From 351fa11f182c12ae8db6c7141424b27bda77ba9d Mon Sep 17 00:00:00 2001 From: Nico von Geyso Date: Sat, 29 Sep 2012 13:50:09 +0200 Subject: use post instead of get for service password reset --- app.py | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) (limited to 'app.py') diff --git a/app.py b/app.py index 855aa37..56731a4 100644 --- a/app.py +++ b/app.py @@ -18,6 +18,7 @@ if 'SPLINE_ACCOUNT_WEB_SETTINGS' in os.environ: app.all_services = account.SERVICES #TODO: take that from our json file or so + @app.before_request def ldap_connect(): g.ldap = account.AccountService(app.config['LDAP_HOST'], app.config['LDAP_BASE_DN'], @@ -181,17 +182,18 @@ def lost_password_complete(token): @templated('settings.html') @login_required def settings(): - s = request.args.get('delete_service_password', None) - if request.method == 'GET' and s: - for service in [x for x in app.all_services if x.name == s]: - g.user.reset_password(service.id) - g.ldap.update(g.user, as_admin=True) #XXX: as_admin wieder wegmachen sobald ACLs richtig gesetzt sind - form = SettingsForm(request.form, mail=g.user.mail) if request.method == 'POST' and form.validate(): changed = False - if request.form.get('submit_main'): + if request.form.get('submit_services'): + for service in app.all_services: + field = form.get_servicedelete(service.id) + if(field.data): + g.user.reset_password(service.id) + changed = True + + elif request.form.get('submit_main'): if form.mail.data and form.mail.data != g.user.mail: confirm_token = make_confirmation('change_mail', (g.user.uid, form.mail.data)) confirm_link = url_for('change_mail', token=confirm_token, _external=True) 
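Review bot: The new `submit_services` branch resets service passwords on any POST that passes `form.validate()`, and nothing visible in this hunk shows that validation includes a CSRF token. Moving the action off GET stops a plain link from triggering the reset, but a cross-site form post would still reach `g.user.reset_password(service.id)` if `SettingsForm` is a plain form class; its definition is outside the hunk, so please confirm it derives from a CSRF-enabled base and that the template renders the token. A comment above the branch such as `# state-changing: depends on the CSRF check in SettingsForm.validate()` would record that dependency. Separately, `form.get_servicedelete(service.id)` is dereferenced unguarded, so if it can return None the line `if(field.data):` raises; `if field is not None and field.data:` covers that and drops the stray parentheses. settings() continues past the end of the hunk.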
@@ -220,11 +222,11 @@ def settings(): changed = True g.user.change_password(field.data, None, service.id) - if changed: - g.ldap.update(g.user, as_admin=True) #XXX: as_admin wieder wegmachen sobald ACLs richtig gesetzt sind - return redirect(url_for('settings')) - else: - flash(u'Nichts geändert.') + if changed: + g.ldap.update(g.user, as_admin=True) #XXX: as_admin wieder wegmachen sobald ACLs richtig gesetzt sind + return redirect(url_for('settings')) + else: + flash(u'Nichts geändert.') services = deepcopy(app.all_services) -- cgit v1.2.3-1-g7c22
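Review bot: The LDAP write that this hunk appears to share between both submit branches still runs as `g.ldap.update(g.user, as_admin=True)`, so every user-triggered settings change is presumably written with admin rights and only the view's own logic limits what reaches the directory. The only marker is the German XXX comment; I would make it an English, trackable TODO, e.g. `# TODO: drop as_admin once LDAP ACLs let users update their own entry`. The change here is indentation only and cannot be checked from this collapsed text, so please confirm the block still sits inside the `request.method == 'POST' and form.validate()` branch, where `changed` is defined. settings() begins and ends outside the hunk.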