Added an alert on the login form, to be shown if a user's password has been cleared. Adjusted url reverse strings to match the changed view function.

- Legacy-Id: 12918
2017-02-25 15:50:47 +00:00 · 2017-02-25 15:50:47 +00:00 · a94c33fd6e
parent 9f74aca342
commit a94c33fd6e
6 changed files with 48 additions and 14 deletions
--- a/ietf/ietfauth/tests.py
+++ b/ietf/ietfauth/tests.py
@ -62,10 +62,10 @@ class IetfAuthTests(TestCase):
        make_test_data()

        # try logging in without a next
-        r = self.client.get(urlreverse(django.contrib.auth.views.login))
+        r = self.client.get(urlreverse(ietf.ietfauth.views.login))
        self.assertEqual(r.status_code, 200)

-        r = self.client.post(urlreverse(django.contrib.auth.views.login), {"username":"plain", "password":"plain+password"})
+        r = self.client.post(urlreverse(ietf.ietfauth.views.login), {"username":"plain", "password":"plain+password"})
        self.assertEqual(r.status_code, 302)
        self.assertEqual(urlsplit(r["Location"])[2], urlreverse(ietf.ietfauth.views.profile))

@ -75,10 +75,10 @@ class IetfAuthTests(TestCase):

        r = self.client.get(urlreverse(ietf.ietfauth.views.profile))
        self.assertEqual(r.status_code, 302)
-        self.assertEqual(urlsplit(r["Location"])[2], urlreverse(django.contrib.auth.views.login))
+        self.assertEqual(urlsplit(r["Location"])[2], urlreverse(ietf.ietfauth.views.login))

        # try logging in with a next
-        r = self.client.post(urlreverse(django.contrib.auth.views.login) + "?next=/foobar", {"username":"plain", "password":"plain+password"})
+        r = self.client.post(urlreverse(ietf.ietfauth.views.login) + "?next=/foobar", {"username":"plain", "password":"plain+password"})
        self.assertEqual(r.status_code, 302)
        self.assertEqual(urlsplit(r["Location"])[2], "/foobar")

@ -153,7 +153,7 @@ class IetfAuthTests(TestCase):
        email = "new-account@example.com"

        # add whitelist entry
-        r = self.client.post(urlreverse(django.contrib.auth.views.login), {"username":"secretary", "password":"secretary+password"})
+        r = self.client.post(urlreverse(ietf.ietfauth.views.login), {"username":"secretary", "password":"secretary+password"})
        self.assertEqual(r.status_code, 302)
        self.assertEqual(urlsplit(r["Location"])[2], urlreverse(ietf.ietfauth.views.profile))

@ -406,7 +406,7 @@ class IetfAuthTests(TestCase):

        chpw_url = urlreverse(ietf.ietfauth.views.change_password)
        prof_url = urlreverse(ietf.ietfauth.views.profile)
-        login_url = urlreverse(django.contrib.auth.views.login)
+        login_url = urlreverse(ietf.ietfauth.views.login)
        redir_url = '%s?next=%s' % (login_url, chpw_url)

        # get without logging in
@ -453,7 +453,7 @@ class IetfAuthTests(TestCase):

        chun_url = urlreverse(ietf.ietfauth.views.change_username)
        prof_url = urlreverse(ietf.ietfauth.views.profile)
-        login_url = urlreverse(django.contrib.auth.views.login)
+        login_url = urlreverse(ietf.ietfauth.views.login)
        redir_url = '%s?next=%s' % (login_url, chun_url)

        # get without logging in
--- a/ietf/ietfauth/urls.py
+++ b/ietf/ietfauth/urls.py
@ -1,6 +1,6 @@
 # Copyright The IETF Trust 2007, 2009, All Rights Reserved

