Ticket #6083: 03-newforms-auth.diff

django/contrib/auth/newforms.py

@@ +1 @@
+import base64, md5
+import cPickle as pickle
+
+from django.conf import settings
+from django.contrib.auth import authenticate
+from django.contrib.auth.models import User
+from django.contrib.sites.models import Site
+from django import newforms as forms
+from django.template import Context, loader
+from django.utils.translation import ugettext as _
+
+class UserCreationForm(forms.ModelForm):
+    "A form that creates a user, with no privileges, from the given username and password."
+    # TODO: Model level validation should simplify this form.
+    username = forms.RegexField(label=_('Username'), max_length=30, regex=r'^\w+$',
+        error_message=_("This value must contain only letters, numbers and underscores."))
+    password = forms.CharField(label=_('Password'), max_length=60, widget=forms.PasswordInput)
+    password2 = forms.CharField(label=_('Password confirmation'), max_length=60, widget=forms.PasswordInput)
+
+    class Meta:
+        model = User
+        fields = 'username', 'password', 'password2',
+
+    def clean_username(self):
+        username = self.cleaned_data.get('username')
+        if username:
+            if User.objects.filter(username=username):
+                raise forms.ValidationError(_("A user with that username already exists."))
+        return username
+
+    def clean_password2(self):
+        password = self.cleaned_data.get('password')
+        password2 = self.cleaned_data.get('password2')
+        if password and password2:
+            if password != password2:
+                raise forms.ValidationError(_("The two password fields didn't match."))
+        return password2
+
+    def save(self, commit=True):
+        user = super(UserCreationForm, self).save(commit=False)
+        user.set_password(self.cleaned_data['password'])
+        if commit:
+            user.save()
+        return user
+
+class AuthenticationForm(forms.Form):
+    """
+    Base class for authenticating users.
+    """
+    username = forms.CharField(max_length=30)
+    password = forms.CharField(widget=forms.PasswordInput, max_length=30)
+
+    def __init__(self, request=None, *args, **kwargs):
+        self.request = request
+        self.user_cache = None
+        if self.request:
+            self.request.session.set_test_cookie()
+        super(AuthenticationForm, self).__init__(*args, **kwargs)
+
+    def clean(self):
+        username = self.cleaned_data.get('username')
+        password = self.cleaned_data.get('password')
+        if username and password:
+            self.user_cache = authenticate(username=username, password=password)
+            if self.user_cache is None:
+                raise forms.ValidationError(_("Please enter a correct username and password. Note that both fields are case-sensitive."))
+            if not self.user_cache.is_active:
+                raise forms.ValidationError(_("This account is inactive."))
+        if self.request:
+            if not self.request.session.test_cookie_worked():
+                raise forms.ValidationError(_("Your Web browser doesn't appear to have cookies enabled. Cookies are required for logging in."))
+            self.request.session.delete_test_cookie()
+        return self.cleaned_data
+
+    def get_user_id(self):
+        if self.user_cache:
+            return self.user_cache.id
+        else:
+            return None
+
+    def get_user(self):
+        return self.user_cache
+
+class RedirectionAuthenticationForm(AuthenticationForm):
+    """
+    Authentication form with field for redirection url.
+    """
+    redirect_to = forms.CharField(required=False, widget=forms.HiddenInput)
+
+    def initial_redirect_to(request, redirect_field_name):
+        return request.REQUEST.get(redirect_field_name)
+    initial_redirect_to = staticmethod(initial_redirect_to)
+
+    def clean_redirect_to(self):
+        redirect_to = self.cleaned_data.get('redirect_to')
+        # Light security check -- make sure redirect_to isn't garbage.
+        if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
