secure email_change view

2013-12-16 13:30:54 +01:00 · 2013-12-16 13:30:54 +01:00 · 01fcbaf67e
parent f6651ba004
commit 01fcbaf67e
2 changed files with 23 additions and 1 deletions
--- a/authentic2/forms.py
+++ b/authentic2/forms.py
@ -37,4 +37,19 @@ class UserProfileForm(forms.ModelForm):
                    and field_name != 'email' ]

 class EmailChangeForm(forms.Form):
+    password = forms.CharField(label=_("Password"),
+                               widget=forms.PasswordInput)
    email = forms.EmailField(label=_('New email'))
+
+    def __init__(self, user, *args, **kwargs):
+        self.user = user
+        super(EmailChangeForm, self).__init__(*args, **kwargs)
+
+    def clean_password(self):
+        password = self.cleaned_data["password"]
+        if not self.user.check_password(password):
+            raise forms.ValidationError(
+                _('Incorrect password.'),
+                code='password_incorrect',
+            )
+        return password
--- a/authentic2/views.py
+++ b/authentic2/views.py
@ -131,6 +131,13 @@ class EmailChangeView(FormView):
    body_template = 'profiles/email_change_body.txt'
    success_url = '../..'

+    def get_form_kwargs(self):
+        kwargs = super(EmailChangeView, self).get_form_kwargs()
+        kwargs.update({
+            'user': self.request.user,
+        })
+        return kwargs
+
    def form_valid(self, form):
        email = form.cleaned_data['email']
        site = get_current_site(self.request)
@ -160,7 +167,7 @@ class EmailChangeView(FormView):
                  'link contained inside.'))
        return super(EmailChangeView, self).form_valid(form)

-email_change = EmailChangeView.as_view()
+email_change = prevent_access_to_transient_users(EmailChangeView.as_view())

 class EmailChangeVerifyView(TemplateView):
    def get(self, request, *args, **kwargs):