author | Alexander Sulfrian <alexander@sulfrian.net> | 2016-01-24 16:45:57 +0100 |
---|---|---|
committer | Alexander Sulfrian <alexander@sulfrian.net> | 2016-02-02 04:22:16 +0100 |
commit | ff2536dcdd308750bbc14242a27f555211c00a78 (patch) | |
tree | cf12d45bad58054750479b278686cc20dbeee66b /accounts/views | |
parent | 152bc7c3155ad3bb44bb3d9b14f8ad1854f09961 (diff) | |
Use URLSafeTimedSerializer for confirmation token
Diffstat (limited to 'accounts/views')
-rw-r--r-- | accounts/views/default/__init__.py | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/accounts/views/default/__init__.py b/accounts/views/default/__init__.py
index 0074cd9..64c855f 100644
--- a/accounts/views/default/__init__.py
+++ b/accounts/views/default/__init__.py
@@ -8,6 +8,7 @@ from flask import current_app, redirect, request, g, flash, url_for
 from accounts.forms import LoginForm, RegisterForm, RegisterCompleteForm, \
 LostPasswordForm, SettingsForm
 from accounts.utils import *
+from accounts.utils.confirmation import Confirmation
 from accounts.models import Account
@@ -53,7 +54,7 @@ def register():
 @logout_required
 def register_complete(token):
 #TODO: check for double uids and mail
- username, mail = http_verify_confirmation('register', token.encode('ascii'), timeout=3*24*60*60)
+ username, mail = Confirmation('register').loads_http(token, max_age=3*24*60*60)
 try:
 current_app.user_backend.get_by_uid(username)
@@ -102,7 +103,7 @@ def lost_password():
 if form.validate_on_submit():
 #TODO: make the link only usable once (e.g include a hash of the old pw)
 # atm the only thing we do is make the link valid for only little time
- confirm_token = make_confirmation('lost_password', (form.user.uid,))
+ confirm_token = Confirmation('lost_password').dumps(form.user.uid)
 confirm_link = url_for('.lost_password_complete', token=confirm_token, _external=True)
 body = render_template('mail/lost_password.txt',
 username=form.user.uid,
@@ -124,7 +125,7 @@ def lost_password():
 @templated('lost_password_complete.html')
 @logout_required
 def lost_password_complete(token):
- username, = http_verify_confirmation('lost_password', token.encode('ascii'), timeout=4*60*60)
+ username = Confirmation('lost_password').loads_http(token, max_age=4*60*60)
 form = RegisterCompleteForm(request.form)
 if form.validate_on_submit():
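Review bot: The producer of the 'register' token is not in this diff — the diffstat for accounts/views accounts for exactly the six added lines visible here, so whatever still issues that token (register()'s body lies outside these hunks) must have been switched to `Confirmation('register').dumps((username, mail))` elsewhere in the commit, or register_complete will now reject every signup link; worth confirming before merge. The three names 'register', 'lost_password' and 'change_mail' should each reach the serializer as its salt so a token minted for one flow cannot be presented to another — presumably that is what Confirmation(name) does, but it is not visible from this file. Changing the token format also invalidates confirmation links already mailed out before deployment, which the commit message could state. The repeated `max_age=3*24*60*60` in register_complete and change_mail (the latter in the next hunk) and `max_age=4*60*60` in lost_password_complete would read better as module constants, e.g. `REGISTER_TOKEN_MAX_AGE = 3 * 24 * 60 * 60`.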
@@ -162,7 +163,7 @@ def settings():
 elif request.form.get('submit_main'):
 if form.mail.data and form.mail.data != g.user.attributes['mail']:
- confirm_token = make_confirmation('change_mail', (g.user.uid, form.mail.data))
+ confirm_token = Confirmation('change_mail').dumps((g.user.uid, form.mail.data))
 confirm_link = url_for('.change_mail', token=confirm_token, _external=True)
 body = render_template('mail/change_mail.txt',
 username=g.user.uid,
@@ -210,7 +211,7 @@ def settings():
 @bp.route('/settings/change_mail/<token>')
 @login_required
 def change_mail(token):
- username, mail = http_verify_confirmation('change_mail', token.encode('ascii'), timeout=3*24*60*60)
+ username, mail = Confirmation('change_mail').loads_http(token, max_age=3*24*60*60)
 if g.user.uid != username:
 raise Forbidden(u'Bitte logge dich als der Benutzer ein, dessen E-Mail-Adresse du ändern willst.') |