| author | 0livd <github@destras.fr> | 2017-10-26 19:46:34 +0200 |
|---|---|---|
| committer | Alexis Metaireau <alexis@notmyidea.org> | 2017-10-26 19:46:34 +0200 |
| commit | b94bad829c1fd4b4325a4af280d33d50f164e05f (patch) | |
| tree | e1d090759cdd248f1511bd349d7ff26b180e1529 /ihatemoney/web.py | |
| parent | b4961f646a6e265451aa414df9fb0d58b552ffdf (diff) | |
Use token based auth to reset passwords (#269)
Send a mail containing a password reset
token link instead of sending a clear text
password.
Ref #232
Diffstat (limited to 'ihatemoney/web.py')
| -rw-r--r-- | ihatemoney/web.py | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/ihatemoney/web.py b/ihatemoney/web.py
index 92b7ddc..7e4c563 100644
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@@ -24,7 +24,7 @@ from functools import wraps
 from ihatemoney.models import db, Project, Person, Bill
 from ihatemoney.forms import (
     AdminAuthenticationForm, AuthenticationForm, EditProjectForm,
-    InviteForm, MemberForm, PasswordReminder, ProjectForm, get_billform_for,
+    InviteForm, MemberForm, PasswordReminder, ResetPasswordForm, ProjectForm, get_billform_for,
     ExportForm
 )
 from ihatemoney.utils import Redirect303, list_of_dicts2json, list_of_dicts2csv, LoginThrottler
@@ -263,17 +263,40 @@ def remind_password():
         # get the project
         project = Project.query.get(form.id.data)
-        # send the password reminder
+        # send a link to reset the password
         password_reminder = "password_reminder.%s" % get_locale().language
         current_app.mail.send(Message(
             "password recovery",
             body=render_template(password_reminder, project=project),
             recipients=[project.contact_email]))
-        flash(_("a mail has been sent to you with the password"))
+        flash(_("A link to reset your password has been sent to your email."))
     return render_template("password_reminder.html", form=form)
+@main.route('/reset-password', methods=['GET', 'POST'])
+def reset_password():
+    form = ResetPasswordForm()
+    token = request.args.get('token')
+    if not token:
+        return render_template('reset_password.html', form=form, error=_("No token provided"))
+    project_id = Project.verify_token(token)
+    if not project_id:
+        return render_template('reset_password.html', form=form, error=_("Invalid token"))
+    project = Project.query.get(project_id)
+    if not project:
+        return render_template('reset_password.html', form=form, error=_("Unknown project"))
+
+    if request.method == "POST":
+        if form.validate():
+            project.password = form.password.data
+            db.session.add(project)
+            db.session.commit()
+            flash(_("Password successfully reset."))
+            return redirect(url_for(".home"))
+    return render_template('reset_password.html', form=form)
+
+
 @main.route("/<project_id>/edit", methods=["GET", "POST"])
 def edit_project():
     edit_form = EditProjectForm()
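Review bot: Nothing in the new reset_password view invalidates the token once the password has been changed, so if Project.verify_token (defined outside this file and not shown here) only checks the signature and an expiry window, the same emailed link will keep resetting the password until it expires. A common mitigation is to make the signed payload depend on something that changes with the reset, e.g. a hash of the current password, so an already-used link stops verifying; that belongs wherever the token is generated and verified rather than in this hunk, but a comment on the `project_id = Project.verify_token(token)` line should state which of these guarantees the token carries. Because the token is read from the query string (`request.args.get('token')`), it will also appear in web-server and proxy logs and in the Referer header of any external resource loaded by reset_password.html, which is worth a comment on that line. Finally, `project.password = form.password.data` stores the submitted value as-is; if project creation elsewhere in web.py hashes passwords before storing them, the same hashing must be applied here, and the first `form.validate()` branch should say so in a comment either way.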
