2012-07-20 21:36:52 +08:00
|
|
|
try:
|
|
|
|
from urllib.parse import urlparse, urlunparse
|
|
|
|
except ImportError: # Python 2
|
|
|
|
from urlparse import urlparse, urlunparse
|
2011-03-02 20:47:44 +08:00
|
|
|
|
2008-08-02 00:13:12 +08:00
|
|
|
from django.conf import settings
|
2008-08-13 07:31:31 +08:00
|
|
|
from django.core.urlresolvers import reverse
|
2011-03-02 20:47:44 +08:00
|
|
|
from django.http import HttpResponseRedirect, QueryDict
|
2011-04-23 02:17:16 +08:00
|
|
|
from django.template.response import TemplateResponse
|
2010-11-28 06:43:33 +08:00
|
|
|
from django.utils.http import base36_to_int
|
Merged Unicode branch into trunk (r4952:5608). This should be fully
backwards compatible for all practical purposes.
Fixed #2391, #2489, #2996, #3322, #3344, #3370, #3406, #3432, #3454, #3492, #3582, #3690, #3878, #3891, #3937, #4039, #4141, #4227, #4286, #4291, #4300, #4452, #4702
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5609 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-07-04 20:11:04 +08:00
|
|
|
from django.utils.translation import ugettext as _
|
2011-06-09 06:18:46 +08:00
|
|
|
from django.views.decorators.debug import sensitive_post_parameters
|
2008-08-16 01:10:14 +08:00
|
|
|
from django.views.decorators.cache import never_cache
|
2011-03-02 20:47:44 +08:00
|
|
|
from django.views.decorators.csrf import csrf_protect
|
|
|
|
|
|
|
|
# Avoid shadowing the login() and logout() views below.
|
|
|
|
from django.contrib.auth import REDIRECT_FIELD_NAME, login as auth_login, logout as auth_logout
|
|
|
|
from django.contrib.auth.decorators import login_required
|
|
|
|
from django.contrib.auth.forms import AuthenticationForm, PasswordResetForm, SetPasswordForm, PasswordChangeForm
|
|
|
|
from django.contrib.auth.models import User
|
|
|
|
from django.contrib.auth.tokens import default_token_generator
|
|
|
|
from django.contrib.sites.models import get_current_site
|
|
|
|
|
2006-05-02 09:31:56 +08:00
|
|
|
|
2011-06-09 06:18:46 +08:00
|
|
|
@sensitive_post_parameters()
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 07:23:07 +08:00
|
|
|
@csrf_protect
|
|
|
|
@never_cache
|
2009-10-12 23:32:24 +08:00
|
|
|
def login(request, template_name='registration/login.html',
|
|
|
|
redirect_field_name=REDIRECT_FIELD_NAME,
|
2010-12-02 08:43:52 +08:00
|
|
|
authentication_form=AuthenticationForm,
|
2010-12-02 08:44:35 +08:00
|
|
|
current_app=None, extra_context=None):
|
2011-03-02 20:47:44 +08:00
|
|
|
"""
|
|
|
|
Displays the login form and handles the login action.
|
|
|
|
"""
|
2007-09-15 03:25:37 +08:00
|
|
|
redirect_to = request.REQUEST.get(redirect_field_name, '')
|
Fixed #14386, #8960, #10235, #10909, #10608, #13845, #14377 - standardize Site/RequestSite usage in various places.
Many thanks to gabrielhurley for putting most of this together. Also to
bmihelac, arthurk, qingfeng, hvendelbo, petr.pulc@s-cape.cz, Hraban for
reports and some initial patches.
The patch also contains some whitespace/PEP8 fixes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13980 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 22:20:47 +08:00
|
|
|
|
2008-07-19 07:54:34 +08:00
|
|
|
if request.method == "POST":
|
2009-10-12 23:32:24 +08:00
|
|
|
form = authentication_form(data=request.POST)
|
2008-07-19 07:54:34 +08:00
|
|
|
if form.is_valid():
|
2012-07-20 21:36:52 +08:00
|
|
|
netloc = urlparse(redirect_to)[1]
|
2010-11-28 06:43:33 +08:00
|
|
|
|
2011-03-02 06:49:18 +08:00
|
|
|
# Use default setting if redirect_to is empty
|
|
|
|
if not redirect_to:
|
2007-04-25 16:49:57 +08:00
|
|
|
redirect_to = settings.LOGIN_REDIRECT_URL
|
Fixed #14386, #8960, #10235, #10909, #10608, #13845, #14377 - standardize Site/RequestSite usage in various places.
