Merge branch 'master' of git@github.com:pinax/pinax

pinax/apps/account/forms.py

@@ -6,12 +6,14 @@
 from django.conf import settings
 from django.utils.translation import ugettext_lazy as _, ugettext
 from django.utils.encoding import smart_unicode
+from django.utils.hashcompat import sha_constructor
 
 from misc.utils import get_send_mail
 send_mail = get_send_mail()
 
 from django.contrib.auth import authenticate, login
 from django.contrib.auth.models import User
+from django.contrib.sites.models import Site
 
 from emailconfirmation.models import EmailAddress
 from account.models import Account
@@ -237,37 +239,40 @@ def clean_email(self):
 
     def save(self):
         for user in User.objects.filter(email__iexact=self.cleaned_data["email"]):
-            # make a random password so this account can't be accessed.
-            new_password = User.objects.make_random_password()
-            user.set_password(new_password)
-            user.save()
-
-            # Make the temp key by generating another random password.
-            temp_key = User.objects.make_random_password()
+            temp_key = sha_constructor("%s%s%s" % (
+                settings.SECRET_KEY,
+                user.email,
+                settings.SECRET_KEY,
+            )).hexdigest()
 
             # save it to the password reset model
             password_reset = PasswordReset(user=user, temp_key=temp_key)
             password_reset.save()
 
+            current_site = Site.objects.get_current()
+            domain = unicode(current_site.domain)
+
             #send the password reset email
             subject = _("Password reset email sent")
             message = render_to_string("account/password_reset_key_message.txt", {
                 "user": user,        
                 "temp_key": temp_key,
+                "domain": domain,
             })
             send_mail(subject, message, settings.DEFAULT_FROM_EMAIL, [user.email], priority="high")
         return self.cleaned_data["email"]
 
 class ResetPasswordKeyForm(forms.Form):
 
-    temp_key = forms.CharField(label=_("Temporary Password"), widget=forms.PasswordInput(render_value=False))
     password1 = forms.CharField(label=_("New Password"), widget=forms.PasswordInput(render_value=False))
     password2 = forms.CharField(label=_("New Password (again)"), widget=forms.PasswordInput(render_value=False))
+    temp_key = forms.CharField(widget=forms.HiddenInput)
 
     def clean_temp_key(self):
-        if not PasswordReset.objects.filter(temp_key__exact=self.cleaned_data.get("temp_key"),reset__exact=False).count() == 1:
-            raise forms.ValidationError(_("Please type your temporary password."))
-        return self.cleaned_data["temp_key"]
+        temp_key = self.cleaned_data.get("temp_key")
+        if not PasswordReset.objects.filter(temp_key=temp_key, reset=False).count() == 1:
+            raise forms.ValidationError(_("Temporary key is invalid."))
+        return temp_key
 
     def clean_password2(self):
         if "password1" in self.cleaned_data and "password2" in self.cleaned_data:
@@ -277,16 +282,16 @@ def clean_password2(self):
 
     def save(self):
         # get the password_reset object
-        password_reset = PasswordReset.objects.get(temp_key__exact=self.cleaned_data.get("temp_key"))
+        temp_key = self.cleaned_data.get("temp_key")
+        password_reset = PasswordReset.objects.get(temp_key__exact=temp_key)
 
         # now set the new user password
         user = User.objects.get(passwordreset__exact=password_reset)
-        user.set_password(self.cleaned_data['password1'])
+        user.set_password(self.cleaned_data["password1"])
         user.save()
         user.message_set.create(message=ugettext(u"Password successfully changed."))
 
