On 08/08/2015 05:25 PM, Andrew Shadura wrote:
@@ -278,27 +307,65 @@ class UserModel(BaseModel):
user_email = data['email']
user = User.get_by_email(user_email)
+ timestamp = int(time.time())
if user is not None:
- log.debug('password reset user found %s' % user)
+ log.debug('password reset user %s found', user)
+ token = self.reset_password_token(user,
+ timestamp,
+ h.authentication_token)
link = h.canonical_url('reset_password_confirmation',
- key=user.api_key)
+ email=user_email,
+ timestamp=timestamp,
+ token=token)
reg_type = EmailNotificationModel.TYPE_PASSWORD_RESET
body = EmailNotificationModel().get_email_tmpl(
reg_type, 'txt',
user=user.short_contact,
+ reset_token=token,
reset_url=link)
html_body = EmailNotificationModel().get_email_tmpl(
reg_type, 'html',
user=user.short_contact,
+ reset_token=token,
reset_url=link)
log.debug('sending email')
run_task(tasks.send_email, [user_email],
_("Password reset link"), body, html_body)
- log.info('send new password mail to %s' % user_email)
+ log.info('send new password mail to %s', user_email)
else:
- log.debug("password reset email %s not found" % user_email)
+ log.debug("password reset email %s not found", user_email)
- return True
+ return h.canonical_url('reset_password_confirmation',
+ email=user_email,
+ timestamp=timestamp)
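Review bot: The `email` and `timestamp` query parameters placed on the confirmation link (and on the URL returned in both branches) become attacker-controllable once the link is in the user's hands, and nothing in this hunk shows the confirmation side bounding the age of `timestamp` or comparing the recomputed token in constant time; if `reset_password_token` is a keyed hash over `(user, timestamp, h.authentication_token)`, the handler should reject links older than a fixed window and compare with `hmac.compare_digest(expected, token)` rather than `==`. The `else` branch deliberately returns the same confirmation URL whether or not the address is registered, which prevents account enumeration through this form; a comment such as `# always return the same URL so the form does not reveal which emails exist` would keep that intent from being "simplified" away later. The enclosing method starts before the hunk and neither `reset_password_token` nor the confirmation handler is visible, so the expiry and comparison behaviour is inferred rather than confirmed.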
Here and above: this shouldn't use canonical_url, just a normal URL.
If a site has multiple names/addresses, it is important that the URL
points at the current name. If it points at another (canonical)
location, the session id will be different and the link is not useful.
(The UI should perhaps also mention that it is important that the
verification token from the mail must be used in the same browser
session as it was requested in.)
/Mads