+            return settings.LOGIN_REDIRECT_URL
+        else:
+            return redirect_to
+
+class PostDataAuthenticationForm(AuthenticationForm):
+    """
+    Authentication form with field for post data.
+    """
+    post_data = forms.CharField(required=False, widget=forms.HiddenInput)
+    LOGIN_FORM_KEY = forms.CharField(required=False, widget=forms.HiddenInput)
+
+    def initial_post_data(request):
+        pickled = pickle.dumps(request.POST)
+        pickled_md5 = md5.new(pickled + settings.SECRET_KEY).hexdigest()
+        return base64.encodestring(pickled + pickled_md5)
+    initial_post_data = staticmethod(initial_post_data)
+
+    def clean_post_data(self):
+        post_data = self.cleaned_data.get('post_data')
+        if post_data:
+            encoded_data = base64.decodestring(post_data)
+            pickled, pickled_md5 = encoded_data[:-32], encoded_data[-32:]
+            if md5.new(pickled + settings.SECRET_KEY).hexdigest() != pickled_md5:
+                # User may have tampered with session cookie.
+                return None
+            return pickle.loads(pickled)
+        else:
+            return None
+
+class PasswordChangeForm(forms.Form):
+    "A form that lets a user change his password."
+    old_password = forms.CharField(widget=forms.PasswordInput, max_length=30)
+    new_password = forms.CharField(widget=forms.PasswordInput, max_length=30)
+    new_password2 = forms.CharField(widget=forms.PasswordInput, max_length=30)
+
+    def __init__(self, user, *args, **kwargs):
+        self.user = user
+        super(PasswordChangeForm, self).__init__(*args, **kwargs)
+
+    def clean_old_password(self):
+        old_password = self.cleaned_data.get('old_password')
+        if old_password:
+            if not self.user.check_password(old_password):
+                raise forms.ValidationError(_("Your old password was entered incorrectly. Please enter it again."))
+        return old_password
+
+    def clean_password2(self):
+        new_password = self.cleaned_data.get('new_password')
+        new_password2 = self.cleaned_data.get('new_password2')
+        if new_password and new_password2:
+            if new_password != new_password2:
+                raise forms.ValidationError(_("The two 'new password' fields didn't match."))
+        return new_password2
+
+    def save(self, commit=True):
+        self.user.set_password(self.cleaned_data['new_password'])
+        if commit:
+            return self.user.save()
+        return self.user
+
+class PasswordResetForm(forms.Form):
+    "A form that lets a user request a password reset"
+    email = forms.EmailField()
+
+    def clean_email(self):
+        "Validates that a user exists with the given e-mail address"
+        email = self.cleaned_data.get('email')
+        if email:
+            self.users_cache = User.objects.filter(email__iexact=email)
+            if len(self.users_cache) == 0:
+                raise forms.ValidationError(_("That e-mail address doesn't have an associated user account. Are you sure you've registered?"))
+
+    def save(self, email_template_name='registration/password_reset_email.html', domain_override=None):
+        "Calculates a new password randomly and sends it to the user"
+        from django.core.mail import send_mail
+        for user in self.users_cache:
+            new_pass = User.objects.make_random_password()
+            user.set_password(new_pass)
+            user.save()
+            if not domain_override:
+                current_site = Site.objects.get_current()
+                site_name = current_site.name
+                domain = current_site.domain
+            else:
+                site_name = domain = domain_override
+            t = loader.get_template(email_template_name)
+            c = {
+                'new_password': new_pass,
+                'email': user.email,
+                'domain': domain,
+                'site_name': site_name,
+                'user': user,
+            }
+            send_mail(_('Password reset on %s') % site_name, t.render(Context(c)), None, [user.email])

