import re
import urlparse
from django.conf import settings
from django.contrib.auth import REDIRECT_FIELD_NAME
# Avoid shadowing the login() view below.
from django.contrib.auth import login as auth_login
from django.contrib.auth.decorators import login_required
from django.contrib.auth.forms import AuthenticationForm
from django.contrib.auth.forms import PasswordResetForm, SetPasswordForm, PasswordChangeForm
from django.contrib.auth.tokens import default_token_generator
from django.views.decorators.csrf import csrf_protect
from django.core.urlresolvers import reverse
from django.shortcuts import render_to_response, get_object_or_404
from django.contrib.sites.models import get_current_site
from django.http import HttpResponseRedirect, Http404, QueryDict
from django.template import RequestContext
from django.utils.http import base36_to_int
from django.utils.translation import ugettext as _
from django.contrib.auth.models import User
from django.views.decorators.cache import never_cache
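@csrf_protect
@never_cache
def login(request, template_name='registration/login.html',
          redirect_field_name=REDIRECT_FIELD_NAME,
          authentication_form=AuthenticationForm,
          current_app=None, extra_context=None):
    """Display the login form and handle the login action.

    For any method other than POST an unbound ``authentication_form`` is
    rendered with ``template_name``.  On POST the form is validated; when it
    is valid the user is logged in and redirected to the URL carried in the
    ``redirect_field_name`` request parameter, or to
    ``settings.LOGIN_REDIRECT_URL`` when that value is empty or fails the
    checks below.  An invalid POST re-renders the bound form.

    The redirect target is read straight from the request, so it is treated
    as untrusted: it is only followed when it contains no space, has no
    network location other than ``request.get_host()``, and carries no
    scheme other than http/https.  ``extra_context`` entries are merged into
    the template context last and therefore override the defaults.
    """
    redirect_to = request.REQUEST.get(redirect_field_name, '')

    if request.method == "POST":
        form = authentication_form(data=request.POST)
        if form.is_valid():
            scheme, netloc = urlparse.urlparse(redirect_to)[:2]

            # Light security check -- make sure redirect_to isn't garbage.
            if not redirect_to or ' ' in redirect_to:
                redirect_to = settings.LOGIN_REDIRECT_URL

            # Heavier security check -- don't allow redirection to a different
            # host.
            elif netloc and netloc != request.get_host():
                redirect_to = settings.LOGIN_REDIRECT_URL

            # A value with a scheme but no network location passes the host
            # comparison above, so restrict the scheme as well: only
            # relative URLs and http(s) URLs are followed.
            elif scheme and scheme not in ('http', 'https'):
                redirect_to = settings.LOGIN_REDIRECT_URL

            # Okay, security checks complete. Log the user in.
            auth_login(request, form.get_user())

            if request.session.test_cookie_worked():
                request.session.delete_test_cookie()

            return HttpResponseRedirect(redirect_to)

    else:
        form = authentication_form(request)

    request.session.set_test_cookie()

    current_site = get_current_site(request)

    # redirect_to is handed to the template as received (unchecked); it is
    # read from the request again and validated on the POST that performs
    # the redirect.
    context = {
        'form': form,
        redirect_field_name: redirect_to,
        'site': current_site,
        'site_name': current_site.name,
    }
    context.update(extra_context or {})
    return render_to_response(template_name, context,
                              context_instance=RequestContext(request, current_app=current_app))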
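def logout(request, next_page=None,
           template_name='registration/logged_out.html',
           redirect_field_name=REDIRECT_FIELD_NAME,
           current_app=None, extra_context=None):
    """Log the user out, then redirect or show the 'logged out' page.

    When ``next_page`` is given (anything but ``None``) the response is a
    redirect to ``next_page``, or to ``request.path`` if it is empty.
    Otherwise the ``redirect_field_name`` request parameter is consulted: a
    non-empty value that passes the checks below is followed, and in every
    other case ``template_name`` is rendered.

    The request parameter is untrusted input.  It is followed only when it
    contains no space, names no network location other than
    ``request.get_host()`` and uses no scheme other than http/https -- the
    same restrictions the login view applies -- so this view cannot be used
    to bounce a visitor to another site.  ``extra_context`` entries override
    the default context keys.
    """
    # Imported locally under another name: at module level ``logout`` is
    # this view.
    from django.contrib.auth import logout as auth_logout
    auth_logout(request)

    if next_page is not None:
        # Redirect to this page until the session has been cleared.
        return HttpResponseRedirect(next_page or request.path)

    redirect_to = request.REQUEST.get(redirect_field_name, '')
    if redirect_to:
        scheme, netloc = urlparse.urlparse(redirect_to)[:2]
        same_host = not netloc or netloc == request.get_host()
        web_scheme = not scheme or scheme in ('http', 'https')
        if same_host and web_scheme and ' ' not in redirect_to:
            return HttpResponseRedirect(redirect_to)
        # A rejected target falls through to the logged-out page instead of
        # redirecting.

    current_site = get_current_site(request)
    context = {
        'site': current_site,
        'site_name': current_site.name,
        'title': _('Logged out')
    }
    context.update(extra_context or {})
    return render_to_response(template_name, context,
                              context_instance=RequestContext(request, current_app=current_app))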
def logout_then_login(request, login_url=None, current_app=None, extra_context=None):
    """Log the user out, then redirect to the log-in page.

    ``login_url`` falls back to ``settings.LOGIN_URL`` when it is empty or
    not given.  The work is delegated to the ``logout`` view, with the
    chosen URL passed as its ``next_page`` argument.
    """
    target = login_url or settings.LOGIN_URL
    return logout(request, target,
                  current_app=current_app, extra_context=extra_context)
def redirect_to_login(next, login_url=None,
                      redirect_field_name=REDIRECT_FIELD_NAME):
    """Redirect to the login page, carrying ``next`` in its query string.

    ``login_url`` falls back to ``settings.LOGIN_URL`` when it is empty or
    not given.  If ``redirect_field_name`` is non-empty, that key is set to
    ``next`` in the login URL's query string, replacing any value the URL
    already had for it; the query is re-encoded with '/' left unescaped.
    """
    scheme, netloc, path, params, query, fragment = urlparse.urlparse(
        login_url or settings.LOGIN_URL)

    if redirect_field_name:
        # QueryDict handles the URL-encoding of `next`, so the value is
        # never spliced into the URL as raw text.
        query_args = QueryDict(query, mutable=True)
        query_args[redirect_field_name] = next
        query = query_args.urlencode(safe='/')

    return HttpResponseRedirect(
        urlparse.urlunparse((scheme, netloc, path, params, query, fragment)))
# 4 views for password reset:
# - password_reset sends the mail
# - password_reset_done shows a success message for the above
# - password_reset_confirm checks the link the user clicked and
# prompts for a new password
# - password_reset_complete shows a success message for the above
@csrf_protect
def password_reset(request, is_admin_site=False,
                   template_name='registration/password_reset_form.html',
                   email_template_name='registration/password_reset_email.html',
                   password_reset_form=PasswordResetForm,
                   token_generator=default_token_generator,
                   post_reset_redirect=None,
                   from_email=None,
                   current_app=None,
                   extra_context=None):
    """Show the password reset form and, on a valid POST, save it.

    A valid POST calls ``form.save()`` with the request, the token
    generator, the e-mail template name, the sender address and whether the
    request is secure, then redirects to ``post_reset_redirect`` (by default
    the URL of the ``password_reset_done`` view).  Any other request, or an
    invalid POST, renders ``template_name`` with the form;
    ``extra_context`` entries override the default context keys.
    """
    if post_reset_redirect is None:
        post_reset_redirect = reverse('django.contrib.auth.views.password_reset_done')

    if request.method != "POST":
        form = password_reset_form()
    else:
        form = password_reset_form(request.POST)
        if form.is_valid():
            save_kwargs = {
                'use_https': request.is_secure(),
                'token_generator': token_generator,
                'from_email': from_email,
                'email_template_name': email_template_name,
                'request': request,
            }
            if is_admin_site:
                # NOTE(review): HTTP_HOST is the client-supplied Host header
                # and is passed on unvalidated as domain_override --
                # presumably the domain used in the reset e-mail (the form
                # code is not shown here; confirm).  Deployments that set
                # is_admin_site should only accept requests for expected
                # Host values at the front end.  A request without a Host
                # header raises KeyError on this lookup.
                save_kwargs['domain_override'] = request.META['HTTP_HOST']
            form.save(**save_kwargs)
            return HttpResponseRedirect(post_reset_redirect)

    context = {'form': form}
    context.update(extra_context or {})
    return render_to_response(
        template_name, context,
        context_instance=RequestContext(request, current_app=current_app))
def password_reset_done(request,
                        template_name='registration/password_reset_done.html',
                        current_app=None, extra_context=None):
    """Render ``template_name``; the context holds only ``extra_context``."""
    context = dict(extra_context or {})
    request_context = RequestContext(request, current_app=current_app)
    return render_to_response(template_name, context,
                              context_instance=request_context)
# Doesn't need csrf_protect: the URL carries the reset token, which
# no-one else can guess.
@never_cache
def password_reset_confirm(request, uidb36=None, token=None,
                           template_name='registration/password_reset_confirm.html',
                           token_generator=default_token_generator,
                           set_password_form=SetPasswordForm,
                           post_reset_redirect=None,
                           current_app=None, extra_context=None):
    """
    Check the token from a password reset link and, when it is valid,
    present (and on POST process) a form for entering a new password.

    The user is looked up from the base-36 id ``uidb36``; a malformed id or
    an unknown user is handled exactly like a bad token, so the response
    does not reveal which of the two failed.  With an invalid link the
    template receives ``validlink=False`` and ``form=None``.  A valid POST
    saves the form and redirects to ``post_reset_redirect`` (by default the
    URL of the ``password_reset_complete`` view).
    """
    # NOTE(review): assert statements are stripped when Python runs with
    # -O, so this only documents the URLconf contract; it is not a check to
    # rely on.
    assert uidb36 is not None and token is not None  # checked by URLconf
    if post_reset_redirect is None:
        post_reset_redirect = reverse('django.contrib.auth.views.password_reset_complete')

    try:
        user = User.objects.get(id=base36_to_int(uidb36))
    except (ValueError, User.DoesNotExist):
        user = None

    validlink = bool(user is not None and
                     token_generator.check_token(user, token))
    form = None
    if validlink:
        if request.method == 'POST':
            form = set_password_form(user, request.POST)
            if form.is_valid():
                form.save()
                return HttpResponseRedirect(post_reset_redirect)
        else:
            # Unbound form for display only; it is built without the user.
            form = set_password_form(None)

    context = {'form': form, 'validlink': validlink}
    context.update(extra_context or {})
    return render_to_response(
        template_name, context,
        context_instance=RequestContext(request, current_app=current_app))
def password_reset_complete(request,
                            template_name='registration/password_reset_complete.html',
                            current_app=None, extra_context=None):
    """Render ``template_name`` with ``login_url`` set to settings.LOGIN_URL.

    ``extra_context`` entries are merged in afterwards and override
    ``login_url`` if they use the same key.
    """
    context = {}
    context['login_url'] = settings.LOGIN_URL
    context.update(extra_context or {})
    request_context = RequestContext(request, current_app=current_app)
    return render_to_response(template_name, context,
                              context_instance=request_context)
@csrf_protect
@login_required
def password_change(request,
                    template_name='registration/password_change_form.html',
                    post_change_redirect=None,
                    password_change_form=PasswordChangeForm,
                    current_app=None, extra_context=None):
    """Let the logged-in user change their password.

    The form is always bound to ``request.user``.  A valid POST saves it and
    redirects to ``post_change_redirect`` (by default the URL of the
    ``password_change_done`` view); any other request, or an invalid POST,
    renders ``template_name`` with the form.  ``extra_context`` entries
    override the default context keys.
    """
    if post_change_redirect is None:
        post_change_redirect = reverse('django.contrib.auth.views.password_change_done')

    is_post = request.method == "POST"
    if is_post:
        form = password_change_form(user=request.user, data=request.POST)
    else:
        form = password_change_form(user=request.user)

    if is_post and form.is_valid():
        form.save()
        return HttpResponseRedirect(post_change_redirect)

    context = {'form': form}
    context.update(extra_context or {})
    return render_to_response(
        template_name, context,
        context_instance=RequestContext(request, current_app=current_app))
def password_change_done(request,
                         template_name='registration/password_change_done.html',
                         current_app=None, extra_context=None):
    """Render ``template_name``; the context holds only ``extra_context``."""
    context = dict(extra_context or {})
    request_context = RequestContext(request, current_app=current_app)
    return render_to_response(template_name, context,
                              context_instance=request_context)