395 lines
14 KiB
Python
395 lines
14 KiB
Python
import warnings
|
|
from urllib.parse import urlparse, urlunparse
|
|
|
|
from django.conf import settings
|
|
|
|
# Avoid shadowing the login() and logout() views below.
|
|
from django.contrib.auth import REDIRECT_FIELD_NAME, get_user_model
|
|
from django.contrib.auth import login as auth_login
|
|
from django.contrib.auth import logout as auth_logout
|
|
from django.contrib.auth import update_session_auth_hash
|
|
from django.contrib.auth.decorators import login_required
|
|
from django.contrib.auth.forms import (
|
|
AuthenticationForm,
|
|
PasswordChangeForm,
|
|
PasswordResetForm,
|
|
SetPasswordForm,
|
|
)
|
|
from django.contrib.auth.tokens import default_token_generator
|
|
from django.contrib.sites.shortcuts import get_current_site
|
|
from django.core.exceptions import ImproperlyConfigured, ValidationError
|
|
from django.http import HttpResponseRedirect, QueryDict
|
|
from django.shortcuts import resolve_url
|
|
from django.urls import reverse_lazy
|
|
from django.utils.decorators import method_decorator
|
|
from django.utils.deprecation import RemovedInDjango50Warning
|
|
from django.utils.http import url_has_allowed_host_and_scheme, urlsafe_base64_decode
|
|
from django.utils.translation import gettext_lazy as _
|
|
from django.views.decorators.cache import never_cache
|
|
from django.views.decorators.csrf import csrf_protect
|
|
from django.views.decorators.debug import sensitive_post_parameters
|
|
from django.views.generic.base import TemplateView
|
|
from django.views.generic.edit import FormView
|
|
|
|
UserModel = get_user_model()
|
|
|
|
|
|
class RedirectURLMixin:
|
|
next_page = None
|
|
redirect_field_name = REDIRECT_FIELD_NAME
|
|
success_url_allowed_hosts = set()
|
|
|
|
def get_success_url(self):
|
|
return self.get_redirect_url() or self.get_default_redirect_url()
|
|
|
|
def get_redirect_url(self):
|
|
"""Return the user-originating redirect URL if it's safe."""
|
|
redirect_to = self.request.POST.get(
|
|
self.redirect_field_name, self.request.GET.get(self.redirect_field_name)
|
|
)
|
|
url_is_safe = url_has_allowed_host_and_scheme(
|
|
url=redirect_to,
|
|
allowed_hosts=self.get_success_url_allowed_hosts(),
|
|
require_https=self.request.is_secure(),
|
|
)
|
|
return redirect_to if url_is_safe else ""
|
|
|
|
def get_success_url_allowed_hosts(self):
|
|
return {self.request.get_host(), *self.success_url_allowed_hosts}
|
|
|
|
def get_default_redirect_url(self):
|
|
"""Return the default redirect URL."""
|
|
if self.next_page:
|
|
return resolve_url(self.next_page)
|
|
raise ImproperlyConfigured("No URL to redirect to. Provide a next_page.")
|
|
|
|
|
|
class LoginView(RedirectURLMixin, FormView):
|
|
"""
|
|
Display the login form and handle the login action.
|
|
"""
|
|
|
|
form_class = AuthenticationForm
|
|
authentication_form = None
|
|
template_name = "registration/login.html"
|
|
redirect_authenticated_user = False
|
|
extra_context = None
|
|
|
|
@method_decorator(sensitive_post_parameters())
|
|
@method_decorator(csrf_protect)
|
|
@method_decorator(never_cache)
|
|
def dispatch(self, request, *args, **kwargs):
|
|
if self.redirect_authenticated_user and self.request.user.is_authenticated:
|
|
redirect_to = self.get_success_url()
|
|
if redirect_to == self.request.path:
|
|
raise ValueError(
|
|
"Redirection loop for authenticated user detected. Check that "
|
|
"your LOGIN_REDIRECT_URL doesn't point to a login page."
