Пример #1
0
def login(request, user):
    """
    Persist a user id and a backend in the request. This way a user doesn't
    have to reauthenticate on every request. Note that data set during
    the anonymous session is retained when the user logs in.
    """
    session_auth_hash = ''
    if user is None:
        user = request.user
    if hasattr(user, 'get_session_auth_hash'):
        session_auth_hash = user.get_session_auth_hash()

    if SESSION_KEY in request.session:
        if _get_user_session_key(request) != user.pk or (
                session_auth_hash and
                request.session.get(HASH_SESSION_KEY) != session_auth_hash):
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
            request.session.flush()
    else:
        request.session.cycle_key()
    request.session[SESSION_KEY] = user._meta.pk.value_to_string(user)
    request.session[BACKEND_SESSION_KEY] = user.backend
    request.session[HASH_SESSION_KEY] = session_auth_hash
    if hasattr(request, 'user'):
        request.user = user
    rotate_token(request)
    user_logged_in.send(sender=user.__class__, request=request, user=user)
Пример #2
0
        def rate_wrap(request, *args, **kwargs):
            if request.method == 'POST':
                session = request.session
                now = time()
                k_timeout = '{}_timeout'.format(scope)
                k_attempts = '{}_attempts'.format(scope)
                # Reset expired counter
                if (k_timeout in session and
                        k_attempts in session and
                        session[k_timeout] <= now):
                    session[k_attempts] = 0

                # Get current attempts
                attempts = session.get(k_attempts, 0)

                # Did we hit the limit?
                if attempts >= get_rate_setting(scope, 'ATTEMPTS'):
                    # Rotate session token
                    rotate_token(request)
                    # Logout user
                    if request.user.is_authenticated:
                        logout(request)
                    messages.error(
                        request,
                        _('Too many attempts, you have been logged out!')
                    )
                    return redirect('login')

                session[k_attempts] = attempts + 1
                if k_timeout not in session:
                    window = get_rate_setting(scope, 'WINDOW')
                    session[k_timeout] = now + window

            return function(request, *args, **kwargs)
Пример #3
0
def collection(request):
    ren = None
    if request.method == "POST":
        curr.execute("delete from reader_user_token where token=(%s)", (get_token(request),))
        conn.commit()
        rotate_token(request)
    else:
        if request.method == "GET":
            curr.execute("select user_id from reader_user_token where token=(%s)", (get_token(request),))
            if curr.rowcount == 1:
                curr.execute("update reader_user_token set last_use=(select clock_timestamp()) where token=(%s)", (get_token(request),))
                conn.commit()
                curr.execute("""select user_email from reader_user where id = 
                                (select user_id from reader_user_token where token=(%s))""", (get_token(request),))
                content = {"email" : curr.fetchone()[0]}
                curr.execute("select id, title, url, favicon, is_active from reader_site where user_id = (select user_id from reader_user_token where token=(%s)) order by id", (get_token(request),))
                rows = curr.fetchall()
                rowarray = []
                for row in rows:
                    d = collections.OrderedDict()
                    d['id'] = row[0]
                    if row[1] is None:
                        d['title'] = ""
                    else:
                        d['title'] = row[1]
                    d['url'] = row[2]
                    dd = row[2].split('/')
                    d['favicon'] = row[3] or (('http://' + dd[0] if dd[0] != 'http:' else dd[0] + '//' +  dd[2]) + '/favicon.ico')
                    d['is_active'] = row[4]
                    rowarray.append(d)
                content.update({"sites" : rowarray})
                ren = render(request, 'collection.html', content)
    if ren is None:
        ren = redirect('index')
    return ren
Пример #4
0
 def get(self, request):
     logout(request)
     csrf.rotate_token(request)
     if request.META["HTTP_REFERER"].find("/panel/") > -1 or request.META["HTTP_REFERER"].find("/admin/") > -1 or \
             request.META["HTTP_REFERER"].find("/api/") > -1:
         return redirect("/")
     return redirect(request.META["HTTP_REFERER"])
Пример #5
0
def custom_login(request, user):
    session_auth_hash = ''
    if user is None:
        user = request.user
    if hasattr(user, 'get_session_auth_hash'):
        session_auth_hash = user.get_session_auth_hash()

    if SESSION_KEY in request.session:
        if _get_user_session_key(request) != user.pk or (
                session_auth_hash and
                request.session.get(HASH_SESSION_KEY) != session_auth_hash):
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
            request.session.flush()
    else:
        request.session.cycle_key()
    request.session[SESSION_KEY] = user._meta.pk.value_to_string(user)
    request.session[BACKEND_SESSION_KEY] = user.backend
    request.session[HASH_SESSION_KEY] = session_auth_hash
    if hasattr(request, 'user'):
        request.user = user

    try:
        from django.middleware.csrf import rotate_token
        rotate_token(request)
    except ImportError:
        pass
Пример #6
0
def user_remove(request):
    is_confirmation = 'remove_confirm' in request.session
    if is_confirmation:
        if request.method == 'POST':
            remove_user(request.user, request)
            rotate_token(request)
            logout(request)
            messages.success(
                request,
                _('Your account has been removed.')
            )
            return redirect('home')
        confirm_form = EmptyConfirmForm(request)

    elif request.method == 'POST':
        confirm_form = PasswordConfirmForm(request, request.POST)
        if confirm_form.is_valid():
            store_userid(request, remove=True)
            request.GET = {'email': request.user.email}
            return social_complete(request, 'email')
    else:
        confirm_form = PasswordConfirmForm(request)

    return render(
        request,
        'accounts/removal.html',
        {
            'confirm_form': confirm_form,
            'is_confirmation': is_confirmation,
        }
    )
Пример #7
0
	def client_login(self,request,backend=None):
		SESSION_KEY = 'client_id'
		BACKEND_SESSION_KEY = 'client_backend'
		HASH_SESSION_KEY = 'client_hash'
		REDIRECT_FIELD_NAME = 'next'
		session_auth_hash = ''
		if self is None:
			self = request.user
		if hasattr(self, 'get_session_auth_hash'):
			session_auth_hash = self.get_session_auth_hash()
		if SESSION_KEY in request.session:
			if self._meta.pk.to_python(request.session[SESSION_KEY]) != self.pk or (session_auth_hash and request.session.get(HASH_SESSION_KEY) != session_auth_hash):
				request.session.flush()
				# To avoid reusing another user's session, create a new, empty
				# session if the existing session corresponds to a different
				# authenticated user.
		else:
			request.session.cycle_key()