Many thanks to gabrielhurley for putting most of this together. Also to
bmihelac, arthurk, qingfeng, hvendelbo, petr.pulc@s-cape.cz, Hraban for
reports and some initial patches.
The patch also contains some whitespace/PEP8 fixes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13980 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 22:20:47 +08:00
|
|
|
|
2011-04-23 02:17:16 +08:00
|
|
|
# Heavier security check -- don't allow redirection to a different
|
2010-11-28 06:43:33 +08:00
|
|
|
# host.
|
|
|
|
elif netloc and netloc != request.get_host():
|
|
|
|
redirect_to = settings.LOGIN_REDIRECT_URL
|
Fixed #14386, #8960, #10235, #10909, #10608, #13845, #14377 - standardize Site/RequestSite usage in various places.
Many thanks to gabrielhurley for putting most of this together. Also to
bmihelac, arthurk, qingfeng, hvendelbo, petr.pulc@s-cape.cz, Hraban for
reports and some initial patches.
The patch also contains some whitespace/PEP8 fixes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13980 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 22:20:47 +08:00
|
|
|
|
2010-03-02 03:58:53 +08:00
|
|
|
# Okay, security checks complete. Log the user in.
|
|
|
|
auth_login(request, form.get_user())
|
|
|
|
|
2008-06-19 00:13:14 +08:00
|
|
|
if request.session.test_cookie_worked():
|
|
|
|
request.session.delete_test_cookie()
|
2010-03-02 03:58:53 +08:00
|
|
|
|
2006-05-02 09:31:56 +08:00
|
|
|
return HttpResponseRedirect(redirect_to)
|
|
|
|
else:
|
2009-10-12 23:32:24 +08:00
|
|
|
form = authentication_form(request)
|
Fixed #14386, #8960, #10235, #10909, #10608, #13845, #14377 - standardize Site/RequestSite usage in various places.
Many thanks to gabrielhurley for putting most of this together. Also to
bmihelac, arthurk, qingfeng, hvendelbo, petr.pulc@s-cape.cz, Hraban for
reports and some initial patches.
The patch also contains some whitespace/PEP8 fixes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13980 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 22:20:47 +08:00
|
|
|
|
2006-05-02 09:31:56 +08:00
|
|
|
request.session.set_test_cookie()
|
Fixed #14386, #8960, #10235, #10909, #10608, #13845, #14377 - standardize Site/RequestSite usage in various places.
Many thanks to gabrielhurley for putting most of this together. Also to
bmihelac, arthurk, qingfeng, hvendelbo, petr.pulc@s-cape.cz, Hraban for
reports and some initial patches.
The patch also contains some whitespace/PEP8 fixes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13980 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 22:20:47 +08:00
|
|
|
|
|
|
|
current_site = get_current_site(request)
|
|
|
|
|
2010-12-02 08:43:52 +08:00
|
|
|
context = {
|
2008-07-19 07:54:34 +08:00
|
|
|
'form': form,
|
2007-09-15 03:25:37 +08:00
|
|
|
redirect_field_name: redirect_to,
|
2009-04-02 00:37:48 +08:00
|
|
|
'site': current_site,
|
2007-08-15 06:08:11 +08:00
|
|
|
'site_name': current_site.name,
|
2010-12-02 08:43:52 +08:00
|
|
|
}
|
2011-04-23 02:17:16 +08:00
|
|
|
if extra_context is not None:
|
|
|
|
context.update(extra_context)
|
|
|
|
return TemplateResponse(request, template_name, context,
|
|
|
|
current_app=current_app)
|
2010-12-02 08:43:52 +08:00
|
|
|
|
|
|
|
def logout(request, next_page=None,
|
|
|
|
template_name='registration/logged_out.html',
|
|
|
|
redirect_field_name=REDIRECT_FIELD_NAME,
|
2010-12-02 08:44:35 +08:00
|
|
|
current_app=None, extra_context=None):
|
2011-03-02 20:47:44 +08:00
|
|
|
"""
|
|
|
|
Logs out the user and displays 'You are logged out' message.
