

Viewing changes to django/contrib/auth/views.py

  • Committer: Bazaar Package Importer
  • Author(s): Chris Lamb
  • Date: 2010-05-21 07:52:55 UTC
  • mfrom: (1.3.6 upstream)
  • mto: This revision was merged to the branch mainline in revision 28.
  • Revision ID: james.westby@ubuntu.com-20100521075255-ii78v1dyfmyu3uzx
Tags: upstream-1.2
Import upstream version 1.2

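--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -1,9 +1,13 @@
+import re
 from django.conf import settings
 from django.contrib.auth import REDIRECT_FIELD_NAME
+# Avoid shadowing the login() view below.
+from django.contrib.auth import login as auth_login
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.forms import AuthenticationForm
 from django.contrib.auth.forms import PasswordResetForm, SetPasswordForm, PasswordChangeForm
 from django.contrib.auth.tokens import default_token_generator
+from django.views.decorators.csrf import csrf_protect
 from django.core.urlresolvers import reverse
 from django.shortcuts import render_to_response, get_object_or_404
 from django.contrib.sites.models import Site, RequestSite
@@ -14,34 +18,53 @@
 from django.contrib.auth.models import User
 from django.views.decorators.cache import never_cache
 
-def login(request, template_name='registration/login.html', redirect_field_name=REDIRECT_FIELD_NAME):
-    "Displays the login form and handles the login action."
+@csrf_protect
+@never_cache
+def login(request, template_name='registration/login.html',
+          redirect_field_name=REDIRECT_FIELD_NAME,
+          authentication_form=AuthenticationForm):
+    """Displays the login form and handles the login action."""
+
     redirect_to = request.REQUEST.get(redirect_field_name, '')
+    
     if request.method == "POST":
-        form = AuthenticationForm(data=request.POST)
+        form = authentication_form(data=request.POST)
         if form.is_valid():
             # Light security check -- make sure redirect_to isn't garbage.
-            if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
+            if not redirect_to or ' ' in redirect_to:
                 redirect_to = settings.LOGIN_REDIRECT_URL
-            from django.contrib.auth import login
-            login(request, form.get_user())
+            
+            # Heavier security check -- redirects to http://example.com should 
+            # not be allowed, but things like /view/?param=http://example.com 
+            # should be allowed. This regex checks if there is a '//' *before* a
+            # question mark.
+            elif '//' in redirect_to and re.match(r'[^\?]*//', redirect_to):
+                    redirect_to = settings.LOGIN_REDIRECT_URL
+            
+            # Okay, security checks complete. Log the user in.
+            auth_login(request, form.get_user())
+
             if request.session.test_cookie_worked():
                 request.session.delete_test_cookie()
+
             return HttpResponseRedirect(redirect_to)
+
     else:
-        form = AuthenticationForm(request)
+        form = authentication_form(request)
+    
     request.session.set_test_cookie()
+    
     if Site._meta.installed:
         current_site = Site.objects.get_current()
     else:
         current_site = RequestSite(request)
+    
     return render_to_response(template_name, {
         'form': form,
         redirect_field_name: redirect_to,
         'site': current_site,
         'site_name': current_site.name,
     }, context_instance=RequestContext(request))
-login = never_cache(login)
 
 def logout(request, next_page=None, template_name='registration/logged_out.html', redirect_field_name=REDIRECT_FIELD_NAME):
     "Logs out the user and displays 'You are logged out' message."
@@ -78,6 +101,7 @@
 #   prompts for a new password
 # - password_reset_complete shows a success message for the above
 
+@csrf_protect
 def password_reset(request, is_admin_site=False, template_name='registration/password_reset_form.html',
         email_template_name='registration/password_reset_email.html',
         password_reset_form=PasswordResetForm, token_generator=default_token_generator,
@@ -107,6 +131,7 @@
 def password_reset_done(request, template_name='registration/password_reset_done.html'):
     return render_to_response(template_name, context_instance=RequestContext(request))
 
+# Doesn't need csrf_protect since no-one can guess the URL
 def password_reset_confirm(request, uidb36=None, token=None, template_name='registration/password_reset_confirm.html',
                            token_generator=default_token_generator, set_password_form=SetPasswordForm,
                            post_reset_redirect=None):
@@ -137,28 +162,29 @@
     else:
         context_instance['validlink'] = False
         form = None
-    context_instance['form'] = form    
+    context_instance['form'] = form
     return render_to_response(template_name, context_instance=context_instance)
 
 def password_reset_complete(request, template_name='registration/password_reset_complete.html'):
     return render_to_response(template_name, context_instance=RequestContext(request,
                                                                              {'login_url': settings.LOGIN_URL}))
 
+@csrf_protect
+@login_required
 def password_change(request, template_name='registration/password_change_form.html',
-                    post_change_redirect=None):
+                    post_change_redirect=None, password_change_form=PasswordChangeForm):
     if post_change_redirect is None:
         post_change_redirect = reverse('django.contrib.auth.views.password_change_done')
     if request.method == "POST":
-        form = PasswordChangeForm(request.user, request.POST)
+        form = password_change_form(user=request.user, data=request.POST)
         if form.is_valid():
             form.save()
             return HttpResponseRedirect(post_change_redirect)
     else:
-        form = PasswordChangeForm(request.user)
+        form = password_change_form(user=request.user)
     return render_to_response(template_name, {
         'form': form,
     }, context_instance=RequestContext(request))
-password_change = login_required(password_change)
 
 def password_change_done(request, template_name='registration/password_change_done.html'):
     return render_to_response(template_name, context_instance=RequestContext(request))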
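Review bot: The redirect check added to login() (new lines 34–42, the `if not redirect_to or ' ' in redirect_to` / `elif '//' in redirect_to and re.match(r'[^\?]*//', redirect_to)` pair) is a denylist that only rejects a literal space or a `//` appearing before a `?`, so a `redirect_to` value that a browser resolves to another host by some other spelling (a backslash variant, or an embedded tab or newline instead of a space) still reaches `HttpResponseRedirect`. An allow-list on the parsed host is the safer shape and makes the `re` import and regex unnecessary: add `from urlparse import urlparse` to the imports, keep the first `if` as is, and replace the `elif` with `elif urlparse(redirect_to)[1] not in ('', request.get_host()):` followed by `redirect_to = settings.LOGIN_REDIRECT_URL`. Because the value comes from `request.REQUEST` it can be supplied through either the query string or the POST body, which is worth stating in the docstring so the parameter is understood as untrusted. The comment added above password_reset_confirm in the fourth hunk, `# Doesn't need csrf_protect since no-one can guess the URL`, would read more accurately as `# Not csrf_protect-ed: the per-user token in the URL is the protection here`, so a later edit that weakens the token check also revisits this decision.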