def reset_password(request):
session = DBSession()
matchdict = request.matchdict
token = matchdict["token"]
forgotPassword = ForgotPassword.getByToken(token)
if (not forgotPassword):
request.session.flash(_("Reset password token not found in database."))
return HTTPFound(location = route_url("home", request))
if (request.logged_in):
request.session.flash(_("You are already logged in and therefore cannot reset a password."))
return HTTPFound(location = route_url("home", request))
login_url = route_url('login', request)
referrer = request.url
if (referrer == login_url):
referrer = '/' # never use the login form itself as came_from
came_from = request.params.get('came_from', referrer)
user = User.getByID(forgotPassword.user.id)
fs = None
if 'submitted' in request.params:
fs = ResetPasswordFieldSet().bind(User, session = session, data = request.params or None)
valid = fs.validate()
if valid:
user = User.getByID(request.params["user_id"])
password = bcrypt.hashpw(fs.password1.value, bcrypt.gensalt())
user.password = password
user.user_type = User.NORMAL
session.add(user)
session.flush()
session.query(ForgotPassword).filter(ForgotPassword.user_id == user.id).delete()
request.session["username"] = user.username
headers = remember(request, user.id)
request.session.flash(_("You have successfully updated your password!"))
return HTTPFound(location = route_url("home", request), headers = headers)
if (fs is None):
fs = ResetPasswordFieldSet().bind(User, session = session)
form = fs.render()
return dict(form = form, user_id = user.id, title = _("Forgot your password?"))
