mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-06-05 11:39:13 +00:00
Code Issues 32 Releases Wiki Activity

Refs #17209 -- Fixed token verification for PasswordResetConfirmView POST requests.

Browse Source
This commit is contained in:
Florian Apolloner 2016-11-21 17:21:43 +01:00 committed by Tim Graham
parent 55adfc0760
commit 51eaff6d35
2 changed files with 28 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
django/contrib/auth/views.py
View File

@ -441,6 +441,15 @@ class PasswordResetConfirmView(PasswordContextMixin, FormView):
@method_decorator(never_cache) @method_decorator(never_cache)
def dispatch(self, *args, **kwargs): def dispatch(self, *args, **kwargs):
assert 'uidb64' in kwargs and 'token' in kwargs assert 'uidb64' in kwargs and 'token' in kwargs
self.validlink = False
self.user = self.get_user(kwargs['uidb64'])
if self.user is not None and self.token_generator.check_token(self.user, kwargs['token']):
self.validlink = True
else:
return self.render_to_response(self.get_context_data())
return super(PasswordResetConfirmView, self).dispatch(*args, **kwargs) return super(PasswordResetConfirmView, self).dispatch(*args, **kwargs)
def get_user(self, uidb64): def get_user(self, uidb64):
@ -455,7 +464,7 @@ class PasswordResetConfirmView(PasswordContextMixin, FormView):
def get_form_kwargs(self): def get_form_kwargs(self):
kwargs = super(PasswordResetConfirmView, self).get_form_kwargs() kwargs = super(PasswordResetConfirmView, self).get_form_kwargs()
kwargs['user'] = self.get_user(self.kwargs['uidb64']) kwargs['user'] = self.user
return kwargs return kwargs
def form_valid(self, form): def form_valid(self, form):
@ -466,8 +475,7 @@ class PasswordResetConfirmView(PasswordContextMixin, FormView):
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
context = super(PasswordResetConfirmView, self).get_context_data(**kwargs) context = super(PasswordResetConfirmView, self).get_context_data(**kwargs)
user = context['form'].user if self.validlink:
if user is not None and self.token_generator.check_token(user, self.kwargs['token']):
context['validlink'] = True context['validlink'] = True
else: else:
context.update({ context.update({

17
tests/auth_tests/test_views.py
View File

@ -255,6 +255,23 @@ class PasswordResetTest(AuthViewsTestCase):
u = User.objects.get(email='staffmember@example.com') u = User.objects.get(email='staffmember@example.com')
self.assertTrue(not u.check_password("anewpassword")) self.assertTrue(not u.check_password("anewpassword"))
def test_confirm_invalid_hash(self):
"""A POST with an invalid token is rejected."""
u = User.objects.get(email='staffmember@example.com')
original_password = u.password
url, path = self._test_confirm_start()
path_parts = path.split('-')
path_parts[-1] = ("0") * 20 + '/'
path = '-'.join(path_parts)
response = self.client.post(path, {
'new_password1': 'anewpassword',
'new_password2': 'anewpassword',
})
self.assertIs(response.context['validlink'], False)
u.refresh_from_db()
self.assertEqual(original_password, u.password) # password hasn't changed
def test_confirm_complete(self): def test_confirm_complete(self):
url, path = self._test_confirm_start() url, path = self._test_confirm_start()
response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'}) response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'})