|
|
|
|
"""
|
|
|
|
auth_logout(request)
|
|
|
|
redirect_to = request.REQUEST.get(redirect_field_name, '')
|
|
|
|
if redirect_to:
|
2012-07-20 21:36:52 +08:00
|
|
|
netloc = urlparse(redirect_to)[1]
|
2011-03-02 20:47:44 +08:00
|
|
|
# Security check -- don't allow redirection to a different host.
|
|
|
|
if not (netloc and netloc != request.get_host()):
|
2009-04-02 01:02:32 +08:00
|
|
|
return HttpResponseRedirect(redirect_to)
|
2011-03-02 20:47:44 +08:00
|
|
|
|
|
|
|
if next_page is None:
|
|
|
|
current_site = get_current_site(request)
|
|
|
|
context = {
|
|
|
|
'site': current_site,
|
|
|
|
'site_name': current_site.name,
|
|
|
|
'title': _('Logged out')
|
|
|
|
}
|
2011-04-23 02:17:16 +08:00
|
|
|
if extra_context is not None:
|
|
|
|
context.update(extra_context)
|
|
|
|
return TemplateResponse(request, template_name, context,
|
|
|
|
current_app=current_app)
|
2006-05-02 09:31:56 +08:00
|
|
|
else:
|
|
|
|
# Redirect to this page until the session has been cleared.
|
|
|
|
return HttpResponseRedirect(next_page or request.path)
|
|
|
|
|
2010-12-02 08:44:35 +08:00
|
|
|
def logout_then_login(request, login_url=None, current_app=None, extra_context=None):
|
2011-03-02 20:47:44 +08:00
|
|
|
"""
|
|
|
|
Logs out the user if he is logged in. Then redirects to the log-in page.
|
|
|
|
"""
|
2007-04-25 16:49:57 +08:00
|
|
|
if not login_url:
|
|
|
|
login_url = settings.LOGIN_URL
|
2010-12-02 08:44:35 +08:00
|
|
|
return logout(request, login_url, current_app=current_app, extra_context=extra_context)
|
2006-05-02 09:31:56 +08:00
|
|
|
|
2010-11-28 06:43:33 +08:00
|
|
|
def redirect_to_login(next, login_url=None,
|
|
|
|
redirect_field_name=REDIRECT_FIELD_NAME):
|
2011-03-02 20:47:44 +08:00
|
|
|
"""
|
|
|
|
Redirects the user to the login page, passing the given 'next' page
|
|
|
|
"""
|
2007-04-25 16:49:57 +08:00
|
|
|
if not login_url:
|
|
|
|
login_url = settings.LOGIN_URL
|
2010-11-28 06:43:33 +08:00
|
|
|
|
2012-07-20 21:36:52 +08:00
|
|
|
login_url_parts = list(urlparse(login_url))
|
2010-11-28 06:43:33 +08:00
|
|
|
if redirect_field_name:
|
|
|
|
querystring = QueryDict(login_url_parts[4], mutable=True)
|
|
|
|
querystring[redirect_field_name] = next
|
2010-12-02 06:25:17 +08:00
|
|
|
login_url_parts[4] = querystring.urlencode(safe='/')
|
2010-11-28 06:43:33 +08:00
|
|
|
|
2012-07-20 21:36:52 +08:00
|
|
|
return HttpResponseRedirect(urlunparse(login_url_parts))
|
2006-05-02 09:31:56 +08:00
|
|
|
|
2008-08-01 04:47:53 +08:00
|
|
|
# 4 views for password reset:
|
|
|
|
# - password_reset sends the mail
|
|
|
|
# - password_reset_done shows a success message for the above
|
Fixed #14386, #8960, #10235, #10909, #10608, #13845, #14377 - standardize Site/RequestSite usage in various places.
Many thanks to gabrielhurley for putting most of this together. Also to
bmihelac, arthurk, qingfeng, hvendelbo, petr.pulc@s-cape.cz, Hraban for
reports and some initial patches.
