Commit 4a79b736 authored by Antoine Bernard's avatar Antoine Bernard

[reset_pw] On vérifie le token *avant* de servir la page.

parent c52b5bd5
......@@ -155,10 +155,15 @@ class PasswordResetConfirmView(FormView):
success_url = reverse_lazy("password_reset:password_reset_complete")
template_name = 'password_reset/password_reset_confirm.html'
def get(self, request, *args, **kwargs):
def get(self, request, uidb64=None, token=None, *args, **kwargs):
if not request.user.is_anonymous():
messages.error(request, _(u"Vous devez vous déconnecter pour accédez à cette page"))
return redirect(reverse_lazy('index'))
# On vérifie le token avant de servir la page.
if not self.is_token_valid(request, uidb64, token):
return redirect(reverse_lazy("password_reset:password_reset"))
return render(
request,
"password_reset/password_reset_confirm.html",
......@@ -172,6 +177,25 @@ class PasswordResetConfirmView(FormView):
form for entering a new password.
"""
form = self.form_class(request.POST)
# On vérifie le token avant de servir la page.
if not self.is_token_valid(request, uidb64, token):
return redirect(reverse_lazy("password_reset:password_reset"))
# On vérifie la validité du formulaire
if form.is_valid() and form.apply(user):
user.history_gen()
user.save()
messages.success(request, _(u'Le mot de passe a été réinitialisé'))
return self.form_valid(form)
else:
messages.error(request, _(u'La réinitialisation de mot de passe a échoué'))
return self.form_invalid(form)
def is_token_valid(self, request, uidb64, token):
"""
Check if a given token is valid or not.
"""
assert uidb64 is not None and token is not None
try:
uid = urlsafe_base64_decode(uidb64)
......@@ -182,17 +206,10 @@ class PasswordResetConfirmView(FormView):
# Si `user` existe et le `token` n'a pas expiré.
if user is not None and self.token_generator.check_token(user, token):
if form.is_valid() and form.apply(user):
user.history_gen()
user.save()
messages.success(request, _(u'Le mot de passe a été réinitialisé'))
return self.form_valid(form)
else:
messages.error(request, _(u'La réinitialisation de mot de passe a échoué'))
return self.form_invalid(form)
else:
messages.error(request, _(u"Le token de réinitialisation n'est plus valide."))
return redirect(reverse_lazy("password_reset:password_reset"))
return True
# Sinon
messages.error(request, _(u"Le token de réinitialisation n'est plus valide."))
return False
password_reset_confirm = PasswordResetConfirmView.as_view()
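Review bot: In the `post` hunk, `form.apply(user)` still references `user`, but the lookup that used to bind it (the `urlsafe_base64_decode` / user query block) has moved into `is_token_valid`, which only returns a boolean — unless `user` is bound somewhere outside the hunk, the success path now raises `NameError` as soon as the token check passes. One fix is to have the helper hand back the resolved user (`None` on failure) and bind it in `post`, e.g. `user = self.get_user_for_token(request, uidb64, token)` followed by `if user is None: return redirect(reverse_lazy("password_reset:password_reset"))`. Separately, `assert uidb64 is not None and token is not None` in `is_token_valid` is stripped under `python -O`, and `get` now defaults both parameters to `None`, so a URL missing either would reach `urlsafe_base64_decode(None)`; an explicit `if uidb64 is None or token is None: return False` keeps the guard unconditional and turns a malformed link into the same redirect as an expired token. `post`'s signature lies outside the hunk and `is_token_valid`'s body continues into the third hunk.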