		request.session[SESSION_KEY] = self._meta.pk.value_to_string(self)
		request.session[BACKEND_SESSION_KEY] = backend
		request.session[HASH_SESSION_KEY] = session_auth_hash
		if hasattr(request, 'user'):
			# request.session['user']=self.
			request.user = self
		rotate_token(request)
		user_logged_in.send(sender=self.__class__, request=request, user=self)
Пример #8
0
	def doToken(self, request): # If CSRF token is lost
		from django.middleware.csrf import rotate_token
		rotate_token(request)
		o = request.GET["rel"]
		if not o:
			o = Main().url
		return self.resp("<script>location.href='%s';</script>" % (o))
Пример #9
0
    def test_django_csrf(self):
        request = self.factory.get('/browserid/csrf/')
        rotate_token(request)
        token = get_token(request)

        response = self.view.get(request)
        self.assertEqual(response.status_code, 200)
        self.assertEqual(response.content, six.b(token))
Пример #10
0
    def create(self, request):
        """
        Prove the user has a CSRF token (by just guaranteeing it).
        """

        if 'django.middleware.csrf.CsrfViewMiddleware' in settings.MIDDLEWARE_CLASSES:
            rotate_token(request)
        return response.Response()
Пример #11
0
def login(request, user,schema = None):
    """
    Persist a user id and a backend in the request. This way a user doesn't
    have to reauthenticate on every request. Note that data set during
    the anonymous session is retained when the user logs in.
    """

    if schema == None or not type(schema) in [str, unicode]:  # add schema
        import inspect
        fx = inspect.stack()
        error_detail = ""
        for x in fx:
            error_detail += "\n\t {0}, line {1}".format(fx[1], fx[2])
        raise (
            Exception(
                "can not call ''{1}'' without schema in '{0}'.\nDetail:\n{2}".format(
                    __file__, "login",
                    error_detail
                )))
    import threading
    ct = threading.currentThread()
    setattr(ct,"__current_schema__",schema)
    current_schema_in_request=schema
    if hasattr(request,"__current_schema__"):
        current_schema_in_request=request.__current_schema__

    if user is None:
        user = request.user
    # TODO: It would be nice to support different login methods, like signed cookies.
    if SESSION_KEY in request.session:
        if request.session[SESSION_KEY] != user.pk:
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
            request.session.flush(schema = request.user.schema)
    else:
        if request.user.is_anonymous() and not hasattr(request.user,"schema"):
            import threading
            request.session.cycle_key(schema=threading.current_thread().tenancy_code)
        else:
            request.session.cycle_key(schema=request.user.schema)
    request.session[SESSION_KEY] = user.pk
    request.session[BACKEND_SESSION_KEY] = user.backend
    if hasattr(request, 'user'):
        request.user = user
    rotate_token(request)
    user_logged_in.send(
        sender=user.__class__,
        request=request,
        user=user,
        schema=schema
    )
    setattr(user,"schema",schema)

    setattr(request,"__current_schema__",schema)
    delattr(ct, "__current_schema__")
    request._cached_user = user
Пример #12
0
def csrf_exempt_dummy(request, template_name=None):
    global money
    money = request.POST.get('money', money)
    message = 'your money is {money}'.format(money=money)
    rotate_token(request)
    if request.method == "POST":
        form = forms.UserForm(request.POST)
        if not form.is_valid():
            message = "your data get problem"
    return render(request, template_name, {'message': message})
Пример #13
0
    def dispatch(self, request, *args, **kwargs):
        if not self.user_pass_test(request):
            raise PermissionDenied
#         if not request.is_ajax():
#             raise PermissionDenied
        rotate_token(request)
        if request.method.lower() in self.http_method_names:
            handler = getattr(self, request.method.lower(), self.http_method_not_allowed)
        else:
            handler = self.http_method_not_allowed
        return handler(request, *args, **kwargs)
Пример #14
0
 def clean_password(self):
     cur_password = self.cleaned_data['password']
     if self.request.user.has_usable_password():
         valid = self.request.user.check_password(cur_password)
     else:
         valid = (cur_password == '')
     if not valid:
         rotate_token(self.request)
         raise forms.ValidationError(
             _('You have entered an invalid password.')
         )
Пример #15
0
def login(request, user):
    try:
        user_id = request.session[SESSION_KEY]
        if user.pk != user_id:
            #We're logging in as a different user, start a clean session
            request.session.flush()
    except KeyError:
        #Logging in a formerly-anonymous session, change the key but keep session data
        request.session.cycle_key()

    request.session[SESSION_KEY] = user.pk
    request.user = user
    rotate_token(request)
Пример #16
0
def login(request, user, expiration=True):
    """
    Persist token into database. Token is stored inside cookie therefore is not necessary 
    reauthenticate user for every request.
    """
    if user is None:
        user = request.user
    token = Token.objects.create(user=user, user_agent=request.META.get('HTTP_USER_AGENT'), expiration=expiration)
    if hasattr(request, 'user'):
        request.user = user
    request.token = token
    rotate_token(request)
    user_logged_in.send(sender=user.__class__, request=request, user=user)
Пример #17
0
 def rate_wrap(request, *args, **kwargs):
     attempts = request.session.get('auth_attempts', 0)
     if request.method == 'POST':
         if attempts >= settings.AUTH_MAX_ATTEMPTS:
             rotate_token(request)
             if request.user.is_authenticated:
                 logout(request)
             messages.error(
                 request,
                 _('Too many attempts, you have been logged out!')
             )
             return redirect('login')
         request.session['auth_attempts'] = attempts + 1
     return function(request, *args, **kwargs)
Пример #18
0
def login(request, user, backend=None):
    """
    Persist a user id and a backend in the request. This way a user doesn't
    have to reauthenticate on every request. Note that data set during
    the anonymous session is retained when the user logs in.
    """
    session_auth_hash = ''
    if user is None:
        user = request.user
    if hasattr(user, 'get_session_auth_hash'):
        session_auth_hash = user.get_session_auth_hash()