|
|
)
|
|
return HttpResponseRedirect(redirect_to)
|
|
return super().dispatch(request, *args, **kwargs)
|
|
|
|
def get_default_redirect_url(self):
|
|
"""Return the default redirect URL."""
|
|
if self.next_page:
|
|
return resolve_url(self.next_page)
|
|
else:
|
|
return resolve_url(settings.LOGIN_REDIRECT_URL)
|
|
|
|
def get_form_class(self):
|
|
return self.authentication_form or self.form_class
|
|
|
|
def get_form_kwargs(self):
|
|
kwargs = super().get_form_kwargs()
|
|
kwargs["request"] = self.request
|
|
return kwargs
|
|
|
|
def form_valid(self, form):
|
|
"""Security check complete. Log the user in."""
|
|
auth_login(self.request, form.get_user())
|
|
return HttpResponseRedirect(self.get_success_url())
|
|
|
|
def get_context_data(self, **kwargs):
|
|
context = super().get_context_data(**kwargs)
|
|
current_site = get_current_site(self.request)
|
|
context.update(
|
|
{
|
|
self.redirect_field_name: self.get_redirect_url(),
|
|
"site": current_site,
|
|
"site_name": current_site.name,
|
|
**(self.extra_context or {}),
|
|
}
|
|
)
|
|
return context
|
|
|
|
|
|
class LogoutView(RedirectURLMixin, TemplateView):
|
|
"""
|
|
Log out the user and display the 'You are logged out' message.
|
|
"""
|
|
|
|
# RemovedInDjango50Warning: when the deprecation ends, remove "get" and
|
|
# "head" from http_method_names.
|
|
http_method_names = ["get", "head", "post", "options"]
|
|
template_name = "registration/logged_out.html"
|
|
extra_context = None
|
|
|
|
# RemovedInDjango50Warning: when the deprecation ends, move
|
|
# @method_decorator(csrf_protect) from post() to dispatch().
|
|
@method_decorator(never_cache)
|
|
def dispatch(self, request, *args, **kwargs):
|
|
if request.method.lower() == "get":
|
|
warnings.warn(
|
|
"Log out via GET requests is deprecated and will be removed in Django "
|
|
"5.0. Use POST requests for logging out.",
|
|
RemovedInDjango50Warning,
|
|
)
|
|
return super().dispatch(request, *args, **kwargs)
|
|
|
|
@method_decorator(csrf_protect)
|
|
def post(self, request, *args, **kwargs):
|
|
"""Logout may be done via POST."""
|
|
auth_logout(request)
|
|
redirect_to = self.get_success_url()
|
|
if redirect_to != request.get_full_path():
|
|
# Redirect to target page once the session has been cleared.
|
|
return HttpResponseRedirect(redirect_to)
|
|
return super().get(request, *args, **kwargs)
|
|
|
|
# RemovedInDjango50Warning.
|
|
get = post
|
|
|
|
def get_default_redirect_url(self):
|
|
"""Return the default redirect URL."""
|
|
if self.next_page:
|
|
return resolve_url(self.next_page)
|
|
elif settings.LOGOUT_REDIRECT_URL:
|
|
return resolve_url(settings.LOGOUT_REDIRECT_URL)
|
|
else:
|
|
return self.request.path
|
|
|
|
def get_context_data(self, **kwargs):
|
|
context = super().get_context_data(**kwargs)
|
|
current_site = get_current_site(self.request)
|
|
context.update(
|
|
{
|
|
"site": current_site,
|
|
"site_name": current_site.name,
|
|
"title": _("Logged out"),
|
|
"subtitle": None,
|
|
**(self.extra_context or {}),
|
|
}
|
|
)
|
|
return context
|
|
|
|
|
|
def logout_then_login(request, login_url=None):
|
|
"""
|
|
Log out the user if they are logged in. Then redirect to the login page.
|
|
"""
|
|
login_url = resolve_url(login_url or settings.LOGIN_URL)
|
|
return LogoutView.as_view(next_page=login_url)(request)
|
|
|
|
|
|
def redirect_to_login(next, login_url=None, redirect_field_name=REDIRECT_FIELD_NAME):
|
|
"""
|
|
Redirect the user to the login page, passing the given 'next' page.
