import functools import warnings from django.conf import settings # Avoid shadowing the login() and logout() views below. from django.contrib.auth import ( REDIRECT_FIELD_NAME, get_user_model, login as auth_login, logout as auth_logout, update_session_auth_hash, ) from django.contrib.auth.decorators import login_required from django.contrib.auth.forms import ( AuthenticationForm, PasswordChangeForm, PasswordResetForm, SetPasswordForm, ) from django.contrib.auth.tokens import default_token_generator from django.contrib.sites.shortcuts import get_current_site from django.core.urlresolvers import reverse from django.http import HttpResponseRedirect, QueryDict from django.shortcuts import resolve_url from django.template.response import TemplateResponse from django.utils.deprecation import ( RemovedInDjango20Warning, RemovedInDjango110Warning, ) from django.utils.encoding import force_text from django.utils.http import is_safe_url, urlsafe_base64_decode from django.utils.six.moves.urllib.parse import urlparse, urlunparse from django.utils.translation import ugettext as _ from django.views.decorators.cache import never_cache from django.views.decorators.csrf import csrf_protect from django.views.decorators.debug import sensitive_post_parameters def deprecate_current_app(func): """ Handle deprecation of the current_app parameter of the views. """ @functools.wraps(func) def inner(*args, **kwargs): if 'current_app' in kwargs: warnings.warn( "Passing `current_app` as a keyword argument is deprecated. " "Instead the caller of `{0}` should set " "`request.current_app`.".format(func.__name__), RemovedInDjango20Warning ) current_app = kwargs.pop('current_app') request = kwargs.get('request', None) if request and current_app is not None: request.current_app = current_app return func(*args, **kwargs) return inner @deprecate_current_app @sensitive_post_parameters() @csrf_protect @never_cache def login(request, template_name='registration/login.html', redirect_field_name=REDIRECT_FIELD_NAME, authentication_form=AuthenticationForm, extra_context=None): """ Displays the login form and handles the login action. """ redirect_to = request.POST.get(redirect_field_name, request.GET.get(redirect_field_name, '')) if request.method == "POST": form = authentication_form(request, data=request.POST) if form.is_valid(): # Ensure the user-originating redirection url is safe. if not is_safe_url(url=redirect_to, host=request.get_host()): redirect_to = resolve_url(settings.LOGIN_REDIRECT_URL) # Okay, security check complete. Log the user in. auth_login(request, form.get_user()) return HttpResponseRedirect(redirect_to) else: form = authentication_form(request) current_site = get_current_site(request) context = { 'form': form, redirect_field_name: redirect_to, 'site': current_site, 'site_name': current_site.name, } if extra_context is not None: context.update(extra_context) return TemplateResponse(request, template_name, context) @deprecate_current_app def logout(request, next_page=None, template_name='registration/logged_out.html', redirect_field_name=REDIRECT_FIELD_NAME, extra_context=None): """ Logs out the user and displays 'You are logged out' message. """ auth_logout(request) if next_page is not None: next_page = resolve_url(next_page) if (redirect_field_name in request.POST or redirect_field_name in request.GET): next_page = request.POST.get(redirect_field_name, request.GET.get(redirect_field_name)) # Security check -- don't allow redirection to a different host. if not is_safe_url(url=next_page, host=request.get_host()): next_page = request.path if next_page: # Redirect to this page until the session has been cleared. return HttpResponseRedirect(next_page) current_site = get_current_site(request) context = { 'site': current_site, 'site_name': current_site.name, 'title': _('Logged out') } if extra_context is not None: context.update(extra_context) return TemplateResponse(request, template_name, context) @deprecate_current_app def logout_then_login(request, login_url=None, extra_context=None): """ Logs out the user if they are logged in. Then redirects to the log-in page. """ if not login_url: login_url = settings.LOGIN_URL login_url = resolve_url(login_url) return logout(request, login_url, extra_context=extra_context) def redirect_to_login(next, login_url=None, redirect_field_name=REDIRECT_FIELD_NAME): """ Redirects the user to the login page, passing the given 'next' page """ resolved_url = resolve_url(login_url or settings.LOGIN_URL) login_url_parts = list(urlparse(resolved_url)) if redirect_field_name: querystring = QueryDict(login_url_parts[4], mutable=True) querystring[redirect_field_name] = next login_url_parts[4] = querystring.urlencode(safe='/') return HttpResponseRedirect(urlunparse(login_url_parts)) # 4 views for password reset: # - password_reset sends the mail # - password_reset_done shows a success message for the above # - password_reset_confirm checks the link the user clicked and # prompts for a new password # - password_reset_complete shows a success