mirror/bugsink
1
0
Fork 0
mirror of https://github.com/bugsink/bugsink.git synced 2026-02-08 23:08:36 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
0.1.0
bugsink/users/views.py
Klaas van Schelven c2d2e71682 Fix link in reset_password
2024-06-06 10:37:59 +02:00

169 lines
6.5 KiB
Python
Raw Permalink Blame History

from datetime import timedelta
from django.contrib.auth import login
from django.shortcuts import render, redirect, reverse
from django.contrib.auth import get_user_model
from django.http import Http404
from django.utils import timezone
from bugsink.app_settings import get_settings, CB_ANYBODY
from .forms import UserCreationForm, ResendConfirmationForm, RequestPasswordResetForm, SetPasswordForm
from .models import EmailVerification
from .tasks import send_confirm_email, send_reset_email
UserModel = get_user_model()
def signup(request):
if get_settings().USER_REGISTRATION != CB_ANYBODY:
raise Http404("User self-registration is not allowed.")
if request.method == 'POST':
form = UserCreationForm(request.POST)
if form.is_valid():
if get_settings().USER_REGISTRATION_VERIFY_EMAIL:
user = form.save(commit=False)
user.is_active = False
user.save()
verification = EmailVerification.objects.create(user=user, email=user.username)
send_confirm_email.delay(user.username, verification.token)
return render(request, "users/confirm_email_sent.html", {"email": user.username})
user = form.save()
login(request, user)
return redirect('home')
else:
form = UserCreationForm()
return render(request, "signup.html", {"form": form})
def confirm_email(request, token=None):
# clean up expired tokens; doing this on every request is just fine, it saves us from having to run a cron job-like
EmailVerification.objects.filter(
created_at__lt=timezone.now() - timedelta(get_settings().USER_REGISTRATION_VERIFY_EMAIL_EXPIRY)).delete()
try:
verification = EmailVerification.objects.get(token=token)
except EmailVerification.DoesNotExist:
# good enough (though a special page might be prettier)
raise Http404("Invalid or expired token")
if request.method == 'POST':
# We insist on POST requests to do the actual confirmation (at the cost of an extra click). See:
# https://softwareengineering.stackexchange.com/a/422579/168778
# there's no form, the'res just a button to generate the post request
verification.user.is_active = True
verification.user.save()
verification.delete()
# this mirrors the approach of what we do in password-resetting; and rightfully so because the in both cases
# access to email is assumed to be sufficient proof of identity.
login(request, verification.user)
return redirect('home')
return render(request, "users/confirm_email.html")
def resend_confirmation(request):
if request.method == 'POST':
form = ResendConfirmationForm(request.POST)
if form.is_valid():
user = UserModel.objects.get(username=form.cleaned_data['email'])
if user.is_active:
raise Http404("This email is already confirmed.")
verification = EmailVerification.objects.create(user=user, email=user.username)
send_confirm_email.delay(user.username, verification.token)
return render(request, "users/confirm_email_sent.html", {"email": user.username})
else:
form = ResendConfirmationForm(data=request.GET)
return render(request, "users/resend_confirmation.html", {"form": form})
def request_reset_password(request):
# something like this exists in Django too; copy-paste-modify from the other views was more simple than thoroughly
# understanding the Django implementation and hooking into it.
if request.method == 'POST':
form = RequestPasswordResetForm(request.POST)
if form.is_valid():
user = UserModel.objects.get(username=form.cleaned_data['email'])
# if not user.is_active no separate branch for this: password-reset implies email-confirmation
# we reuse the EmailVerification model for password resets; security wise it doesn't matter, because the
# visiting any link with the token implies control over the email account; and we have defined that such
# control implies both verification and password-resetting.
verification = EmailVerification.objects.create(user=user, email=user.username)
send_reset_email.delay(user.username, verification.token)
return render(request, "users/reset_password_email_sent.html", {"email": user.username})
else:
form = RequestPasswordResetForm()
return render(request, "users/request_reset_password.html", {"form": form})
def reset_password(request, token=None):
# alternative name: set_password (because this one also works for initial setting of a password)
# clean up expired tokens; doing this on every request is just fine, it saves us from having to run a cron
# job-like thing
EmailVerification.objects.filter(
created_at__lt=timezone.now() - timedelta(get_settings().USER_REGISTRATION_VERIFY_EMAIL_EXPIRY)).delete()
try:
verification = EmailVerification.objects.get(token=token)
except EmailVerification.DoesNotExist:
# good enough (though a special page might be prettier)
raise Http404("Invalid or expired token")
user = verification.user
next = request.POST.get("next", request.GET.get("next", reverse("home")))
if request.method == 'POST':
form = SetPasswordForm(user, request.POST)
if form.is_valid():
user.is_active = True # password-reset implies email-confirmation
user.set_password(form.cleaned_data['new_password1'])
user.save()
verification.delete()
login(request, verification.user)
return redirect(next)
else:
form = SetPasswordForm(user)
return render(request, "users/reset_password.html", {"form": form, "next": next})
DEBUG_CONTEXTS = {
"confirm_email": {
"site_title": get_settings().SITE_TITLE,
"base_url": get_settings().BASE_URL + "/",
"confirm_url": "http://example.com/confirm-email/1234567890abcdef", # nonsense to avoid circular import
},
"reset_password_email": {
"site_title": get_settings().SITE_TITLE,
"base_url": get_settings().BASE_URL + "/",
"reset_url": "http://example.com/reset-password/1234567890abcdef", # nonsense to avoid circular import
},
}
def debug_email(request, template_name):
return render(request, 'mails/' + template_name + ".html", DEBUG_CONTEXTS[template_name])
Reference in New Issue View Git Blame Copy Permalink