|
|
"""
|
|
resolved_url = resolve_url(login_url or settings.LOGIN_URL)
|
|
|
|
login_url_parts = list(urlparse(resolved_url))
|
|
if redirect_field_name:
|
|
querystring = QueryDict(login_url_parts[4], mutable=True)
|
|
querystring[redirect_field_name] = next
|
|
login_url_parts[4] = querystring.urlencode(safe="/")
|
|
|
|
return HttpResponseRedirect(urlunparse(login_url_parts))
|
|
|
|
|
|
# Class-based password reset views
|
|
# - PasswordResetView sends the mail
|
|
# - PasswordResetDoneView shows a success message for the above
|
|
# - PasswordResetConfirmView checks the link the user clicked and
|
|
# prompts for a new password
|
|
# - PasswordResetCompleteView shows a success message for the above
|
|
|
|
|
|
class PasswordContextMixin:
|
|
extra_context = None
|
|
|
|
def get_context_data(self, **kwargs):
|
|
context = super().get_context_data(**kwargs)
|
|
context.update(
|
|
{"title": self.title, "subtitle": None, **(self.extra_context or {})}
|
|
)
|
|
return context
|
|
|
|
|
|
class PasswordResetView(PasswordContextMixin, FormView):
|
|
email_template_name = "registration/password_reset_email.html"
|
|
extra_email_context = None
|
|
form_class = PasswordResetForm
|
|
from_email = None
|
|
html_email_template_name = None
|
|
subject_template_name = "registration/password_reset_subject.txt"
|
|
success_url = reverse_lazy("password_reset_done")
|
|
template_name = "registration/password_reset_form.html"
|
|
title = _("Password reset")
|
|
token_generator = default_token_generator
|
|
|
|
@method_decorator(csrf_protect)
|
|
def dispatch(self, *args, **kwargs):
|
|
return super().dispatch(*args, **kwargs)
|
|
|
|
def form_valid(self, form):
|
|
opts = {
|
|
"use_https": self.request.is_secure(),
|
|
"token_generator": self.token_generator,
|
|
"from_email": self.from_email,
|
|
"email_template_name": self.email_template_name,
|
|
"subject_template_name": self.subject_template_name,
|
|
"request": self.request,
|
|
"html_email_template_name": self.html_email_template_name,
|
|
"extra_email_context": self.extra_email_context,
|
|
}
|
|
form.save(**opts)
|
|
return super().form_valid(form)
|
|
|
|
|
|
INTERNAL_RESET_SESSION_TOKEN = "_password_reset_token"
|
|
|
|
|
|
class PasswordResetDoneView(PasswordContextMixin, TemplateView):
|
|
template_name = "registration/password_reset_done.html"
|
|
title = _("Password reset sent")
|
|
|
|
|
|
class PasswordResetConfirmView(PasswordContextMixin, FormView):
|
|
form_class = SetPasswordForm
|
|
post_reset_login = False
|
|
post_reset_login_backend = None
|
|
reset_url_token = "set-password"
|
|
success_url = reverse_lazy("password_reset_complete")
|
|
template_name = "registration/password_reset_confirm.html"
|
|
title = _("Enter new password")
|
|
token_generator = default_token_generator
|
|
|
|
@method_decorator(sensitive_post_parameters())
|
|
@method_decorator(never_cache)
|
|
def dispatch(self, *args, **kwargs):
|
|
if "uidb64" not in kwargs or "token" not in kwargs:
|
|
raise ImproperlyConfigured(
|
|
"The URL path must contain 'uidb64' and 'token' parameters."
