From 2a994716a1103be3a8da07a0a625cae7a1b38a13 Mon Sep 17 00:00:00 2001 From: Jacob Kaplan-Moss Date: Wed, 1 Apr 2009 21:25:24 +0000 Subject: [PATCH] Fixed #10265: fixed a bug when generating a password reset token for a user created on the same request. Thanks, crucialfelix. git-svn-id: http://code.djangoproject.com/svn/django/trunk@10341 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/contrib/auth/tests/tokens.py | 8 ++++++++ django/contrib/auth/tokens.py | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/django/contrib/auth/tests/tokens.py b/django/contrib/auth/tests/tokens.py index 6d3a964fe7..03cc1e3c11 100644 --- a/django/contrib/auth/tests/tokens.py +++ b/django/contrib/auth/tests/tokens.py @@ -8,6 +8,14 @@ TOKEN_GENERATOR_TESTS = """ >>> p0.check_token(u, tk1) True +>>> u = User.objects.create_user('comebackkid', 'test3@example.com', 'testpw') +>>> p0 = PasswordResetTokenGenerator() +>>> tk1 = p0.make_token(u) +>>> reload = User.objects.get(username='comebackkid') +>>> tk2 = p0.make_token(reload) +>>> tk1 == tk2 +True + Tests to ensure we can use the token after n days, but no greater. Use a mocked version of PasswordResetTokenGenerator so we can change the value of 'today' diff --git a/django/contrib/auth/tokens.py b/django/contrib/auth/tokens.py index b5704dda34..f61f52d903 100644 --- a/django/contrib/auth/tokens.py +++ b/django/contrib/auth/tokens.py @@ -52,7 +52,7 @@ class PasswordResetTokenGenerator(object): # We limit the hash to 20 chars to keep URL short from django.utils.hashcompat import sha_constructor hash = sha_constructor(settings.SECRET_KEY + unicode(user.id) + - user.password + unicode(user.last_login) + + user.password + user.last_login.strftime('%Y-%m-%d %H:%M:%S') + unicode(timestamp)).hexdigest()[::2] return "%s-%s" % (ts_b36, hash)
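Review bot: In the doctest added to django/contrib/auth/tests/tokens.py, the name `reload` shadows the Python built-in of the same name for the rest of the doctest string; `reloaded = User.objects.get(username='comebackkid')` followed by `tk2 = p0.make_token(reloaded)` avoids that. The case pins that a token survives a database round-trip, but nothing in this hunk checks the complementary property that a token stops validating once last_login changes. If no test outside the hunk covers that, one belongs next to this case, because that property now rests on the second-precision format introduced in tokens.py. The TOKEN_GENERATOR_TESTS string starts and ends outside the hunk.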
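Review bot: The added `user.last_login.strftime('%Y-%m-%d %H:%M:%S')` line in django/contrib/auth/tokens.py has no comment saying why the timestamp is formatted by hand, so a later cleanup could restore `unicode(user.last_login)` and reintroduce #10265. A comment above the `hash = ...` statement would record the reason, for example `# Format last_login to whole seconds so a newly created user and the same user reloaded from the database hash identically.` Two consequences are worth stating in the same place. Logins that fall within the same second may now yield the same hash input, and `.strftime` raises AttributeError if last_login can ever be None, where `unicode()` would have hashed the text 'None'; whether the field is nullable is not visible here. The enclosing method starts and ends outside the hunk.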