    # session已经保存了用户id,当然这里不能保证是当前用户的用户id,
    # 如果是当前用户id,密码也可能已经变了,这两种情况都彻底清空session
    # 这里的SESSION_KEY是session中user_id的键值
    if SESSION_KEY in request.session:
        if _get_user_session_key(request) != user.pk or (
                session_auth_hash and
                request.session.get(HASH_SESSION_KEY) != session_auth_hash):
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
            request.session.flush()
    else:
        #session没有保存用户id,也就是如果用户从匿名状态登录到非匿名,sessionid会刷新,但是session的其他数据不会丢失
        #cycle_key 维持session的数据不变,但是更改sessionid
        request.session.cycle_key()

    try:
        backend = backend or user.backend
    except AttributeError:
        backends = _get_backends(return_tuples=True)
        if len(backends) == 1:
            _, backend = backends[0]
        else:
            raise ValueError(
                'You have multiple authentication backends configured and '
                'therefore must provide the `backend` argument or set the '
                '`backend` attribute on the user.'
            )
    # 这里的SESSION_KEY和middleware的session_key不一样,这里是一个固定的键值,可以直接理解为'user_id',里面保存user_id
    # BACKEND_SESSION_KEY 保存session具体储存实现引擎如 'django.contrib.auth.backends.ModelBackend'
    # HASH_SESSION_KEY 保存加盐密码的hash,如果用户密码更换了,就是依靠这个字段判断
    request.session[SESSION_KEY] = user._meta.pk.value_to_string(user)
    request.session[BACKEND_SESSION_KEY] = backend
    request.session[HASH_SESSION_KEY] = session_auth_hash
    if hasattr(request, 'user'):
        request.user = user
    rotate_token(request)
    user_logged_in.send(sender=user.__class__, request=request, user=user)
Пример #19
0
    def get(self, request, *args, **kwargs):

        try:
            #rotate csrf token on login page
            rotate_token(request)
            if request.session['access_token']:
                if request.session['path_previous']:
                    return self.redirect(request.session['path_previous'])
                else:
                    return self.redirect('/dashboard/')
        except:
            # This localization feature has been done . The implementation of the same will be provided by Adaptive Team.
            # Currently we are hardcoding the session language to english
            request.session['django_language'] = 'en'
            return self.render_template(self.template_name)
Пример #20
0
def logout(request):
    """
    Removes the authenticated user's ID from the request, flushes their
    session data, and rotates the CSRF token.
    """
    # This function was lifted almost verbatim from Django's implementation of logout()
    user = getattr(request, 'user', None)
    if hasattr(user, 'is_authenticated') and not user.is_authenticated():
        user = None
    # Dispatch the signal before the user is logged out so the receivers have a chance to find out *who* logged out.
    user_logged_out.send(sender=user.__class__, request=request, user=user)
    request.session.flush()
    if hasattr(request, 'user'):
        request.user = AnonymousUser()
    csrf.rotate_token(request)
Пример #21
0
 def clean_password(self):
     cur_password = self.cleaned_data['password']
     if self.request.user.has_usable_password():
         valid = self.request.user.check_password(cur_password)
     else:
         valid = (cur_password == '')
     if valid:
         self.request.session['auth_attempts'] = 0
     else:
         attempts = self.request.session.get('auth_attempts', 0)
         self.request.session['auth_attempts'] = attempts + 1
         rotate_token(self.request)
         raise forms.ValidationError(
             _('You have entered an invalid password.')
         )
Пример #22
0
def login(request, token, send_signal=True):
    if AUTH_SESSION_KEY in request.session:
        if request.session[AUTH_SESSION_KEY] != token:
            request.session.flush()
    else:
        request.session.cycle_key()

    request.session[AUTH_SESSION_KEY] = token
    user = get_user(request, token)

    if hasattr(request, 'user'):
        request.user = user
        request.account = get_account_from_request(request)
    rotate_token(request)
    if send_signal:
        user_logged_in.send(sender=user.__class__, request=request, user=user)
Пример #23
0
    def post(self, request):
        bt_data = solitude.api().braintree.token.generate.post({})

        # Generate a new token for added security.
        csrf.rotate_token(request)

        # This view returns a CSRF token to the client so that it can
        # initialize API usage for anonymous payments (e.g. donations).
        # For added security, we could restrict the scope of that CSRF
        # tokens only to views relating to products that support
        # anonymous payments.

        return Response({
            'token': bt_data['token'],
            'csrf_token': csrf.get_token(request),
        })
Пример #24
0
def user_register(request):
    if request.user.is_authenticated():
        auth.logout(request)
    if request.method == 'POST':
        # form = CustomUserCreationForm(request.POST, request.FILES)
        form = CustomUserCreationForm(request.POST)
        if form.is_valid():

            # check if the image for the user is here
            try:
                profile_picture_old_path = NewProfilePicture.objects.get(csrftoken=request.META["CSRF_COOKIE"])
                new_user = form.save(commit=False)
                new_user.save()

                # put the picture to the right place and save it for the user
                basic_path = settings.MEDIA_ROOT + '/profile_pictures/'
                profile_picture_new_path = basic_path + str(new_user.id) + '.jpg'
                if not os.path.exists(basic_path):
                    os.makedirs(basic_path)
                shutil.copy2(str(profile_picture_old_path), profile_picture_new_path)

                # delete the old folder containing the pictures of that user
                shutil.rmtree(settings.MEDIA_ROOT + '/new_pictures/' + request.META["CSRF_COOKIE"])

                new_user.profile_picture = profile_picture_new_path
                new_user.save()
                default_group = UserGroup.objects.get(id=1)
                new_user.user_group.add(default_group)
                form.save_m2m()

            except NewProfilePicture.DoesNotExist:
                print 'There is no profile picture for this user'
                return render(request, 'BlueHive/user/register.html',
                              {'form': form, 'picturemissing': 'Please upload a profile picture!'})

            return HttpResponseRedirect('/user/register_success')
        else:
            # render_to_response('BlueHive/user/register.html', {'form': form})
            print form.errors  # To see the form errors in the console.
            return render(request, 'BlueHive/user/register.html', {'form': form})
    rotate_token(request)
    args = {}
    args.update(csrf(request))

    args['form'] = CustomUserCreationForm()

