

Merge pull request #655 from dannon/password_reset_tweaks
Password reset tweaks
martenson committed Aug 27, 2015
2 parents 949b3de + c337fcc commit f5ca24e
Showing 2 changed files with 36 additions and 31 deletions.
2 changes: 1 addition & 1 deletion lib/galaxy/model/__init__.py
Expand Up @@ -273,7 +273,7 @@ def __init__( self, user, token=None):
else:
self.token = unique_id()
self.user = user
self.expiration_time = datetime.now() + timedelta(hours=24)
self.expiration_time = galaxy.model.orm.now.now() + timedelta(hours=24)


class BaseJobMetric( object ):
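Review bot: The expiration stamped on the new line comes from `galaxy.model.orm.now.now()`, while the two places in lib/galaxy/webapps/galaxy/controllers/user.py that this same commit changes to check and invalidate it compare against `datetime.utcnow()`; the 24-hour validity window is only right if both are the same clock. Presumably `now.now` is a UTC helper, but nothing on this page shows that, so the coupling deserves a comment on this line such as `# UTC: change_password() compares this against datetime.utcnow()`, or better, the controller should call the same helper. The enclosing `__init__` begins outside the hunk.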
65 changes: 35 additions & 30 deletions lib/galaxy/webapps/galaxy/controllers/user.py
Expand Up @@ -15,7 +15,7 @@
eggs.require( "MarkupSafe" )
from markupsafe import escape
eggs.require('sqlalchemy')
from sqlalchemy import and_, or_, true
from sqlalchemy import and_, or_, true, func

from galaxy import model
from galaxy import util
Expand Down Expand Up @@ -45,7 +45,8 @@
"""

PASSWORD_RESET_TEMPLATE = """
To reset your Galaxy password for the instance at %s, use the following link:
To reset your Galaxy password for the instance at %s use the following link,
which will expire %s.
<a href="%s">%s</a>
Expand Down Expand Up @@ -1127,7 +1128,7 @@ def change_password( self, trans, token=None, **kwd):
if token:
# If a token was supplied, validate and set user
token_result = trans.sa_session.query( trans.app.model.PasswordResetToken ).get(token)
if token_result and token_result.expiration_time > datetime.now():
if token_result and token_result.expiration_time > datetime.utcnow():
user = token_result.user
else:
return trans.show_error_message("Invalid or expired password reset token, please request a new one.")
Expand All @@ -1149,7 +1150,7 @@ def change_password( self, trans, token=None, **kwd):
# if we used a token, invalidate it and log the user in.
if token_result:
trans.handle_user_login(token_result.user)
token_result.expiration_time = datetime.now()
token_result.expiration_time = datetime.utcnow()
trans.sa_session.add(token_result)
# Invalidate all other sessions
for other_galaxy_session in trans.sa_session.query( trans.app.model.GalaxySession ) \
Expand Down Expand Up @@ -1177,33 +1178,37 @@ def reset_password( self, trans, email=None, **kwd ):
message = None
status = 'done'
if kwd.get( 'reset_password_button', False ):
# Default to a non-userinfo-leaking response message
message = ( "Your reset request for %s has been received. "
"Please check your email account for more instructions. "
"If you do not receive an email shortly, please contact an administrator." % ( escape( email ) ) )
reset_user = trans.sa_session.query( trans.app.model.User ).filter( trans.app.model.User.table.c.email == email ).first()
if reset_user:
prt = trans.app.model.PasswordResetToken( reset_user )
trans.sa_session.add( prt )
trans.sa_session.flush()
host = trans.request.host.split( ':' )[ 0 ]
if host in [ 'localhost', '127.0.0.1', '0.0.0.0' ]:
host = socket.getfqdn()
reset_url = url_for( controller='user',
action="change_password",
token=prt.token, qualified=True)
body = PASSWORD_RESET_TEMPLATE % ( host, reset_url, reset_url )
frm = trans.app.config.email_from
if frm is None:
frm = 'galaxy-no-reply@' + host
subject = 'Galaxy Password Reset'
try:
util.send_mail( frm, email, subject, body, trans.app.config )
trans.sa_session.add( reset_user )
message = validate_email(trans, email, check_dup=False)
if not message:
# Default to a non-userinfo-leaking response message
message = ( "Your reset request for %s has been received. "
"Please check your email account for more instructions. "
"If you do not receive an email shortly, please contact an administrator." % ( escape( email ) ) )
reset_user = trans.sa_session.query( trans.app.model.User ).filter( trans.app.model.User.table.c.email == email ).first()
if not reset_user:
# Perform a case-insensitive check only if the user wasn't found
reset_user = trans.sa_session.query( trans.app.model.User ).filter( func.lower(trans.app.model.User.table.c.email) == func.lower(email) ).first()
if reset_user:
prt = trans.app.model.PasswordResetToken( reset_user )
trans.sa_session.add( prt )
trans.sa_session.flush()
trans.log_event( "User reset password: %s" % email )
except Exception:
log.exception( 'Unable to reset password.' )
host = trans.request.host.split( ':' )[ 0 ]
if host in [ 'localhost', '127.0.0.1', '0.0.0.0' ]:
host = socket.getfqdn()
reset_url = url_for( controller='user',
action="change_password",
token=prt.token, qualified=True)
body = PASSWORD_RESET_TEMPLATE % ( host, prt.expiration_time.strftime(trans.app.config.pretty_datetime_format),
reset_url, reset_url )
frm = trans.app.config.email_from or 'galaxy-no-reply@' + host
subject = 'Galaxy Password Reset'
try:
util.send_mail( frm, email, subject, body, trans.app.config )
trans.sa_session.add( reset_user )
trans.sa_session.flush()
trans.log_event( "User reset password: %s" % email )
except Exception:
log.exception( 'Unable to reset password.' )
return trans.fill_template( '/user/reset_password.mako',
message=message,
status=status )
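Review bot: In the reset_password hunk the reset link is still mailed to the address the requester typed (`util.send_mail( frm, email, subject, body, trans.app.config )`) even though the new case-insensitive fallback may have matched an account whose stored address differs from it in case; since following the link logs the recipient in (see the change_password hunk above), the mail should go to the address on record, `util.send_mail( frm, reset_user.email, subject, body, trans.app.config )`. SMTP local-parts may be treated case-sensitively by the receiving server, so a differently-cased local-part is not guaranteed to be the same mailbox. The fallback also uses `.first()`, so if several accounts differ only in case the token is presumably issued for whichever row comes back first; fetching with `.all()` and refusing or logging the ambiguous case would be safer. The `reset_password` signature sits in the hunk header and the function may continue past the hunk.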
