def _reset_password(self, url_hash): """Confirm a password change request, and let the user change their password. `url_hash` is a hash of the email address, with which we can look up the confuirmation record in the database. If `url_hash` doesn't exist, 404. If `url_hash` exists and the date is older than 24 hours, warn the user, offer to send a new confirmation, and delete the confirmation record. GET returns a form for setting their password, with their email address already shown. POST checks that the email address (in the session, not in the form) is part of a valid person record (again). If the record exists, then update the password, hashed. Report success to the user. Delete the confirmation record. If the record doesn't exist, throw an error, delete the confirmation record. """ c.conf_rec = PasswordResetConfirmation.find_by_url_hash(url_hash) now = datetime.datetime.now(c.conf_rec.timestamp.tzinfo) delta = now - c.conf_rec.timestamp if delta > datetime.timedelta(hours=24): # this confirmation record has expired meta.Session.delete(c.conf_rec) meta.Session.commit() return render('person/expired.mako') person = Person.find_by_email(c.conf_rec.email_address) if person is None: raise RuntimeError, "Person doesn't exist %s" % c.conf_rec.email_address # set the password person.password = self.form_result['password'] # also make sure the person is activated person.activated = True # delete the conf rec meta.Session.delete(c.conf_rec) meta.Session.commit() return render('person/success.mako')
def reset_password(self, url_hash): c.conf_rec = PasswordResetConfirmation.find_by_url_hash(url_hash) return render('person/reset.mako')