    return render_to_response('BlueHive/user/register.html', args)
Пример #25
0
 def rate_wrap(request, *args, **kwargs):
     if (request.method == 'POST' and
             not check_rate_limit(scope, request)):
         # Rotate session token
         rotate_token(request)
         # Logout user
         do_logout = request.user.is_authenticated
         if do_logout:
             logout(request)
         messages.error(
             request,
             render_to_string(
                 'ratelimit.html', {'do_logout': do_logout}
             )
         )
         return redirect('login')
     return function(request, *args, **kwargs)
Пример #26
0
def login(request, user, backend=None):
    """
    Persist a user id and a backend in the request. This way a user doesn't
    have to reauthenticate on every request. Note that data set during
    the anonymous session is retained when the user logs in.
    """
    session_auth_hash = ''
    if user is None:
        user = request.user
    if hasattr(user, 'get_session_auth_hash'):
        session_auth_hash = user.get_session_auth_hash()

    if SESSION_KEY in request.session:
        if _get_user_session_key(request) != user.pk or (
                session_auth_hash and
                not constant_time_compare(request.session.get(HASH_SESSION_KEY, ''), session_auth_hash)):
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
            request.session.flush()
    else:
        request.session.cycle_key()

    try:
        backend = backend or user.backend
    except AttributeError:
        backends = _get_backends(return_tuples=True)
        if len(backends) == 1:
            _, backend = backends[0]
        else:
            raise ValueError(
                'You have multiple authentication backends configured and '
                'therefore must provide the `backend` argument or set the '
                '`backend` attribute on the user.'
            )
    else:
        if not isinstance(backend, str):
            raise TypeError('backend must be a dotted import path string (got %r).' % backend)

    request.session[SESSION_KEY] = user._meta.pk.value_to_string(user)
    request.session[BACKEND_SESSION_KEY] = backend
    request.session[HASH_SESSION_KEY] = session_auth_hash
    if hasattr(request, 'user'):
        request.user = user
    rotate_token(request)
    user_logged_in.send(sender=user.__class__, request=request, user=user)
Пример #27
0
    def clean(self):
        username = self.cleaned_data.get('username')
        password = self.cleaned_data.get('password')

        if username and password:
            if not check_rate_limit(self.request):
                raise forms.ValidationError(
                    _('Too many authentication attempts!')
                )
            self.user_cache = authenticate(
                username=username,
                password=password
            )
            if self.user_cache is None:
                try:
                    notify_account_activity(
                        try_get_user(username),
                        self.request,
                        'failed-auth',
                        method='Password',
                        name=username,
                    )
                except User.DoesNotExist:
                    pass
                rotate_token(self.request)
                raise forms.ValidationError(
                    self.error_messages['invalid_login'],
                    code='invalid_login',
                )
            elif not self.user_cache.is_active:
                raise forms.ValidationError(
                    self.error_messages['inactive'],
                    code='inactive',
                )
            else:
                notify_account_activity(
                    self.user_cache,
                    self.request,
                    'login',
                    method='Password',
                    name=username,
                )
            reset_rate_limit(self.request)
        return self.cleaned_data
Пример #28
0
    def clean(self):
        username = self.cleaned_data.get('username')
        password = self.cleaned_data.get('password')

        if username and password:
            if not check_rate_limit('login', self.request):
                raise forms.ValidationError(
                    _('Too many authentication attempts from this location!')
                )
            self.user_cache = authenticate(
                self.request,
                username=username,
                password=password
            )
            if self.user_cache is None:
                for user in try_get_user(username, True):
                    notify_account_activity(
                        user,
                        self.request,
                        'failed-auth',
                        method=ugettext('Password'),
                        name=username,
                    )
                rotate_token(self.request)
                raise forms.ValidationError(
                    self.error_messages['invalid_login'],
                    code='invalid_login',
                )
            elif not self.user_cache.is_active:
                raise forms.ValidationError(
                    self.error_messages['inactive'],
                    code='inactive',
                )
            else:
                notify_account_activity(
                    self.user_cache,
                    self.request,
                    'login',
                    method=ugettext('Password'),
                    name=username,
                )
            reset_rate_limit('login', self.request)
        return self.cleaned_data
Пример #29
0
def driver_new(request):
    from td.forms import DriverForm
    from django.middleware.csrf import rotate_token

    if request.method == 'GET':
        form = DriverForm(new=True)

        context = {'form': form}
        return render(request, 'td/driver/driver_new.html', context)
    elif request.method == 'POST':
        rotate_token(request)
        form = DriverForm(request.POST, request.FILES, new=True)

        if form.is_valid():
            driver = form.save()
            messages.success(request, 'Водитель добавлен')
            return redirect(to='td:driver_info', did=driver.id)
        else:
            context = {'form': form}
            return render(request, 'td/driver/driver_new.html', context)
Пример #30
0
def department_new(request):
    from main.forms import DepartmentForm
    from django.middleware.csrf import rotate_token

    if request.method == 'GET':
        form = DepartmentForm()

        context = {'form': form}
        return render(request, 'main/department/department_new.html', context)
    elif request.method == 'POST':
        rotate_token(request)
        form = DepartmentForm(request.POST)

        if form.is_valid():
            dep = form.save()
            messages.success(request, 'Подразделение добавлено')
            return redirect(to='main:department_info', did=dep.id)
        else:
            context = {'form': form}
            return render(request, 'main/department/department_new.html', context)
Пример #31
0
    def clean(self):
        username = self.cleaned_data.get('username')
        password = self.cleaned_data.get('password')

        if username and password:
            if not check_rate_limit(self.request):
                raise forms.ValidationError(
                    _('Too many authentication attempts!'))
            self.user_cache = authenticate(username=username,
                                           password=password)
            if self.user_cache is None:
                try:
                    notify_account_activity(
                        try_get_user(username),
                        self.request,
                        'failed-auth',
                        method='Password',
                        name=username,
                    )
                except User.DoesNotExist:
                    pass
                rotate_token(self.request)
                raise forms.ValidationError(
                    self.error_messages['invalid_login'],
                    code='invalid_login',
                )
            elif not self.user_cache.is_active:
                raise forms.ValidationError(
                    self.error_messages['inactive'],
                    code='inactive',
                )
            else:
                notify_account_activity(
                    self.user_cache,
                    self.request,
                    'login',
                    method='Password',
                    name=username,
                )
            reset_rate_limit(self.request)
        return self.cleaned_data
Пример #32
0
    def clean(self):
        username = self.cleaned_data.get('username')
        password = self.cleaned_data.get('password')

