def _get_user(self, uidb36): User = get_user_model() try: pk = url_str_to_user_pk(uidb36) return User.objects.get(pk=pk) except (ValueError, User.DoesNotExist): return None
def _get_user(self, uidb36): try: pk = url_str_to_user_pk(uidb36) return User.objects.get(pk=pk) except (ValueError, User.DoesNotExist): return None
def validate_user(self, *args, **kwargs): if self.request.POST.get('uid', None): try: uid = url_str_to_user_pk(self.request.POST['uid']) user = User.objects.get(pk=uid) except (User.DoesNotExist, ValueError, ValidationError): raise Http404() self.validate_membership(user) return user
def login_on_confirm(self, confirmation): user_pk = None user_pk_str = get_adapter(self.request).unstash_user(self.request) if user_pk_str: user_pk = url_str_to_user_pk(user_pk_str) user = confirmation.email_address.user if user_pk == user.pk and self.request.user.is_anonymous: return perform_login(self.request, user, app_settings.EmailVerificationMethod.NONE, redirect_url=self.get_redirect_url) return None
def validate(self, attrs): self._errors = {} # Decode the uidb64 to uid to get User object try: uid = url_str_to_user_pk(attrs['uid']) self.user = User._default_manager.get(pk=uid) except (TypeError, ValueError, OverflowError, User.DoesNotExist): raise ValidationError({'uid': ['Invalid value']}) self.custom_validation(attrs) # Construct SetPasswordForm instance self.set_password_form = self.set_password_form_class(user=self.user, data=attrs) if not self.set_password_form.is_valid(): raise ValidationError(self.set_password_form.errors) if not default_token_generator.check_token(self.user, attrs['token']): raise ValidationError({'token': ['Invalid value']}) return attrs
def login_on_confirm(self, confirmation): """Login on confrim.""" user_pk = None user_pk_str = get_adapter(self.request).unstash_user(self.request) if user_pk_str: user_pk = url_str_to_user_pk(user_pk_str) user = confirmation.email_address.user if user_pk == user.pk and self.request.user.is_anonymous(): return perform_login( self.request, user, app_settings.EmailVerificationMethod.NONE, # passed as callable, as this method # depends on the authenticated state redirect_url=self.get_redirect_url) return None
def login_on_confirm(self, confirmation): """ Simply logging in the user may become a security issue. If you do not take proper care (e.g. don't purge used email confirmations), a malicious person that got hold of the link will be able to login over and over again and the user is unable to do anything about it. Even restoring their own mailbox security will not help, as the links will still work. For password reset this is different, this mechanism works only as long as the attacker has access to the mailbox. If they no longer has access they cannot issue a password request and intercept it. Furthermore, all places where the links are listed (log files, but even Google Analytics) all of a sudden need to be secured. Purging the email confirmation once confirmed changes the behavior -- users will not be able to repeatedly confirm (in case they forgot that they already clicked the mail). All in all, opted for storing the user that is in the process of signing up in the session to avoid all of the above. This may not 100% work in case the user closes the browser (and the session gets lost), but at least we're secure. """ user_pk = None user_pk_str = get_adapter(self.request).unstash_user(self.request) if user_pk_str: user_pk = url_str_to_user_pk(user_pk_str) user = confirmation.email_address.user if user_pk == user.pk and self.request.user.is_anonymous: return perform_login(self.request, user, app_settings.EmailVerificationMethod.NONE, # passed as callable, as this method # depends on the authenticated state redirect_url=self.get_redirect_url) return None
def test_url_str_to_pk_identifies_UUID_as_stringlike(self): with patch('allauth.account.utils.get_user_model') as mocked_gum: mocked_gum.return_value = UUIDUser self.assertEqual(url_str_to_user_pk(self.user_id), uuid.UUID(self.user_id))