message for the above @deprecate_current_app @csrf_protect def password_reset(request, is_admin_site=False, template_name='registration/password_reset_form.html', email_template_name='registration/password_reset_email.html', subject_template_name='registration/password_reset_subject.txt', password_reset_form=PasswordResetForm, token_generator=default_token_generator, post_reset_redirect=None, from_email=None, extra_context=None, html_email_template_name=None): if post_reset_redirect is None: post_reset_redirect = reverse('password_reset_done') else: post_reset_redirect = resolve_url(post_reset_redirect) if request.method == "POST": form = password_reset_form(request.POST) if form.is_valid(): opts = { 'use_https': request.is_secure(), 'token_generator': token_generator, 'from_email': from_email, 'email_template_name': email_template_name, 'subject_template_name': subject_template_name, 'request': request, 'html_email_template_name': html_email_template_name, } if is_admin_site: warnings.warn( "The is_admin_site argument to " "django.contrib.auth.views.password_reset() is deprecated " "and will be removed in Django 1.10.", RemovedInDjango110Warning, 3 ) opts = dict(opts, domain_override=request.get_host()) form.save(**opts) return HttpResponseRedirect(post_reset_redirect) else: form = password_reset_form() context = { 'form': form, 'title': _('Password reset'), } if extra_context is not None: context.update(extra_context) return TemplateResponse(request, template_name, context) @deprecate_current_app def password_reset_done(request, template_name='registration/password_reset_done.html', extra_context=None): context = { 'title': _('Password reset sent'), } if extra_context is not None: context.update(extra_context) return TemplateResponse(request, template_name, context) # Doesn't need csrf_protect since no-one can guess the URL @sensitive_post_parameters() @never_cache @deprecate_current_app def password_reset_confirm(request, uidb64=None, token=None, template_name='registration/password_reset_confirm.html', token_generator=default_token_generator, set_password_form=SetPasswordForm, post_reset_redirect=None, extra_context=None): """ View that checks the hash in a password reset link and presents a form for entering a new password. """ UserModel = get_user_model() assert uidb64 is not None and token is not None # checked by URLconf if post_reset_redirect is None: post_reset_redirect = reverse('password_reset_complete') else: post_reset_redirect = resolve_url(post_reset_redirect) try: # urlsafe_base64_decode() decodes to bytestring on Python 3 uid = force_text(urlsafe_base64_decode(uidb64)) user = UserModel._default_manager.get(pk=uid) except (TypeError, ValueError, OverflowError, UserModel.DoesNotExist): user = None if user is not None and token_generator.check_token(user, token): validlink = True title = _('Enter new password') if request.method == 'POST': form = set_password_form(user, request.POST) if form.is_valid(): form.save() return HttpResponseRedirect(post_reset_redirect) else: form = set_password_form(user) else: validlink = False form = None title = _('Password reset unsuccessful') context = { 'form': form, 'title': title, 'validlink': validlink, } if extra_context is not None: context.update(extra_context) return TemplateResponse(request, template_name, context) @deprecate_current_app def password_reset_complete(request, template_name='registration/password_reset_complete.html', extra_context=None): context = { 'login_url': resolve_url(settings.LOGIN_URL), 'title': _('Password reset complete'), } if extra_context is not None: context.update(extra_context) return TemplateResponse(request, template_name, context) @sensitive_post_parameters() @csrf_protect @login_required @deprecate_current_app def password_change(request, template_name='registration/password_change_form.html', post_change_redirect=None, password_change_form=PasswordChangeForm, extra_context=None): if post_change_redirect is None: post_change_redirect = reverse('password_change_done') else: post_change_redirect = resolve_url(post_change_redirect) if request.method == "POST": form = password_change_form(user=request.user, data=request.POST) if form.is_valid(): form.save() # Updating the password logs out all other sessions for the user # except the current one if # django.contrib.auth.middleware.SessionAuthenticationMiddleware # is enabled. update_session_auth_hash(request, form.user) return HttpResponseRedirect(post_change_redirect) else: form = password_change_form(user=request.user) context = { 'form': form, 'title': _('Password change'), } if extra_context is not None: context.update(extra_context) return TemplateResponse(request, template_name, context) @login_required @deprecate_current_app def password_change_done(request, template_name='registration/password_change_done.html', extra_context=None): context = { 'title': _('Password change successful'), } if extra_context is not None: context.update(extra_context) return TemplateResponse(request, template_name, context)