        if username and password:
            if not check_rate_limit('login', self.request):
                raise forms.ValidationError(
                    _('Too many authentication attempts from this location!'))
            self.user_cache = authenticate(self.request,
                                           username=username,
                                           password=password)
            if self.user_cache is None:
                for user in try_get_user(username, True):
                    audit = AuditLog.objects.create(
                        user,
                        self.request,
                        'failed-auth',
                        method='Password',
                        name=username,
                    )
                    audit.check_rate_limit(self.request)
                rotate_token(self.request)
                raise forms.ValidationError(
                    self.error_messages['invalid_login'],
                    code='invalid_login',
                )
            elif not self.user_cache.is_active:
                raise forms.ValidationError(
                    self.error_messages['inactive'],
                    code='inactive',
                )
            else:
                AuditLog.objects.create(
                    self.user_cache,
                    self.request,
                    'login',
                    method='Password',
                    name=username,
                )
            reset_rate_limit('login', self.request)
        return self.cleaned_data
Пример #33
0
    def clean_captcha(self):
        """Validation for CAPTCHA."""
        if self.fresh or not self.captcha.validate(self.cleaned_data['captcha']):
            self.generate_captcha()
            rotate_token(self.request)
            raise forms.ValidationError(
                # Translators: Shown on wrong answer to the mathematics-based CAPTCHA
                _('That was not correct, please try again.')
            )

        if self.form.is_valid():
            mail = self.form.cleaned_data['email']
        else:
            mail = 'NONE'

        LOGGER.info(
            'Passed captcha for %s (%s = %s)',
            mail,
            self.captcha.question,
            self.cleaned_data['captcha']
        )
Пример #34
0
    def clean_captcha(self):
        """Validation for CAPTCHA."""
        if (self.fresh or
                not self.captcha.validate(self.cleaned_data['captcha'])):
            self.generate_captcha()
            rotate_token(self.request)
            raise forms.ValidationError(
                _('Please check your math and try again with new expression.')
            )

        if self.form.is_valid():
            mail = self.form.cleaned_data['email']
        else:
            mail = 'NONE'

        LOGGER.info(
            'Passed captcha for %s (%s = %s)',
            mail,
            self.captcha.question,
            self.cleaned_data['captcha']
        )
Пример #35
0
def login(request, user):
    """
    Persist a user id in the request. This way a user doesn't
    have to reauthenticate on every request. Note that data set during
    the anonymous session is retained when the user logs in.
    """
    if user is None:
        user = request.app_user
    if SESSION_KEY in request.session:
        if request.session[SESSION_KEY] != user.pk:
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
            request.session.flush()
    else:
        request.session.cycle_key()
    request.session[SESSION_KEY] = user.pk
    if hasattr(request, 'app_user'):
        request.app_user = user
    rotate_token(request)
    app_user_logged_in.send(sender=user.__class__, request=request, user=user)
Пример #36
0
def customer_logout(request):
    session_key = f'customer_auth_id:{request.organizer.pk}'
    hash_session_key = f'customer_auth_hash:{request.organizer.pk}'

    # Remove user session
    customer_id = request.session.pop(session_key, None)
    request.session.pop(hash_session_key, None)

    # Remove carts tied to this user
    carts = request.session.get('carts', {})
    for k, v in list(carts.items()):
        if v.get('customer') == customer_id:
            carts.pop(k)
    request.session['carts'] = carts

    # Cycle session key and CSRF token
    request.session.cycle_key()
    rotate_token(request)

    request.customer = None
    request._cached_customer = None
Пример #37
0
Файл: car.py Проект: Jokey90/aho
def car_new(request):
    from td.forms import CarNewForm
    from django.middleware.csrf import rotate_token

    if request.method == 'GET':
        form = CarNewForm()

        context = {'form': form}
        return render(request, 'td/car/car_new.html', context)
    elif request.method == 'POST':
        rotate_token(request)
        form = CarNewForm(request.POST)

        if form.is_valid():
            car = form.save()
            messages.success(request, 'Автомобиль добавлен')
            return redirect(to='td:car_list')
            #return redirect(to='td:car_info', cid=car.id)
        else:
            context = {'form': form}
            return render(request, 'td/car/car_new.html', context)
Пример #38
0
    def clean_captcha(self):
        """Validation for captcha."""
        if (self.fresh or
                not self.captcha.validate(self.cleaned_data['captcha'])):
            self.generate_captcha()
            rotate_token(self.request)
            raise forms.ValidationError(
                _('Please check your math and try again with new expression.')
            )

        if self.form.is_valid():
            mail = self.form.cleaned_data['email']
        else:
            mail = 'NONE'

        LOGGER.info(
            'Passed captcha for %s (%s = %s)',
            mail,
            self.captcha.question,
            self.cleaned_data['captcha']
        )
Пример #39
0
    def clean_captcha(self):
        """Validation for CAPTCHA."""
        if self.fresh or not self.captcha.validate(
                self.cleaned_data["captcha"]):
            self.generate_captcha()
            rotate_token(self.request)
            raise forms.ValidationError(
                # Translators: Shown on wrong answer to the mathematics-based CAPTCHA
                _("That was not correct, please try again."))

        if self.form.is_valid():
            mail = self.form.cleaned_data["email"]
        else:
            mail = "NONE"

        LOGGER.info(
            "Correct CAPTCHA for %s (%s = %s)",
            mail,
            self.captcha.question,
            self.cleaned_data["captcha"],
        )
Пример #40
0
Файл: sim.py Проект: Jokey90/aho
def sim_new(request):
    from django.middleware.csrf import rotate_token
    from mobile.forms import SimForm

    return_path = request.GET.get('return', None)
    sim_number = request.GET.get('num', None)
    if request.method == 'GET':
        form = SimForm(initial={'number': sim_number})
        context = {'form': form}
        return render(request, 'mobile/sim/new.html', context)
    elif request.method == 'POST':
        rotate_token(request)
        form = SimForm(request.POST)

        if form.is_valid():
            sim = form.save()
            messages.success(request, 'SIM-карта добавлена')
            return redirect(to='mobile:sim_list')
        else:
            context = {'form': form}
            return render(request, 'mobile/sim/new.html', context)
Пример #41
0
def xlogin(request, user, backend=None):
    """
    Persist a user id and a backend in the request. This way a user doesn't
    have to reauthenticate on every request. Note that data set during
    the anonymous session is retained when the user logs in.
    """
    session_auth_hash = ''
    if user is None:
        user = request.user
    if hasattr(user, 'get_session_auth_hash'):
        session_auth_hash = user.get_session_auth_hash()