-from django.contrib.auth.views import login, logout
+from django.contrib.auth.views import logout

 from ietf.ietfauth import views
 from ietf.utils.urls import url
@ -10,7 +10,7 @@ urlpatterns = [
        url(r'^confirmnewemail/(?P<auth>[^/]+)/$', views.confirm_new_email),
        url(r'^create/$', views.create_account),
        url(r'^create/confirm/(?P<auth>[^/]+)/$', views.confirm_account),
-        url(r'^login/$', login),
+        url(r'^login/$', views.login),
        url(r'^logout/$', logout),
        url(r'^password/$', views.change_password),
        url(r'^profile/$', views.profile),
--- a/ietf/ietfauth/views.py
+++ b/ietf/ietfauth/views.py
@ -43,7 +43,10 @@ from django.contrib import messages
 from django.conf import settings
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.decorators import login_required
+from django.contrib.auth.forms import AuthenticationForm
+from django.contrib.auth.hashers import identify_hasher
 from django.contrib.auth.models import User
+from django.contrib.auth.views import login as django_login
 from django.contrib.sites.models import Site
 from django.core.urlresolvers import reverse as urlreverse
 from django.http import Http404, HttpResponseRedirect  #, HttpResponse, 
@ -565,4 +568,29 @@ def change_username(request):
        'user': user,
    })

-    
+
+
+def login(request, extra_context=None):
+    """
+    This login function is a wrapper around django's login() for the purpose
+    of providing a notification if the user's password has been cleared.  The
+    warning will be triggered if the password field has been set to something
+    which is not recognized as a valid password hash.
+    """
+
+    if request.method == "POST":
+        form = AuthenticationForm(request, data=request.POST)
+        username = form.data.get('username')
+        user = User.objects.filter(username=username).first()
+        if user:
+            try:
+                identify_hasher(user.password)
+            except ValueError:
+                extra_context = {"alert":
+                                    "Note: Your password has been cleared because "
+                                    "of possible password leakage.  "
+                                    "Please use the password reset link below "
+                                    "to set a new password for your account.",
+                                }
+
+    return django_login(request, extra_context=extra_context)
--- a/ietf/meeting/tests_js.py
+++ b/ietf/meeting/tests_js.py
@ -5,7 +5,6 @@ import time
 from pyquery import PyQuery 
 from unittest import skipIf

-import django.contrib.auth.views
 from django.contrib.staticfiles.testing import StaticLiveServerTestCase
 from django.core.urlresolvers import reverse as urlreverse
 #from django.test.utils import override_settings
@ -73,7 +72,7 @@ class ScheduleEditTests(StaticLiveServerTestCase):
        return '%s%s'%(self.live_server_url,urlreverse(*args,**kwargs))

    def login(self):
-        url = '%s%s'%(self.live_server_url, urlreverse('django.contrib.auth.views.login'))
+        url = '%s%s'%(self.live_server_url, urlreverse('ietf.ietfauth.views.login'))
        self.driver.get(url)
        self.driver.find_element_by_name('username').send_keys('plain')
        self.driver.find_element_by_name('password').send_keys('plain+password')
@ -127,7 +126,7 @@ class SlideReorderTests(StaticLiveServerTestCase):
        return '%s%s'%(self.live_server_url,urlreverse(*args,**kwargs))

    def secr_login(self):
-        url = '%s%s'%(self.live_server_url, urlreverse(django.contrib.auth.views.login))
+        url = '%s%s'%(self.live_server_url, urlreverse('ietf.ietfauth.views.login'))
        self.driver.get(url)
        self.driver.find_element_by_name('username').send_keys('secretary')
        self.driver.find_element_by_name('password').send_keys('secretary+password')
--- a/ietf/templates/registration/confirm_account.html
+++ b/ietf/templates/registration/confirm_account.html
@ -20,7 +20,7 @@
    <h1>Account creation successful</h1>

    <p>Your account with login {{ email }} has been created, using the password you have selected.</p>
-    <a type="a" class="btn btn-primary" href="{% url "django.contrib.auth.views.login" %}" rel="nofollow">Sign in</a>
+    <a type="a" class="btn btn-primary" href="{% url "ietf.ietfauth.views.login" %}" rel="nofollow">Sign in</a>

  {% else %}
    <h1>Complete account creation</h1>
--- a/ietf/templates/registration/login.html
+++ b/ietf/templates/registration/login.html
@ -12,10 +12,17 @@
  <div class="col-md-8 col-sm-12">
    <h1>Sign in</h1>

+
    <form method="post">
      {% csrf_token %}
      {% bootstrap_form form %}

+      {% if alert %}
+	<p class="alert alert-danger">
+	   {{ alert }}
+	</p>
+      {% endif %}
+
      {% buttons %}
 	<table class="col-md-12">
 	   <tr>