         # change all the password reset records to this person to be true.
-        #R8kmfcTycq
         for password_reset in PasswordReset.objects.filter(user=user):
             password_reset.reset = True
             password_reset.save()

pinax/apps/account/models.py

@@ -84,4 +84,4 @@ class PasswordReset(models.Model):
     reset = models.BooleanField(_('reset yet?'), default=False)
 
     def __unicode__(self):
-        return 'temp_key for ' + self.user.username
+        return "%s (key=%s, reset=%r)" % (self.user.username, self.temp_key, self.reset)

pinax/apps/account/urls.py

@@ -24,7 +24,7 @@
     url(r'^confirm_email/(\w+)/$', 'emailconfirmation.views.confirm_email', name="acct_confirm_email"),
 
     # Setting the permanent password after getting a key by email
-    url(r'^password_reset_key/$', 'account.views.password_reset_from_key', name="acct_passwd_reset_key"),    
+    url(r'^password_reset_key/(\w+)/$', 'account.views.password_reset_from_key', name="acct_passwd_reset_key"),
 
     # ajax validation
     (r'^validate/$', 'ajax_validation.views.validate', {'form_class': SignupForm}, 'signup_form_validate'),

pinax/apps/account/views.py

@@ -175,15 +175,15 @@ def password_reset(request, form_class=ResetPasswordForm,
         "password_reset_form": password_reset_form,
     }, context_instance=RequestContext(request))
 
-def password_reset_from_key(request, form_class=ResetPasswordKeyForm,
+def password_reset_from_key(request, key, form_class=ResetPasswordKeyForm,
         template_name="account/password_reset_from_key.html"):
     if request.method == "POST":
         password_reset_key_form = form_class(request.POST)
         if password_reset_key_form.is_valid():
             password_reset_key_form.save()
             password_reset_key_form = None
     else:
-        password_reset_key_form = form_class()
+        password_reset_key_form = form_class(initial={"temp_key": key})
 
     return render_to_response(template_name, {
         "form": password_reset_key_form,

pinax/templates/default/account/password_reset_done.html

@@ -11,8 +11,5 @@ <h1>{% trans "Password Reset" %}</h1>
         <p><span class="warning">{% trans "Note" %}</span>: {% blocktrans %}you are already logged in as {{ user }}.{% endblocktrans %}</p>
     {% endif %}
 
-    <p>{% blocktrans %}A new password has been sent to <b>{{ email }}</b>. If you do not receive it within a few minutes, contact us at <a href="mailto:{{ contact_email }}">{{ contact_email }}</a>.{% endblocktrans %}</p>
-
-    {% url acct_login as login_url %}
-    <p>{% blocktrans %}When you receive the new password, you should <a href="{{ login_url }}">log in</a> and change it as soon as possible.{% endblocktrans %}</p>
+    <p>{% blocktrans %}We have sent you an e-mail to <b>{{ email }}</b>. If you do not receive it within a few minutes, contact us at <a href="mailto:{{ contact_email }}">{{ contact_email }}</a>.{% endblocktrans %}</p>
 {% endblock %}

pinax/templates/default/account/password_reset_from_key.html

@@ -7,7 +7,6 @@
 {% block body %}
     <h1>{% trans "Change Password" %}</h1>
 
-
     {{ initial }}
     {% if form %}
         <form method="POST" action="" class="uniForm">

pinax/templates/default/account/password_reset_key_message.txt

@@ -1,12 +1,7 @@
-{% load i18n %}{% blocktrans with user.username as username %}You're receiving this e-mail because you requested a password reset for your user account at Pinax.
+{% load i18n %}{% url acct_passwd_reset_key temp_key as password_reset_url %}{% blocktrans with user.username as username %}You're receiving this e-mail becuase you or someone else has requested a password for your user account at Pinax.
+It can be safely ignored if you did not request a password reset. Click the link below to reset your password.
 
-Your new password reset key is: {{ temp_key }}
-
-You can click on this link to reset your password: 
-
-Your username, in case you've forgotten: {{ username }}
-
-You should log in as soon as possible and change your password.
+http://{{ domain }}{{ password_reset_url }}
 
 Thanks for using our site!
 {% endblocktrans %}