    # Hack to init the session
    request.session._get_session()

    request.session.cycle_key()
    try:
        backend = backend or user.backend
    except AttributeError:
        backends = _get_backends(return_tuples=True)
        if len(backends) == 1:
            _, backend = backends[0]
        else:
            raise ValueError(
                'You have multiple authentication backends configured and '
                'therefore must provide the `backend` argument or set the '
                '`backend` attribute on the user.')

    logged_in_user = {
        SESSION_KEY: user._meta.pk.value_to_string(user),
        BACKEND_SESSION_KEY: backend,
        HASH_SESSION_KEY: session_auth_hash
    }

    request.session.setdefault(LOGGED_USERS_KEY, []).append(logged_in_user)
    request.session.update(logged_in_user)
    if hasattr(request, 'user'):
        request.user = user
    rotate_token(request)
    user_logged_in.send(sender=user.__class__, request=request, user=user)
Пример #42
0
def visitor_edit(request, vid):
    from td.forms import VisitorsParkingForm
    from td.models import VisitorsParking
    from django.middleware.csrf import rotate_token

    if request.method == 'GET':
        visitor = get_object_or_404(VisitorsParking, id=vid)
        form = VisitorsParkingForm(instance=visitor)
        context = {'form': form}
        return render(request, 'td/visitor/visitor_edit.html', context)
    elif request.method == 'POST':
        rotate_token(request)
        visitor = get_object_or_404(VisitorsParking, id=vid)
        form = VisitorsParkingForm(request.POST, instance=visitor)

        if form.is_valid():
            form.save()
            messages.success(request, 'Запись изменена')
            return redirect(to='td:visitor_info', vid=vid)
        else:
            context = {'form': form}
            return render(request, 'td/visitor/visitor_edit.html', context)
Пример #43
0
def accident_doc_new(request):
    from django.middleware.csrf import rotate_token
    from td.forms import AccidentDocForm
    from td.models import AccidentDoc

    return_path = request.GET.get('return', None)
    if request.method == 'GET':
        accident = request.GET.get('accident', None)
        form = AccidentDocForm(initial={'accident': accident})
        context = {'form': form}
        return render(request, 'td/accident_doc/accident_doc_new.html', context)
    elif request.method == 'POST':
        rotate_token(request)
        form = AccidentDocForm(request.POST, request.FILES)

        if form.is_valid():
            accident_doc = form.save()
            messages.success(request, 'Объект добавлен')
            return redirect(to='td:accident_info', aid=accident_doc.accident.id)
        else:
            context = {'form': form}
            return render(request, 'td/accident_doc/accident_doc_new.html', context)
Пример #44
0
def department_edit(request, did):
    from main.forms import DepartmentForm
    from main.models import Department
    from django.middleware.csrf import rotate_token

    if request.method == 'GET':
        dep = get_object_or_404(Department, id=did)
        form = DepartmentForm(instance=dep)
        context = {'form': form}
        return render(request, 'main/department/department_edit.html', context)
    elif request.method == 'POST':
        rotate_token(request)
        dep = get_object_or_404(Department, id=did)
        form = DepartmentForm(request.POST, instance=dep)

        if form.is_valid():
            form.save()
            messages.success(request, 'Подразделение изменено')
            return redirect(to='main:department_info', did=did)
        else:
            context = {'form': form}
            return render(request, 'main/department/department_edit.html', context)
Пример #45
0
def transition_edit(request, uid):
    from mobile.models import Transition
    from mobile.forms import TransitionForm

    transition = get_object_or_404(Transition, id=uid)
    if request.method == 'GET':
        form = TransitionForm(instance=transition,
                              initial={'date_field': transition.date})
        context = {'form': form}
        return render(request, 'mobile/transition/edit.html', context)
    elif request.method == 'POST':
        rotate_token(request)
        form = TransitionForm(request.POST, instance=transition)
        if form.is_valid():
            transition = form.save(commit=False)
            transition.date = form.cleaned_data['date_field']
            transition.save()
            messages.success(request, 'Изменения применены')
            return redirect(to='mobile:sim_transitions', uid=transition.sim.id)
        else:
            context = {'form': form}
            return render(request, 'mobile/transition/edit.html', context)
Пример #46
0
def expense_edit(request, eid):
    from td.forms import ExpenseForm
    from td.models import Expense
    from django.middleware.csrf import rotate_token

    if request.method == 'GET':
        expense = get_object_or_404(Expense, id=eid)
        form = ExpenseForm(instance=expense)
        context = {'form': form}
        return render(request, 'td/expense/expense_edit.html', context)
    elif request.method == 'POST':
        rotate_token(request)
        expense = get_object_or_404(Expense, id=eid)
        form = ExpenseForm(request.POST, instance=expense)

        if form.is_valid():
            form.save()
            messages.success(request, 'Запись изменена')
            return redirect(to='td:expense_info', eid=eid)
        else:
            context = {'form': form}
            return render(request, 'td/expense/expense_edit.html', context)
Пример #47
0
def parking_edit(request, pid):
    from td.forms import ParkingForm
    from td.models import Parking
    from django.middleware.csrf import rotate_token

    if request.method == 'GET':
        parking = get_object_or_404(Parking, id=pid)
        form = ParkingForm(instance=parking)
        context = {'form': form}
        return render(request, 'td/parking/parking_edit.html', context)
    elif request.method == 'POST':
        rotate_token(request)
        parking = get_object_or_404(Parking, id=pid)
        form = ParkingForm(request.POST, instance=parking)

        if form.is_valid():
            form.save()
            messages.success(request, 'Запись изменена')
            return redirect(to='td:parking_info', pid=pid)
        else:
            context = {'form': form}
            return render(request, 'td/parking/parking_edit.html', context)
Пример #48
0
def login(request, user):
    """
    Persist a user id and a backend in the request. This way a user doesn't
    have to reauthenticate on every request. Note that data set during
    the anonymous session is retained when the user logs in.
    """
    if user is None:
        user = request.user
    # TODO: It would be nice to support different login methods, like signed cookies.
    if SESSION_KEY in request.session:
        if request.session[SESSION_KEY] != user.pk:
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
            request.session.flush()
    else:
        request.session.cycle_key()
    request.session[SESSION_KEY] = user.pk
    request.session[BACKEND_SESSION_KEY] = user.backend
    if hasattr(request, 'user'):
        request.user = user
    rotate_token(request)
    user_logged_in.send(sender=user.__class__, request=request, user=user)
Пример #49
0
def test_handle_backend_exception():
    rf = APIRequestFactory(enforce_csrf_checks=True)
    params = {
        'postcode': '3531 WR',
        'number': '1',
    }
    request = rf.post('/', data=params, format='json')
    csrf.rotate_token(request)
    request.COOKIES['csrftoken'] = request.META['CSRF_COOKIE']
    request.META['HTTP_X_CSRFTOKEN'] = request.META['CSRF_COOKIE']

