl = 'sentry/account/recover/confirm.html'
if request.method == 'POST':
form = ChangePasswordRecoverForm(request.POST)
if form.is_valid():
with transaction.atomic():
user.set_password(form.cleaned_data['password'])
user.refresh_session_nonce(request)
user.save()
# Ugly way of doing this, but Django requires the backend be set
user = authenticate(
username=user.username,
password=form.cleaned_data['password'],
)
login_user(request, user)
password_hash.delete()
capture_security_activity(
account=user,
type='password-changed',
actor=request.user,
ip_address=request.META['REMOTE_ADDR'],
send_email=True,
)
return login_redirect(request)
else:
form = ChangePasswordRecoverForm()
context = {
'form': form,
}
return render_to_response(tpl, context, request)
def recover_confirm(request, user_id, hash, mode='recover'):
try:
password_hash = LostPasswordHash.objects.get(user=user_id, hash=hash)
if not password_hash.is_valid():
password_hash.delete()
raise LostPasswordHash.DoesNotExist
user = password_hash.user
except LostPasswordHash.DoesNotExist:
tpl = get_template('failure', mode)
return render_to_response(tpl, {}, request)
if request.method == 'POST':
form = ChangePasswordRecoverForm(request.POST)
if form.is_valid():
with transaction.atomic():
user.set_password(form.cleaned_data['password'])
user.refresh_session_nonce(request)
user.save()
# Ugly way of doing this, but Django requires the backend be set
user = authenticate(
username=user.username,
password=form.cleaned_data['password'],
)
# Only log the user in if there is no two-factor on the
# account.
if not Authenticator.objects.user_has_2fa(user):
login_user(request, user)
password_hash.delete()
capture_security_activity(
account=user,
type='password-changed',
actor=request.user,
ip_address=request.META['REMOTE_ADDR'],
send_email=True,
)
return login_redirect(request)
else:
form = ChangePasswordRecoverForm()
tpl = get_template('confirm', mode)
context = {'form': form}
return render_to_response(tpl, context, request)
def recover_confirm(request, user_id, hash, mode='recover'):
try:
password_hash = LostPasswordHash.objects.get(user=user_id, hash=hash)
if not password_hash.is_valid():
password_hash.delete()
raise LostPasswordHash.DoesNotExist
user = password_hash.user
except LostPasswordHash.DoesNotExist:
tpl = get_template('failure', mode)
return render_to_response(tpl, {}, request)
if request.method == 'POST':
form = ChangePasswordRecoverForm(request.POST)
if form.is_valid():
with transaction.atomic():
user.set_password(form.cleaned_data['password'])
user.refresh_session_nonce(request)
user.save()
# Ugly way of doing this, but Django requires the backend be set
user = authenticate(
username=user.username,
password=form.cleaned_data['password'],
)
login_user(request, user)
password_hash.delete()
capture_security_activity(
account=user,
type='password-changed',
actor=request.user,
ip_address=request.META['REMOTE_ADDR'],
send_email=True,
)
return login_redirect(request)
else:
form = ChangePasswordRecoverForm()
tpl = get_template('confirm', mode)
context = {'form': form}
return render_to_response(tpl, context, request)
def recover_confirm(request, user_id, hash, mode="recover"):
try:
password_hash = LostPasswordHash.objects.get(user=user_id, hash=hash)
if not password_hash.is_valid():
password_hash.delete()
raise LostPasswordHash.DoesNotExist
user = password_hash.user
except LostPasswordHash.DoesNotExist:
return render_to_response(get_template(mode, "failure"), {}, request)
if request.method == "POST":
form = ChangePasswordRecoverForm(request.POST)
if form.is_valid():
with transaction.atomic():
user.set_password(form.cleaned_data["password"])
user.refresh_session_nonce(request)
user.save()
# Ugly way of doing this, but Django requires the backend be set
user = authenticate(username=user.username,
password=form.cleaned_data["password"])
# Only log the user in if there is no two-factor on the
# account.
if not Authenticator.objects.user_has_2fa(user):
login_user(request, user)
password_hash.delete()
capture_security_activity(
account=user,
type="password-changed",
actor=request.user,
ip_address=request.META["REMOTE_ADDR"],
send_email=True,
)
return login_redirect(request)
else:
form = ChangePasswordRecoverForm()
return render_to_response(get_template(mode, "confirm"), {"form": form},
request)
def recover_confirm(request, user_id, hash):
try:
password_hash = LostPasswordHash.objects.get(user=user_id, hash=hash)
if not password_hash.is_valid():
password_hash.delete()
raise LostPasswordHash.DoesNotExist
user = password_hash.user
except LostPasswordHash.DoesNotExist:
context = {}
tpl = 'sentry/account/recover/failure.html'
else:
tpl = 'sentry/account/recover/confirm.html'
if request.method == 'POST':
form = ChangePasswordRecoverForm(request.POST)
if form.is_valid():
user.set_password(form.cleaned_data['password'])
user.refresh_session_nonce(request)
user.save()
# Ugly way of doing this, but Django requires the backend be set
user = authenticate(
username=user.username,
password=form.cleaned_data['password'],
)
login_user(request, user)
password_hash.delete()
return login_redirect(request)
else:
form = ChangePasswordRecoverForm()
context = {
'form': form,
}
return render_to_response(tpl, context, request)
