From 01fcbaf67e2afa73d752a980392d11c68291e268 Mon Sep 17 00:00:00 2001
From: Thomas NOEL
Date: Mon, 16 Dec 2013 13:30:54 +0100
Subject: [PATCH] secure email_change view

---
 authentic2/forms.py | 15 +++++++++++++++
 authentic2/views.py | 9 ++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/authentic2/forms.py b/authentic2/forms.py
index e5241053e..10d580cc4 100644
--- a/authentic2/forms.py
+++ b/authentic2/forms.py
@@ -37,4 +37,19 @@ class UserProfileForm(forms.ModelForm):
             and field_name != 'email'
         ]
 
 class EmailChangeForm(forms.Form):
+    password = forms.CharField(label=_("Password"),
+            widget=forms.PasswordInput)
     email = forms.EmailField(label=_('New email'))
+
+    def __init__(self, user, *args, **kwargs):
+        self.user = user
+        super(EmailChangeForm, self).__init__(*args, **kwargs)
+
+    def clean_password(self):
+        password = self.cleaned_data["password"]
+        if not self.user.check_password(password):
+            raise forms.ValidationError(
+                _('Incorrect password.'),
+                code='password_incorrect',
+            )
+        return password
diff --git a/authentic2/views.py b/authentic2/views.py
index d6318af66..94714e577 100644
--- a/authentic2/views.py
+++ b/authentic2/views.py
@@ -131,6 +131,13 @@ class EmailChangeView(FormView):
     body_template = 'profiles/email_change_body.txt'
     success_url = '../..'
 
+    def get_form_kwargs(self):
+        kwargs = super(EmailChangeView, self).get_form_kwargs()
+        kwargs.update({
+            'user': self.request.user,
+        })
+        return kwargs
+
     def form_valid(self, form):
         email = form.cleaned_data['email']
         site = get_current_site(self.request)
@@ -160,7 +167,7 @@ class EmailChangeView(FormView):
                        'link contained inside.'))
         return super(EmailChangeView, self).form_valid(form)
 
-email_change = EmailChangeView.as_view()
+email_change = prevent_access_to_transient_users(EmailChangeView.as_view())
 
 class EmailChangeVerifyView(TemplateView):
     def get(self, request, *args, **kwargs):
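Review bot: `clean_password` in EmailChangeForm turns the email-change form into an unthrottled oracle for the current user's password: every submission calls `self.user.check_password(password)` and answers with `'Incorrect password.'`, with no attempt counter, delay or log line, so someone holding a hijacked session — the very case this re-authentication step is meant to defend against — can guess the password at full speed from this form. Log failed attempts with the user id and put this form behind the same throttling the login view uses (not visible in this patch), or at least refuse further tries after a bounded number of failures. The method also lacks a docstring; `"""Re-authenticate: reject the change unless the current password verifies."""` would explain why a password field sits on an email form. Note that `check_password` only succeeds for accounts with a usable password, so accounts created through federation without one will always get `'Incorrect password.'` here — presumably intended, but worth confirming against `has_usable_password()`.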
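Review bot: `get_form_kwargs` hands `self.request.user` to the form unconditionally, and the form's `clean_password` then calls `check_password` on it; for an unauthenticated request Django's `AnonymousUser.check_password` raises `NotImplementedError`, which would surface as a server error instead of a redirect to login. Unless the view is already dispatched behind a login check elsewhere (nothing in this hunk shows one), guard it explicitly, e.g. decorate `dispatch` with `method_decorator(login_required)`. A one-line docstring, `"""Pass the requesting user so the form can verify the current password."""`, would make the coupling to EmailChangeForm explicit; `kwargs['user'] = self.request.user` also reads simpler than `update` with a one-key dict. `form_valid` continues past the end of the hunk.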
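Review bot: The module-level wrapping with `prevent_access_to_transient_users` is the only access control this commit adds to the view, and neither its definition nor an import for it appears in the patch, so it cannot be confirmed here that it also turns away anonymous sessions — which the view now requires, since `EmailChangeForm.clean_password` calls `check_password` on `request.user`. If the decorator only filters transient accounts, stack the standard guard as well: `email_change = login_required(prevent_access_to_transient_users(EmailChangeView.as_view()))`, importing `login_required` from `django.contrib.auth.decorators` if the module does not already. A short comment above the assignment saying what a "transient" user is and why such users may not change their address would help the next reader. `EmailChangeVerifyView`, whose header closes the hunk, continues beyond it.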