    def throw_error(postcode, number):
        raise PostcodeLookupException()

    views.PostcodeLookupView.backend = stub(lookup=throw_error)

    view = views.PostcodeLookupView.as_view()

    response = view(request)
    assert response.status_code == 400, response.rendered_content
    assert response.data == {
        'error': 'No valid response received from backend'
    }
Пример #50
0
def login(request, user):
    """
    Persist a user id and a backend in the request. This way a user doesn't
    have to reauthenticate on every request. Note that data set during
    the anonymous session is retained when the user logs in.

    将一个用户的ID和认证后端持久化.之前的session会保持.

    """
    session_auth_hash = ''
    if user is None:
        user = request.user
    if hasattr(user, 'get_session_auth_hash'):
        session_auth_hash = user.get_session_auth_hash()

    if SESSION_KEY in request.session:
        # 必须session的主键和user的pk一致,并且保存的hash和计算出来的hash一致,否则清空session
        if _get_user_session_key(request) != user.pk or (
                session_auth_hash and
                request.session.get(HASH_SESSION_KEY) != session_auth_hash):
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
            request.session.flush()
    # 创建session.使用之前的key
    else:
        request.session.cycle_key()

    # 保存了ID,后端,HASH,以便下次使用ID后端计算判断HASH是否有效
    request.session[SESSION_KEY] = user._meta.pk.value_to_string(user)
    request.session[BACKEND_SESSION_KEY] = user.backend
    request.session[HASH_SESSION_KEY] = session_auth_hash
    if hasattr(request, 'user'):
        request.user = user
    # 调用的CSRF的rotate_token,在登录之后使用新的csrf_cookie.TODO:如果使用旧的会怎样
    rotate_token(request)
    user_logged_in.send(sender=user.__class__, request=request, user=user)
Пример #51
0
def jwtlogin(request, user):
    """
    Persist a user id and a backend in the request. This way a user doesn't
    have to reauthenticate on every request. Note that data set during
    the anonymous session is retained when the user logs in.
    """
    session_auth_hash = ''
    if user is None:
        user = request.user
    if hasattr(user, 'get_session_auth_hash'):
        session_auth_hash = user.get_session_auth_hash()

    if SESSION_KEY in request.session:
        if request.session[SESSION_KEY] != user.pk or (
                session_auth_hash and
                request.session.get(HASH_SESSION_KEY) != session_auth_hash):
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
            request.session.flush()
    else:
        request.session.cycle_key()
    request.session[SESSION_KEY] = user.pk
    request.session[BACKEND_SESSION_KEY] = user.backend
    request.session[HASH_SESSION_KEY] = session_auth_hash
    if hasattr(request, 'user'):
        request.user = user
    monitorHook.loginMonitor(user)
    rotate_token(request)
    response_data = jwt_response_payload_handler(rotate_token, user, request)
    if api_settings.JWT_AUTH_COOKIE:
        expiration = (datetime.utcnow() +
                      api_settings.JWT_EXPIRATION_DELTA)
        response_data.set_cookie(api_settings.JWT_AUTH_COOKIE,
                                 rotate_token,
                                 expires=expiration,
                                 httponly=True)
Пример #52
0
def profile(request):
    user = request.user
    data = {
        'id': user.id,
        'user': user.username,
        'authenticated': user.is_authenticated(),
        'admin': user.is_staff,
    }



    if data['authenticated']:
        rotate_token(request)
        data['csrf_token'] = get_token(request)

    try:
        data['first_name'] = user.first_name
        data['last_name'] = user.last_name
        data['extra'] = user.socialaccount_set.extra_data
    except:
        pass

    response = HttpResponse(json.dumps(data), content_type="application/json")
    return response
Пример #53
0
def json_login(request, redirect_field_name=REDIRECT_FIELD_NAME):
    redirect_to = request.POST.get(redirect_field_name,
                                   request.GET.get(redirect_field_name, '/'))
    form = TicketAuthenticationForm(request, data=request.POST)
    if form.is_valid():
        #if not is_safe_url(url=redirect_to, host=request.get_host()):
        #redirect_to = resolve_url(settings.LOGIN_REDIRECT_URL)
        rotate_token(request)
        data = {
            'code': 0,
            'msg': u'成功',
            'ticket': form.cleaned_data['ticket'],
            'redirect_to': redirect_to,
        }
        return json_response(data)
        # response.set_cookie('ticket', form.cleaned_data['ticket'])
        # response = HttpResponseRedirect(redirect_to)
        # return response
    else:
        data = {
            'code': 1,
            'msg': ErrorDic2str(form.errors),
        }
        return json_response(data)
Пример #54
0
def accident_doc_edit(request, did):
    from td.models import AccidentDoc
    from td.forms import AccidentDocForm
    from django.middleware.csrf import rotate_token

    return_path = request.GET.get('return', None)
    doc = get_object_or_404(AccidentDoc, id=did)

    if request.method == 'GET':
        form = AccidentDocForm(instance=doc)
        context = {'form': form}
        return render(request, 'td/accident_doc/accident_doc_edit.html', context)

    elif request.method == 'POST':
        rotate_token(request)
        form = AccidentDocForm(request.POST, request.FILES, instance=doc)

        if form.is_valid():
            form.save()
            messages.success(request, 'Объект изменен')
            return redirect(to='td:accident_info', aid=doc.accident.id)
        else:
            context = {'form': form}
            return render(request, 'td/accident_doc/accident_doc_edit.html', context)
Пример #55
0
def mileage_edit(request, mid):
    from td.models import Mileage
    from td.forms import MileageForm
    from django.middleware.csrf import rotate_token

