forms: add honeypot field to password reset form (#52883)

This commit is contained in:
Benjamin Dauvergne 2021-04-09 08:32:39 +02:00
parent 7248bea3fe
commit b429cfd794
5 changed files with 36 additions and 4 deletions


@ -26,12 +26,13 @@ from django.utils.translation import ugettext_lazy as _
from .. import app_settings, hooks, models, utils, validators
from ..backends import get_user_queryset
from .fields import CheckPasswordField, NewPasswordField, PasswordField, ValidatedEmailField
from .honeypot import HoneypotForm
from .utils import NextUrlFormMixin
logger = logging.getLogger(__name__)
class PasswordResetForm(forms.Form):
class PasswordResetForm(HoneypotForm):
next_url = forms.CharField(widget=forms.HiddenInput, required=False)
email = ValidatedEmailField(label=_("Email"))


@ -6,7 +6,11 @@
{% endblock %}
{% block content %}
<p><strong>
{% if 'robot' in request.GET %}
<p><strong>{% trans "Your password reset request has been refused." %}</strong>{% trans "Indeed your browser checked a hidden anti-robot checkbox on the registration form. A browser extension may produce this behaviour, in this case disable such extensions and try again." %}</p>
{% else %}
<p>
<strong>
{% blocktrans with email=request.session.reset_email %}
If your email address exists in our database, an email has been sent to {{ email }}.
{% endblocktrans %}
@ -30,7 +34,8 @@
password reset process.
{% endblocktrans %}
{% endblock %}
</p>
</p>
{% endif %}
{% block back %}
<p><a href="{% url 'auth_login' %}">{% trans "Back to login" %}</a></p>
{% endblock %}
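Review bot: In the new refused branch, `</strong>{% trans "Indeed your browser ...` leaves no whitespace between the bold sentence and the explanation, so the page renders as "refused.Indeed your browser checked ..."; a space after `</strong>` (or a line break between the two tags) fixes it, and the same applies to the reworked paragraph in the registration template hunk below. The copied text also still says "on the registration form" although this template belongs to the password reset flow; `... checked a hidden anti-robot checkbox on the password reset form ...` would match the page the user actually submitted. Both are wording-only changes inside the translated strings, so existing translations for the registration message will not be reused here in any case.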


@ -7,7 +7,7 @@
{% block content %}
{% if 'robot' in request.GET %}
<p>{% blocktrans %}<strong>Your registration request has been refused.</strong> Indeed your browser checked a hidden anti-robot checkbox on the registration form. A browser extension may produce this behaviour, in this case disable such extensions and try again.{% endblocktrans %}</p>
<p><strong>{% trans "Your registration request has been refused." %}</strong>{% trans "Indeed your browser checked a hidden anti-robot checkbox on the registration form. A browser extension may produce this behaviour, in this case disable such extensions and try again." %}</p>
{% else %}
{% block instructions %}
<p><strong>


@ -667,6 +667,14 @@ class PasswordResetView(FormView):
return ctx
def form_valid(self, form):
if form.is_robot():
return utils.redirect(
self.request,
self.get_success_url(),
params={
'robot': 'on',
},
)
email = form.cleaned_data.get('email') or form.cleaned_data.get('email_or_username')
# if an email has already been sent, warn once before allowing resend
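Review bot: The honeypot branch added at the top of `form_valid` redirects silently and leaves no record of the event, yet a tripped honeypot is exactly the signal operators want to count when looking for automated submissions; logging it before the redirect, e.g. `logger.info('password reset: honeypot field set, request refused')`, would make that visible without changing the response. That presumes this views module has a module-level `logger` like the forms module does (not visible in this hunk). `form.is_robot()` is defined on `HoneypotForm` outside this diff, so I am assuming it only inspects the cleaned honeypot field. `form_valid` continues past the end of the hunk.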


@ -182,3 +182,21 @@ def test_email_validation(app, db):
resp.form.set('email', 'coin@')
resp = resp.form.submit()
assert 'Enter a valid email address.' in resp
def test_honeypot(app, db, settings, mailoutbox):
settings.DEFAULT_FROM_EMAIL = 'show only addr <noreply@example.net>'
url = reverse('password_reset')
response = app.get(url, status=200)
response = app.post(
url,
params={
'email': 'testbot@entrouvert.com',
'csrfmiddlewaretoken': response.context['csrf_token'],
'robotcheck': 'a',
},
)
response = response.follow()
assert len(mailoutbox) == 0
assert 'Your password reset request has been refused' in response
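Review bot: `test_honeypot` checks the outcome only after `response.follow()`, so a failure would surface as a missing sentence in the rendered page rather than at the view that produced it; asserting the redirect itself before following, `assert response.status_code == 302` and `assert 'robot=on' in response.location`, pins the contract the `form_valid` hunk adds and gives a clearer failure. The `len(mailoutbox) == 0` assertion is the important one and is already there.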