def reset_password():
token = request.form.get('token')
password = request.form.get('password')
if not password:
flash(_('Please enter a new password'))
return render_template('reset_password.html', token=token)
try:
email = signer.unsign(base64_decode(token),
max_age=RESET_PASSWORD_TIMEOUT)
except SignatureExpired as e:
return render_template('error.html', error=e)
hash = pwd_context.encrypt(password)
db['users'].update(dict(email=email, hash=hash), ['email'])
return render_template('reset_password_success.html')
def signup():
nonce = request.form.get('nonce')
name = request.form.get('name')
password = request.form.get('password')
if not name or not password or not nonce:
flash(_('Please enter all fields'))
return redirect_back()
email = request.form.get('email')
coppa_email = False
if not email:
# Underage users
email = 'coppa-user+{}@socialhelp.sugarlabs.org'.format(uuid4())
coppa_email = True
if db['users'].find_one(name=name) or db['users'].find_one(email=email):
flash(_('Username or email already in use'))
return redirect_back()
hash = pwd_context.encrypt(password)
info = dict(name=name, email=email, hash=hash, coppa_email=coppa_email)
info['id'] = db['users'].insert(info)
return user_ok(info)
def create(email, password):
""" This function creates a new user if possible.
First, we check if there is a user that exists with the provided email.
Otherwise, we encrypt the password with passlib and
store the result as the 'hash' property in the new user profile. Most of
the properties of the User object are random junk left over from old
TweetTracker.
:param email: The email of the new user
:param password: The password to use for the new user
:return: The new user's Object_Id or None if failure
"""
# We REALLY shouldn't be using MD5.
md5_hash = hashlib.md5(password).hexdigest()
hashed_password = pwd_context.encrypt(password)
old_user = users.find_one({'roleID': {'$exists': True}, 'username': email})
if old_user is not None:
# Worst security flaw ever
# users.update({'email': email}, {
# '$unset': {
# 'roleID': ''
# },
# 'password': md5_hash,
# 'hash': hashed_password
# })
# instead of allowing people to hijack accounts, return an error if the usor already exists
return None
else:
# choose the next available user ID
from pymongo import DESCENDING
next_id = -99
maxuser = list(
users.find({}, {
"id": 1
}).sort("id", DESCENDING).limit(1))
if len(maxuser) > 0:
next_id = maxuser[0]['id'] + 1
else:
next_id = 1
try:
user_obj = {
"creationtime": int(time.time()) * 1000,
"last_login": int(time.time()) * 1000,
"username": email,
"password": md5_hash,
"id": next_id,
"logins": 0,
"roleID": 1,
"exportrights": 1,
"description": "auto generated user",
"realname": "",
"phone": "",
"email": "",
"location": "",
"numoftweets": 50000
}
except Exception as e:
print e
return users.insert(user_obj)