    return_path = request.GET.get('return', None)
    if request.method == 'GET':
        mileage = get_object_or_404(Mileage, id=mid)
        form = MileageForm(instance=mileage)
        context = {'form': form}
        return render(request, 'td/mileage/mileage_edit.html', context)
    elif request.method == 'POST':
        rotate_token(request)
        mileage = get_object_or_404(Mileage, id=mid)
        form = MileageForm(request.POST, instance=mileage)

        if form.is_valid():
            if Mileage.objects.filter(
                    year=form.cleaned_data['year'],
                    month=form.cleaned_data['month'],
                    car=form.cleaned_data['car']).exclude(id=mid).count() > 0:
                messages.warning(
                    request,
                    'Невозмоно добавить два значения пробега за один период')
                context = {'form': form}
                return render(request, 'td/mileage/mileage_edit.html', context)
            else:
                form.save()
                messages.success(request, 'Пробег изменен')
                if return_path == 'car_mileage':
                    return redirect(to='td:car_mileage', cid=mileage.car.id)
                else:
                    return redirect(to='td:mileage_info', mid=mid)
        else:
            context = {'form': form}
            return render(request, 'td/mileage/mileage_edit.html', context)
Пример #56
0
def login(request, user, expiration=True, auth_slug=None, related_objs=None, backend=None, allowed_cookie=True,
          allowed_header=True):
    """
    Persist token into database. Token is stored inside cookie therefore is not necessary
    reauthenticate user for every request.
    """
    from auth_token.models import Token
    related_objs = related_objs if related_objs is not None else ()

    if user is None:
        user = request.user

    try:
        backend = backend or user.backend
    except AttributeError:
        backends = _get_backends(return_tuples=True)
        if len(backends) == 1:
            _, backend = backends[0]
        else:
            raise ValueError(
                'You have multiple authentication backends configured and '
                'therefore must provide the `backend` argument or set the '
                '`backend` attribute on the user.'
            )

    token = Token.objects.create(user=user, user_agent=request.META.get('HTTP_USER_AGENT', '')[:256],
                                 expiration=expiration, auth_slug=auth_slug, ip=get_ip(request),
                                 backend=backend, allowed_cookie=allowed_cookie, allowed_header=allowed_header)

    for related_obj in related_objs:
        token.related_objects.create(content_object=related_obj)
    if hasattr(request, 'user'):
        request.user = user
    request.token = token
    rotate_token(request)
    user_logged_in.send(sender=user.__class__, request=request, user=user)
Пример #57
0
    def clean(self):
        username = self.cleaned_data.get("username")
        password = self.cleaned_data.get("password")

        if username and password:
            if not check_rate_limit("login", self.request):
                raise forms.ValidationError(
                    _("Too many authentication attempts from this location.")
                )
            self.user_cache = authenticate(
                self.request, username=username, password=password
            )
            if self.user_cache is None:
                for user in try_get_user(username, True):
                    audit = AuditLog.objects.create(
                        user,
                        self.request,
                        "failed-auth",
                        method="password",
                        name=username,
                    )
                    audit.check_rate_limit(self.request)
                rotate_token(self.request)
                raise forms.ValidationError(
                    self.error_messages["invalid_login"], code="invalid_login"
                )
            if not self.user_cache.is_active:
                raise forms.ValidationError(
                    self.error_messages["inactive"], code="inactive"
                )
            AuditLog.objects.create(
                self.user_cache, self.request, "login", method="password", name=username
            )
            adjust_session_expiry(self.request)
            reset_rate_limit("login", self.request)
        return self.cleaned_data
Пример #58
0
def user_remove(request):
    is_confirmation = 'remove_confirm' in request.session
    if is_confirmation:
        if request.method == 'POST':
            remove_user(request.user, request)
            rotate_token(request)
            logout(request)
            messages.success(request, _('Your account has been removed.'))
            return redirect('home')
        confirm_form = EmptyConfirmForm(request)

    elif request.method == 'POST':
        confirm_form = PasswordConfirmForm(request, request.POST)
        if confirm_form.is_valid():
            store_userid(request, remove=True)
            request.GET = {'email': request.user.email}
            return social_complete(request, 'email')
    else:
        confirm_form = PasswordConfirmForm(request)

    return render(request, 'accounts/removal.html', {
        'confirm_form': confirm_form,
        'is_confirmation': is_confirmation,
    })
Пример #59
0
def login_view(request: HttpRequest) -> HttpResponse:
    """Login user from username/password and get information about
    the authorized orgs for this user. If the user is already logged
    in return this information. If the user has only a session cookie
    and no csrf cookie set a csrf cookie

    :param request: the post request
    :type request: HttpRequest
    :return: the json response
    :rtype: HttpResponse
    """
    print("Login view", request.method)
    if request.method == "POST":
        if request.user.is_authenticated:  # type: ignore
            csrf: Union[str,
                        None] = request.COOKIES.get(settings.CSRF_COOKIE_NAME,
                                                    None)
            # print("Csrf:", csrf)
            # reset the csrf token cookie if needed
            if csrf is None:
                print(
                    "Renewing csrf token because user does not have any csrf cookie"
                )
                rotate_token(request)
            return JsonResponse({"ok": True})
        # print("POST", request.body)
        json_data = json.loads(request.body)
        print("LOGIN", json_data)
        username = json_data["username"]
        password = json_data["password"]
        print("Authenticate", username, password)
        user = authenticate(username=username, password=password)
        if user is not None:
            login(request, user)
            return JsonResponse({"ok": True})
    return HttpResponseForbidden()
Пример #60
0
def bill_file_edit(request, uid):
    from mobile.models import BillFile, Bill
    from mobile.forms import BillFileEditForm
    from datetime import date

    bill_file = get_object_or_404(BillFile, id=uid)
    if request.method == 'GET':
        form = BillFileEditForm(instance=bill_file)
        context = {'form': form}
        return render(request, 'mobile/bill/file_edit.html', context)
    elif request.method == 'POST':
        rotate_token(request)
        form = BillFileEditForm(request.POST, instance=bill_file)
        if form.is_valid():
            bill_file = form.save()
            for bill in bill_file.bill_set.all():
                if bill.contract.mts:
                    bill.period = date(bill_file.year, bill_file.month, 1)
                    bill.save()
            messages.success(request, 'Изменения применены')
            return redirect(to='mobile:bill_file_info', uid=bill_file.id)
        else:
            context = {'form': form}
            return render(request, 'mobile/bill/file_edit.html', context)