|
|
)
|
|
|
|
self.validlink = False
|
|
self.user = self.get_user(kwargs["uidb64"])
|
|
|
|
if self.user is not None:
|
|
token = kwargs["token"]
|
|
if token == self.reset_url_token:
|
|
session_token = self.request.session.get(INTERNAL_RESET_SESSION_TOKEN)
|
|
if self.token_generator.check_token(self.user, session_token):
|
|
# If the token is valid, display the password reset form.
|
|
self.validlink = True
|
|
return super().dispatch(*args, **kwargs)
|
|
else:
|
|
if self.token_generator.check_token(self.user, token):
|
|
# Store the token in the session and redirect to the
|
|
# password reset form at a URL without the token. That
|
|
# avoids the possibility of leaking the token in the
|
|
# HTTP Referer header.
|
|
self.request.session[INTERNAL_RESET_SESSION_TOKEN] = token
|
|
redirect_url = self.request.path.replace(
|
|
token, self.reset_url_token
|
|
)
|
|
return HttpResponseRedirect(redirect_url)
|
|
|
|
# Display the "Password reset unsuccessful" page.
|
|
return self.render_to_response(self.get_context_data())
|
|
|
|
def get_user(self, uidb64):
|
|
try:
|
|
# urlsafe_base64_decode() decodes to bytestring
|
|
uid = urlsafe_base64_decode(uidb64).decode()
|
|
user = UserModel._default_manager.get(pk=uid)
|
|
except (
|
|
TypeError,
|
|
ValueError,
|
|
OverflowError,
|
|
UserModel.DoesNotExist,
|
|
ValidationError,
|
|
):
|
|
user = None
|
|
return user
|
|
|
|
def get_form_kwargs(self):
|
|
kwargs = super().get_form_kwargs()
|
|
kwargs["user"] = self.user
|
|
return kwargs
|
|
|
|
def form_valid(self, form):
|
|
user = form.save()
|
|
del self.request.session[INTERNAL_RESET_SESSION_TOKEN]
|
|
if self.post_reset_login:
|
|
auth_login(self.request, user, self.post_reset_login_backend)
|
|
return super().form_valid(form)
|
|
|
|
def get_context_data(self, **kwargs):
|
|
context = super().get_context_data(**kwargs)
|
|
if self.validlink:
|
|
context["validlink"] = True
|
|
else:
|
|
context.update(
|
|
{
|
|
"form": None,
|
|
"title": _("Password reset unsuccessful"),
|
|
"validlink": False,
|
|
}
|
|
)
|
|
return context
|
|
|
|
|
|
class PasswordResetCompleteView(PasswordContextMixin, TemplateView):
|
|
template_name = "registration/password_reset_complete.html"
|
|
title = _("Password reset complete")
|
|
|
|
def get_context_data(self, **kwargs):
|
|
context = super().get_context_data(**kwargs)
|
|
context["login_url"] = resolve_url(settings.LOGIN_URL)
|
|
return context
|
|
|
|
|
|
class PasswordChangeView(PasswordContextMixin, FormView):
|
|
form_class = PasswordChangeForm
|
|
success_url = reverse_lazy("password_change_done")
|
|
template_name = "registration/password_change_form.html"
|
|
title = _("Password change")
|
|
|
|
@method_decorator(sensitive_post_parameters())
|
|
@method_decorator(csrf_protect)
|
|
@method_decorator(login_required)
|
|
def dispatch(self, *args, **kwargs):
|
|
return super().dispatch(*args, **kwargs)
|
|
|
|
def get_form_kwargs(self):
|
|
kwargs = super().get_form_kwargs()
|
|
kwargs["user"] = self.request.user
|
|
return kwargs
|
|
|
|
def form_valid(self, form):
|
|
form.save()
|
|
# Updating the password logs out all other sessions for the user
|
|
# except the current one.
|
|
update_session_auth_hash(self.request, form.user)
|
|
return super().form_valid(form)
|
|
|
|
|
|
class PasswordChangeDoneView(PasswordContextMixin, TemplateView):
|
|
template_name = "registration/password_change_done.html"
|
|
title = _("Password change successful")
|
|
|
|
@method_decorator(login_required)
|
|
def dispatch(self, *args, **kwargs):
|
|
return super().dispatch(*args, **kwargs)
|