The patch also contains some whitespace/PEP8 fixes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13980 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 22:20:47 +08:00
|
|
|
# - password_reset_confirm checks the link the user clicked and
|
2008-08-01 04:47:53 +08:00
|
|
|
# prompts for a new password
|
|
|
|
# - password_reset_complete shows a success message for the above
|
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 07:23:07 +08:00
|
|
|
@csrf_protect
|
2010-12-02 08:43:52 +08:00
|
|
|
def password_reset(request, is_admin_site=False,
|
|
|
|
template_name='registration/password_reset_form.html',
|
|
|
|
email_template_name='registration/password_reset_email.html',
|
2011-06-19 19:24:39 +08:00
|
|
|
subject_template_name='registration/password_reset_subject.txt',
|
2010-12-02 08:43:52 +08:00
|
|
|
password_reset_form=PasswordResetForm,
|
|
|
|
token_generator=default_token_generator,
|
|
|
|
post_reset_redirect=None,
|
|
|
|
from_email=None,
|
2010-12-02 08:44:35 +08:00
|
|
|
current_app=None,
|
2010-12-02 08:43:52 +08:00
|
|
|
extra_context=None):
|
2008-08-23 11:26:01 +08:00
|
|
|
if post_reset_redirect is None:
|
|
|
|
post_reset_redirect = reverse('django.contrib.auth.views.password_reset_done')
|
2008-07-19 07:54:34 +08:00
|
|
|
if request.method == "POST":
|
|
|
|
form = password_reset_form(request.POST)
|
|
|
|
if form.is_valid():
|
2010-12-02 08:43:52 +08:00
|
|
|
opts = {
|
|
|
|
'use_https': request.is_secure(),
|
|
|
|
'token_generator': token_generator,
|
|
|
|
'from_email': from_email,
|
|
|
|
'email_template_name': email_template_name,
|
2011-06-19 19:24:39 +08:00
|
|
|
'subject_template_name': subject_template_name,
|
2010-12-02 08:43:52 +08:00
|
|
|
'request': request,
|
|
|
|
}
|
2006-05-02 09:31:56 +08:00
|
|
|
if is_admin_site:
|
2010-12-02 08:43:52 +08:00
|
|
|
opts = dict(opts, domain_override=request.META['HTTP_HOST'])
|
2008-08-01 04:47:53 +08:00
|
|
|
form.save(**opts)
|
2008-08-23 11:26:01 +08:00
|
|
|
return HttpResponseRedirect(post_reset_redirect)
|
2008-07-19 07:54:34 +08:00
|
|
|
else:
|
|
|
|
form = password_reset_form()
|
2010-12-02 08:43:52 +08:00
|
|
|
context = {
|
2008-07-19 07:54:34 +08:00
|
|
|
'form': form,
|
2010-12-02 08:43:52 +08:00
|
|
|
}
|
2011-04-23 02:17:16 +08:00
|
|
|
if extra_context is not None:
|
|
|
|
context.update(extra_context)
|
|
|
|
return TemplateResponse(request, template_name, context,
|
|
|
|
current_app=current_app)
|
2010-12-02 08:43:52 +08:00
|
|
|
|
|
|
|
def password_reset_done(request,
|
|
|
|
template_name='registration/password_reset_done.html',
|
2010-12-02 08:44:35 +08:00
|
|
|
current_app=None, extra_context=None):
|
2010-12-02 08:43:52 +08:00
|
|
|
context = {}
|
2011-04-23 02:17:16 +08:00
|
|
|
if extra_context is not None:
|
|
|
|
context.update(extra_context)
|
|
|
|
return TemplateResponse(request, template_name, context,
|
|
|
|
current_app=current_app)
|
2006-05-02 09:31:56 +08:00
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 07:23:07 +08:00
|
|
|
# Doesn't need csrf_protect since no-one can guess the URL
|
2011-06-09 06:18:46 +08:00
|
|
|
@sensitive_post_parameters()
|
2010-12-13 06:59:03 +08:00
|
|
|
@never_cache
|
2010-12-02 08:43:52 +08:00
|
|
|
def password_reset_confirm(request, uidb36=None, token=None,
|
|
|
|
template_name='registration/password_reset_confirm.html',
|
|
|
|
token_generator=default_token_generator,
|
|
|
|
set_password_form=SetPasswordForm,
|
|
|
|
post_reset_redirect=None,
|
2010-12-02 08:44:35 +08:00
|
|
|
current_app=None, extra_context=None):
|
2008-08-01 04:47:53 +08:00
|
|
|
"""
|
|
|
|
View that checks the hash in a password reset link and presents a
|
|
|
|
form for entering a new password.
