author0livd <github@destras.fr>2017-12-15 17:10:28 +0100
committerAlexis Metaireau <alexis@notmyidea.org>2017-12-15 17:10:28 +0100
commit8a68ac0d5b85f896dd59042c207bc63c3d026f7d (patch)
tree888f9729d656eb0bec4f2e329301776bd31e1a9e /ihatemoney/web.py
parent2866c868d55d197de8c39c34debc878b38929d98 (diff)
Use token based auth in invitation e-mails (#280)
* Use token based auth in invitation e-mails Invitation e-mails no longer contain the clear text project password * Skip invite page after project creation - Replace ``The project identifier is demo, remember it!`` by ``Invite other people to join this project!`` (linking to the invite page) - Encourage users to share the project password via other communication means in the reminder email
Diffstat (limited to 'ihatemoney/web.py')
-rw-r--r--ihatemoney/web.py32
1 files changed, 21 insertions, 11 deletions
diff --git a/ihatemoney/web.py b/ihatemoney/web.py
index efd843c..c1b1093 100644
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@@ -151,12 +151,20 @@ def admin():
def authenticate(project_id=None):
"""Authentication form"""
form = AuthenticationForm()
- if not form.id.data and request.args.get('project_id'):
- form.id.data = request.args['project_id']
- project_id = form.id.data
+ # Try to get project_id from token first
+ token = request.args.get('token')
+ if token:
+ project_id = Project.verify_token(token, token_type='non_timed_token')
+ token_auth = True
+ else:
+ if not form.id.data and request.args.get('project_id'):
+ form.id.data = request.args['project_id']
+ project_id = form.id.data
+ token_auth = False
if project_id is None:
- # User doesn't provide project identifier, return to authenticate form
- msg = _("You need to enter a project identifier")
+ # User doesn't provide project identifier or a valid token
+ # return to authenticate form
+ msg = _("You either provided a bad token or no project identifier.")
form.errors["id"] = [msg]
return render_template("authenticate.html", form=form)
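Review bot: `token_auth = True` on the line right after `Project.verify_token(...)` is set before the verification outcome is known; it is only harmless because the `project_id is None` branch below returns early, so any later change to that check could let an unverified token reach the login path further down. Tie the flag to the result instead: `token_auth = project_id is not None`. The token is read from the query string (`request.args.get('token')`), so it will land in server and proxy access logs and in the Referer header of outbound links from the authenticated page; a comment on the `token` line saying that a `non_timed_token` value presumably never expires (verify_token is not shown here, so confirm) and should be treated as a long-lived credential would help the next maintainer. authenticate() continues past the end of this hunk.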
@@ -171,11 +179,10 @@ def authenticate(project_id=None):
setattr(g, 'project', project)
return redirect(url_for(".list_bills"))
- if request.method == "POST" and form.validate():
- if not form.password.data == project.password:
- msg = _("This private code is not the right one")
- form.errors['password'] = [msg]
- return render_template("authenticate.html", form=form)
+ # else do form authentication or token authentication
+ is_post_auth = request.method == "POST" and form.validate()
+ is_valid_password = form.password.data == project.password
+ if is_post_auth and is_valid_password or token_auth:
# maintain a list of visited projects
if "projects" not in session:
session["projects"] = []
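Review bot: `is_valid_password = form.password.data == project.password` checks the submitted code with `==`, which returns at the first differing character, and it is evaluated on every request including GETs where `form.password.data` is None. For a credential check use a constant-time comparison and only run it when a form was posted, assuming both values are str: `is_valid_password = is_post_auth and hmac.compare_digest((form.password.data or '').encode('utf-8'), (project.password or '').encode('utf-8'))` (hmac is stdlib; the import belongs at the top of the file, outside this hunk). The condition `if is_post_auth and is_valid_password or token_auth:` depends on `and` binding tighter than `or`; `if (is_post_auth and is_valid_password) or token_auth:` makes the intended grouping explicit. The body of authenticate() starts before and ends after this hunk.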
@@ -185,6 +192,9 @@ def authenticate(project_id=None):
session.update()
setattr(g, 'project', project)
return redirect(url_for(".list_bills"))
+ if is_post_auth and not is_valid_password:
+ msg = _("This private code is not the right one")
+ form.errors['password'] = [msg]
return render_template("authenticate.html", form=form)
@@ -250,7 +260,7 @@ def create_project():
# redirect the user to the next step (invite)
flash(_("%(msg_compl)sThe project identifier is %(project)s",
msg_compl=msg_compl, project=project.id))
- return redirect(url_for(".invite", project_id=project.id))
+ return redirect(url_for(".list_bills", project_id=project.id))
return render_template("create_project.html", form=form)