django/contrib/auth/newviews.py

@@ +1 @@
+from django.contrib.auth import REDIRECT_FIELD_NAME
+from django.contrib.auth.newforms import RedirectionAuthenticationForm
+from django.contrib.auth.newforms import PostDataAuthenticationForm
+from django.contrib.auth.newforms import PasswordChangeForm
+from django.contrib.auth.newforms import PasswordResetForm
+from django.http import HttpResponseRedirect
+from django.shortcuts import render_to_response
+from django.template import RequestContext
+
+def _get_context(request, extra_context=None, **kwargs):
+    context = RequestContext(request)
+    context.update(kwargs)
+    if extra_context:
+        context.update(extra_context)
+    return context
+
+def login(request, template_name='registration/login.html', redirect_field_name=REDIRECT_FIELD_NAME, extra_context=None):
+    "Displays the login form and handles the login action."
+    if request.method == 'POST':
+        form = RedirectionAuthenticationForm(request, request.POST)
+        if form.is_valid():
+            from django.contrib.auth import login
+            login(request, form.get_user())
+            return HttpResponseRedirect(form.cleaned_data['redirect_to'])
+    else:
+        initial = {'redirect_to': RedirectionAuthenticationForm.initial_redirect_to(request, redirect_field_name)}
+        form = RedirectionAuthenticationForm(request, initial=initial)
+    return render_to_response(template_name, context_instance=_get_context(request, extra_context, form=form))
+
+def login_with_post_data(request, view_func, view_func_args, view_func_kwargs, template_name='registration/login.html', extra_context=None):
+    if request.method == 'POST':
+        if 'LOGIN_FORM_KEY' in request.POST:
+            form = PostDataAuthenticationForm(request, request.POST)
+            if form.is_valid():
+                from django.contrib.auth import login
+                login(request, form.get_user())
+                request.POST = form.cleaned_data['post_data']
+                return view_func(request, *view_func_args, **view_func_kwargs)
+        else:
+            initial = {'post_data': PostDataAuthenticationForm.initial_post_data(request)}
+            form = PostDataAuthenticationForm(request, initial=initial)
+    else:
+        form = PostDataAuthenticationForm(request)
+    return render_to_response(template_name, context_instance=_get_context(request, extra_context, form=form))
+
+def logout(request, template_name='registration/logged_out.html', next_page=None, extra_context=None):
+    "Logs out the user and displays 'You are logged out' message."
+    from django.contrib.auth import logout
+    logout(request)
+    if next_page is None:
+        return render_to_response(template_name, context_instance=_get_context(request, extra_context))
+    else:
+        # Redirect to this page until the session has been cleared.
+        return HttpResponseRedirect(next_page or request.path)
+
+def logout_then_login(request, login_url=None):
+    "Logs out the user if he is logged in. Then redirects to the log-in page."
+    if not login_url:
+        from django.conf import settings
+        login_url = settings.LOGIN_URL
+    return logout(request, next_page=login_url)
+
+def redirect_to_login(next, login_url=None, redirect_field_name=REDIRECT_FIELD_NAME):
+    "Redirects the user to the login page, passing the given 'next' page"
+    if not login_url:
+        from django.conf import settings
+        login_url = settings.LOGIN_URL
+    return HttpResponseRedirect('%s?%s=%s' % (login_url, redirect_field_name, next))
+
+def password_change(request, template_name='registration/password_change_form.html', next_page=None, extra_context=None):
+    if request.method == 'POST':
+        form = PasswordChangeForm(request.user, request.POST)
+        if form.is_valid():
+            form.save()
+            return HttpResponseRedirect(next_page or '%sdone/' % request.path)
+    else:
+        form = PasswordChangeForm(request.user)
+    context = RequestContext(request)
+    return render_to_response(template_name, context_instance=_get_context(request, extra_context, form=form))
+
+def password_change_done(request, template_name='registration/password_change_done.html', extra_context=None):
+    return render_to_response(template_name, context_instance=_get_context(request, extra_context))
+
+def password_reset(request, template_name='registration/password_reset_form.html', next_page=None, extra_context=None,
+        email_template_name='registration/password_reset_email.html', domain_override=None):
+    if request.method == 'POST':
+        form = PasswordResetForm(request.POST)
+        if form.is_valid():
+            form.save(email_template_name=email_template_name, domain_override=domain_override)
+            return HttpResponseRedirect(next_page or '%sdone/' % request.path)
+    else:
+        form = PasswordResetForm()
+    return render_to_response(template_name, context_instance=_get_context(request, extra_context, form=form))
+
+def password_reset_done(request, template_name='registration/password_reset_done.html', extra_context=None):
+    return render_to_response(template_name, context_instance=_get_context(request, extra_context))

django/contrib/auth/decorators.py

@@ -2 +2 @@
-from django.http import HttpResponseRedirect
-from django.utils.http import urlquote
-
-
+
+
-    """
-    Decorator for views that checks that the user passes the given test,
-    redirecting to the log-in page if necessary. The test should be a callable
-    that takes the user object and returns True if the user passes.
+    If post data is True, there is no redirection but login funcion is used.
-    """
-    def decorate(view_func):
-
+
+
-    return decorate
-
-
+
+
-    """
-    Decorator for views that checks that the user is logged in, redirecting
-    to the log-in page if necessary.
-    """
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-    """
-    Decorator for views that checks whether a user has a particular permission
-    enabled, redirecting to the log-in page if necessary.
-    """
-
+
+
-
-class _CheckLogin(object):
-    """
@@ -43 +61 @@
-    _CheckLogin object is used as a method decorator, the view function
-    is properly bound to its instance.
-    """
-
+
+
-        if not login_url:
-            from django.conf import settings
-            login_url = settings.LOGIN_URL
+        if not redirect_field_name:
+            redirect_field_name = REDIRECT_FIELD_NAME
+        if not login_func:
+            from django.contrib.auth.newviews import login_with_post_data
+            login_func = login_with_post_data
-        self.view_func = view_func
-        self.test_func = test_func
-        self.login_url = login_url
-        self.redirect_field_name = redirect_field_name
+        self.post_data = post_data
+        self.login_func = login_func
+        self.login_func_kwargs = login_func_kwargs
-        self.__name__ = view_func.__name__
-
+
-    def __get__(self, obj, cls=None):
-        view_func = self.view_func.__get__(obj, cls)
-
-
+
+
+
-    def __call__(self, request, *args, **kwargs):
-        if self.test_func(request.user):
-            return self.view_func(request, *args, **kwargs)
-
-
-
+
+
+
+
+
+
+