forms: add honeypot field to password reset form (#52883)
This commit is contained in:
parent
7248bea3fe
commit
b429cfd794
|
@ -26,12 +26,13 @@ from django.utils.translation import ugettext_lazy as _
|
|||
from .. import app_settings, hooks, models, utils, validators
|
||||
from ..backends import get_user_queryset
|
||||
from .fields import CheckPasswordField, NewPasswordField, PasswordField, ValidatedEmailField
|
||||
from .honeypot import HoneypotForm
|
||||
from .utils import NextUrlFormMixin
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class PasswordResetForm(forms.Form):
|
||||
class PasswordResetForm(HoneypotForm):
|
||||
next_url = forms.CharField(widget=forms.HiddenInput, required=False)
|
||||
|
||||
email = ValidatedEmailField(label=_("Email"))
|
||||
|
|
|
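Review bot: `class PasswordResetForm(HoneypotForm)` swaps the base class without a word on what the form now carries, and nothing in the visible body shows the hidden field or the `is_robot()` check the view relies on (the call appears in the views hunk further down). A class docstring would spare the next reader a trip to `.honeypot`: `"""Password reset form; inherits a hidden honeypot field so the view can reject bot submissions via is_robot()."""`. The class body continues past the hunk, so whether it overrides `clean()` in a way that interacts with the honeypot base cannot be checked here.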
@ -6,7 +6,11 @@
|
|||
{% endblock %}
|
||||
|
||||
{% block content %}
|
||||
<p><strong>
|
||||
{% if 'robot' in request.GET %}
|
||||
<p><strong>{% trans "Your password reset request has been refused." %}</strong>{% trans "Indeed your browser checked a hidden anti-robot checkbox on the registration form. A browser extension may produce this behaviour, in this case disable such extensions and try again." %}</p>
|
||||
{% else %}
|
||||
<p>
|
||||
<strong>
|
||||
{% blocktrans with email=request.session.reset_email %}
|
||||
If your email address exists in our database, an email has been sent to {{ email }}.
|
||||
{% endblocktrans %}
|
||||
|
@ -30,7 +34,8 @@
|
|||
password reset process.
|
||||
{% endblocktrans %}
|
||||
{% endblock %}
|
||||
</p>
|
||||
</p>
|
||||
{% endif %}
|
||||
{% block back %}
|
||||
<p><a href="{% url 'auth_login' %}">{% trans "Back to login" %}</a></p>
|
||||
{% endblock %}
|
||||
|
|
|
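Review bot: The refusal text in the new `{% if 'robot' in request.GET %}` branch says the checkbox was on the "registration form", but this template is the password-reset page, so the sentence should read `... a hidden anti-robot checkbox on the password reset form.`. The same line also loses the space between the two translated strings: `</strong>{% trans "Indeed ...` renders as "refused.Indeed", whereas the registration template's original blocktrans had `</strong> Indeed`; write `</strong> {% trans "Indeed ...` here and in the registration template hunk below, which introduces the same regression. Note also that the message is selected purely by the `robot` query parameter, so it is informational rather than a state the server remembers.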
@ -7,7 +7,7 @@
|
|||
|
||||
{% block content %}
|
||||
{% if 'robot' in request.GET %}
|
||||
<p>{% blocktrans %}<strong>Your registration request has been refused.</strong> Indeed your browser checked a hidden anti-robot checkbox on the registration form. A browser extension may produce this behaviour, in this case disable such extensions and try again.{% endblocktrans %}</p>
|
||||
<p><strong>{% trans "Your registration request has been refused." %}</strong>{% trans "Indeed your browser checked a hidden anti-robot checkbox on the registration form. A browser extension may produce this behaviour, in this case disable such extensions and try again." %}</p>
|
||||
{% else %}
|
||||
{% block instructions %}
|
||||
<p><strong>
|
||||
|
|
|
@ -667,6 +667,14 @@ class PasswordResetView(FormView):
|
|||
return ctx
|
||||
|
||||
def form_valid(self, form):
|
||||
if form.is_robot():
|
||||
return utils.redirect(
|
||||
self.request,
|
||||
self.get_success_url(),
|
||||
params={
|
||||
'robot': 'on',
|
||||
},
|
||||
)
|
||||
email = form.cleaned_data.get('email') or form.cleaned_data.get('email_or_username')
|
||||
|
||||
# if an email has already been sent, warn once before allowing resend
|
||||
|
|
|
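Review bot: The new `if form.is_robot()` branch redirects silently, so a tripped honeypot on the password reset endpoint leaves no trace for operators, which is the one signal this check could cheaply provide. If this module has a logger (the hunk does not show one), a single line before the redirect, `logger.warning('password reset request refused by honeypot')`, would make the event visible for monitoring without recording the submitted address. A short comment on the branch would also help: `# honeypot tripped: do not send mail, show the refusal page instead`. `form_valid` continues beyond the hunk, so the email-sending path it guards is not visible here.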
@ -182,3 +182,21 @@ def test_email_validation(app, db):
|
|||
resp.form.set('email', 'coin@')
|
||||
resp = resp.form.submit()
|
||||
assert 'Enter a valid email address.' in resp
|
||||
|
||||
|
||||
def test_honeypot(app, db, settings, mailoutbox):
|
||||
settings.DEFAULT_FROM_EMAIL = 'show only addr <noreply@example.net>'
|
||||
|
||||
url = reverse('password_reset')
|
||||
response = app.get(url, status=200)
|
||||
response = app.post(
|
||||
url,
|
||||
params={
|
||||
'email': 'testbot@entrouvert.com',
|
||||
'csrfmiddlewaretoken': response.context['csrf_token'],
|
||||
'robotcheck': 'a',
|
||||
},
|
||||
)
|
||||
response = response.follow()
|
||||
assert len(mailoutbox) == 0
|
||||
assert 'Your password reset request has been refused' in response
|
||||
|
|
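Review bot: `test_honeypot` asserts that nothing is mailed when `robotcheck` is filled, but never shows that the same request without the honeypot field does send mail, so a regression that disables reset mail entirely would still pass this test. A control post in the same test closes that gap. The `settings.DEFAULT_FROM_EMAIL` assignment on the first line is also unused here, since no mail is sent, and looks carried over from a neighbouring test; either drop it or let the control post make use of it.

```python
    # … unchanged: honeypot-tripping post and its assertions …
    # control: the same post without the honeypot field must still send the mail
    response = app.get(url, status=200)
    response = app.post(
        url,
        params={
            'email': 'testbot@entrouvert.com',
            'csrfmiddlewaretoken': response.context['csrf_token'],
        },
    )
    assert len(mailoutbox) == 1
```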