|
|
|
|
"""
|
|
|
|
assert uidb36 is not None and token is not None # checked by URLconf
|
2008-08-23 11:26:01 +08:00
|
|
|
if post_reset_redirect is None:
|
|
|
|
post_reset_redirect = reverse('django.contrib.auth.views.password_reset_complete')
|
2008-08-01 04:47:53 +08:00
|
|
|
try:
|
|
|
|
uid_int = base36_to_int(uidb36)
|
2010-11-04 20:36:55 +08:00
|
|
|
user = User.objects.get(id=uid_int)
|
|
|
|
except (ValueError, User.DoesNotExist):
|
|
|
|
user = None
|
2008-08-01 04:47:53 +08:00
|
|
|
|
2010-11-04 20:36:55 +08:00
|
|
|
if user is not None and token_generator.check_token(user, token):
|
2010-12-02 08:43:52 +08:00
|
|
|
validlink = True
|
2008-08-01 04:47:53 +08:00
|
|
|
if request.method == 'POST':
|
|
|
|
form = set_password_form(user, request.POST)
|
|
|
|
if form.is_valid():
|
|
|
|
form.save()
|
2008-08-23 11:26:01 +08:00
|
|
|
return HttpResponseRedirect(post_reset_redirect)
|
2008-08-01 04:47:53 +08:00
|
|
|
else:
|
|
|
|
form = set_password_form(None)
|
|
|
|
else:
|
2010-12-02 08:43:52 +08:00
|
|
|
validlink = False
|
2008-08-01 04:47:53 +08:00
|
|
|
form = None
|
2010-12-02 08:43:52 +08:00
|
|
|
context = {
|
|
|
|
'form': form,
|
|
|
|
'validlink': validlink,
|
|
|
|
}
|
2011-04-23 02:17:16 +08:00
|
|
|
if extra_context is not None:
|
|
|
|
context.update(extra_context)
|
|
|
|
return TemplateResponse(request, template_name, context,
|
|
|
|
current_app=current_app)
|
2010-12-02 08:43:52 +08:00
|
|
|
|
|
|
|
def password_reset_complete(request,
|
|
|
|
template_name='registration/password_reset_complete.html',
|
2010-12-02 08:44:35 +08:00
|
|
|
current_app=None, extra_context=None):
|
2010-12-02 08:43:52 +08:00
|
|
|
context = {
|
|
|
|
'login_url': settings.LOGIN_URL
|
|
|
|
}
|
2011-04-23 02:17:16 +08:00
|
|
|
if extra_context is not None:
|
|
|
|
context.update(extra_context)
|
|
|
|
return TemplateResponse(request, template_name, context,
|
|
|
|
current_app=current_app)
|
2008-08-01 04:47:53 +08:00
|
|
|
|
2011-06-09 06:18:46 +08:00
|
|
|
@sensitive_post_parameters()
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 07:23:07 +08:00
|
|
|
@csrf_protect
|
|
|
|
@login_required
|
2010-12-02 08:43:52 +08:00
|
|
|
def password_change(request,
|
|
|
|
template_name='registration/password_change_form.html',
|
|
|
|
post_change_redirect=None,
|
|
|
|
password_change_form=PasswordChangeForm,
|
2010-12-02 08:44:35 +08:00
|
|
|
current_app=None, extra_context=None):
|
2008-08-23 11:26:01 +08:00
|
|
|
if post_change_redirect is None:
|
|
|
|
post_change_redirect = reverse('django.contrib.auth.views.password_change_done')
|
2008-07-19 07:54:34 +08:00
|
|
|
if request.method == "POST":
|
2009-10-12 23:32:24 +08:00
|
|
|
form = password_change_form(user=request.user, data=request.POST)
|
2008-07-19 07:54:34 +08:00
|
|
|
if form.is_valid():
|
|
|
|
form.save()
|
2008-08-23 11:26:01 +08:00
|
|
|
return HttpResponseRedirect(post_change_redirect)
|
2008-07-19 07:54:34 +08:00
|
|
|
else:
|
2009-10-12 23:32:24 +08:00
|
|
|
form = password_change_form(user=request.user)
|
2010-12-02 08:43:52 +08:00
|
|
|
context = {
|
2008-07-19 07:54:34 +08:00
|
|
|
'form': form,
|
2010-12-02 08:43:52 +08:00
|
|
|
}
|
2011-04-23 02:17:16 +08:00
|
|
|
if extra_context is not None:
|
|
|
|
context.update(extra_context)
|
|
|
|
return TemplateResponse(request, template_name, context,
|
|
|
|
current_app=current_app)
|
2010-12-02 08:43:52 +08:00
|
|
|
|
2011-06-27 00:51:25 +08:00
|
|
|
@login_required
|
2010-12-02 08:43:52 +08:00
|
|
|
def password_change_done(request,
|
|
|
|
template_name='registration/password_change_done.html',
|
2010-12-02 08:44:35 +08:00
|
|
|
current_app=None, extra_context=None):
|
2010-12-02 08:43:52 +08:00
|
|
|
context = {}
|
2011-04-23 02:17:16 +08:00
|
|
|
if extra_context is not None:
|
|
|
|
context.update(extra_context)
|
|
|
|
return TemplateResponse(request, template_name, context,
|
|
|
|
current_app=current_app)
|