Refs #17209 -- Fixed token verification for PasswordResetConfirmView POST requests.
This commit is contained in:
parent
55adfc0760
commit
51eaff6d35
@ -441,6 +441,15 @@ class PasswordResetConfirmView(PasswordContextMixin, FormView):
|
|||||||
@method_decorator(never_cache)
|
@method_decorator(never_cache)
|
||||||
def dispatch(self, *args, **kwargs):
|
def dispatch(self, *args, **kwargs):
|
||||||
assert 'uidb64' in kwargs and 'token' in kwargs
|
assert 'uidb64' in kwargs and 'token' in kwargs
|
||||||
|
|
||||||
|
self.validlink = False
|
||||||
|
self.user = self.get_user(kwargs['uidb64'])
|
||||||
|
|
||||||
|
if self.user is not None and self.token_generator.check_token(self.user, kwargs['token']):
|
||||||
|
self.validlink = True
|
||||||
|
else:
|
||||||
|
return self.render_to_response(self.get_context_data())
|
||||||
|
|
||||||
return super(PasswordResetConfirmView, self).dispatch(*args, **kwargs)
|
return super(PasswordResetConfirmView, self).dispatch(*args, **kwargs)
|
||||||
|
|
||||||
def get_user(self, uidb64):
|
def get_user(self, uidb64):
|
||||||
@ -455,7 +464,7 @@ class PasswordResetConfirmView(PasswordContextMixin, FormView):
|
|||||||
|
|
||||||
def get_form_kwargs(self):
|
def get_form_kwargs(self):
|
||||||
kwargs = super(PasswordResetConfirmView, self).get_form_kwargs()
|
kwargs = super(PasswordResetConfirmView, self).get_form_kwargs()
|
||||||
kwargs['user'] = self.get_user(self.kwargs['uidb64'])
|
kwargs['user'] = self.user
|
||||||
return kwargs
|
return kwargs
|
||||||
|
|
||||||
def form_valid(self, form):
|
def form_valid(self, form):
|
||||||
@ -466,8 +475,7 @@ class PasswordResetConfirmView(PasswordContextMixin, FormView):
|
|||||||
|
|
||||||
def get_context_data(self, **kwargs):
|
def get_context_data(self, **kwargs):
|
||||||
context = super(PasswordResetConfirmView, self).get_context_data(**kwargs)
|
context = super(PasswordResetConfirmView, self).get_context_data(**kwargs)
|
||||||
user = context['form'].user
|
if self.validlink:
|
||||||
if user is not None and self.token_generator.check_token(user, self.kwargs['token']):
|
|
||||||
context['validlink'] = True
|
context['validlink'] = True
|
||||||
else:
|
else:
|
||||||
context.update({
|
context.update({
|
||||||
|
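Review bot: The new `dispatch` override in the first hunk carries no docstring, yet it now holds the security invariant of this view — the uidb64/token check runs once for every HTTP method, so a POST can no longer reach `form_valid` with a token that only `get_context_data` used to reject; a later refactor that moves the check back into a GET-only path would silently reopen the hole. Consider `"""Validate the reset link before any method handler runs; an invalid uid or token short-circuits to the error template without touching the form."""` above the `assert`. `get_form_kwargs` and `get_context_data` (second and third hunks) now read `self.user` and `self.validlink`, which only exist after `dispatch` has run, so a subclass that overrides `dispatch` without calling `super()` would presumably fail with an `AttributeError` rather than fall back to an unsafe path — a short comment where the attributes are assigned, `# set here for every request; get_form_kwargs/get_context_data rely on them`, would make that dependency explicit. `get_context_data` continues outside the hunk.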
@ -255,6 +255,23 @@ class PasswordResetTest(AuthViewsTestCase):
|
|||||||
u = User.objects.get(email='staffmember@example.com')
|
u = User.objects.get(email='staffmember@example.com')
|
||||||
self.assertTrue(not u.check_password("anewpassword"))
|
self.assertTrue(not u.check_password("anewpassword"))
|
||||||
|
|
||||||
|
def test_confirm_invalid_hash(self):
|
||||||
|
"""A POST with an invalid token is rejected."""
|
||||||
|
u = User.objects.get(email='staffmember@example.com')
|
||||||
|
original_password = u.password
|
||||||
|
url, path = self._test_confirm_start()
|
||||||
|
path_parts = path.split('-')
|
||||||
|
path_parts[-1] = ("0") * 20 + '/'
|
||||||
|
path = '-'.join(path_parts)
|
||||||
|
|
||||||
|
response = self.client.post(path, {
|
||||||
|
'new_password1': 'anewpassword',
|
||||||
|
'new_password2': 'anewpassword',
|
||||||
|
})
|
||||||
|
self.assertIs(response.context['validlink'], False)
|
||||||
|
u.refresh_from_db()
|
||||||
|
self.assertEqual(original_password, u.password) # password hasn't changed
|
||||||
|
|
||||||
def test_confirm_complete(self):
|
def test_confirm_complete(self):
|
||||||
url, path = self._test_confirm_start()
|
url, path = self._test_confirm_start()
|
||||||
response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'})
|
response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'})
|
||||||
|
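Review bot: `test_confirm_invalid_hash` only exercises a token that is malformed outright (`"0" * 20` is not even the same shape as a generated token), so the test would presumably still pass if the new `dispatch` check were skipped for well-formed tokens; a second POST using a syntactically valid token issued for a different user, or one generated before the password was changed, would pin the behaviour the commit actually fixes. The helper's `url` return value is unpacked but unused, matching `test_confirm_complete` below, and the redundant parentheses can go: `path_parts[-1] = '0' * 20 + '/'`. It would also be worth asserting the response status so a future redirect-on-failure does not make `response.context['validlink']` an accidental pass.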