Please mark this as "Best Answer". It uses web2py's internal password
reset mechanism. Just gave it a fairly thorough testing. I really
appreciate the people who gave help in this thread and a couple others
about resetting passwords. This should mostly suffice until we get a real
solution (though I make no strong statement about security).
*views/default/reset_password.html*
{{=form}}
*default.py [Include this somewhere under def user()]*
if request.args(0) == 'request_reset_password':
    redirect(URL('default', 'reset_password'))
*default.py*
def reset_password():
    # EXP: Import UUID module from gluon.
    from gluon.utils import web2py_uuid
    # EXP: Define variables.
    # NOTE: No idea how long this is... and any shorter number breaks it, I
    # think...
    max_time = 100000000000
    # EXP: Create a form that will return "E-mail Address Unknown" if the email
    # can't be found.
    form = SQLFORM.factory(
        Field('email', requires=[
            IS_EMAIL(error_message='Email Address Unknown'),
            IS_IN_DB(db, 'auth_user.email', error_message='Email Address Unknown')]))
    # EXP: If the email address is valid, process a password reset email.
    if form.process().accepted:
        # EXP: Find the user whose email matches the request.
        user = db(db.auth_user.email == form.vars.email).select().first()
        # EXP: Generate a one-time key to allow password reset. Web2py's uuid
        # method allows duplication across instances.
        reset_password_key = str(int(max_time)) + '-' + web2py_uuid()
        # TODO: Find a way to encrypt the key before uploading it to DB that works
        # with web2py's internal password reset system.
        user.update_record(reset_password_key=reset_password_key)
        # EXP: Send an email with a password reset link to the entered email
        # address.
        message = ('<html> <h3>Retrieve your password for Trytha.com</h3> <p>Please '
                   'use the link below to reset your password.</p> <p> <a href="'
                   + str(URL('user', 'reset_password', vars=dict(key=reset_password_key),
                             scheme='https', host=True))
                   + '">Reset Password</a></p> <p>If you did not '
                   'initiate this password reset, please ignore this email.</p> </html>')
        mail.send(to=[user.email],
                  subject='Reset your password at Trytha.com',
                  message=message)
        session.flash = 'Email sent'
        # TODO: Forward to login page with forward_page variable.
        redirect(URL('default', 'index'))
    elif form.errors:
        response.flash = 'Wrong E-mail Address'
    return dict(form=form)
On Friday, April 14, 2017 at 12:13:10 AM UTC-7, Jacinto Parga wrote:
>
> Yes, it is easy to change anyone's password, but you still have to have access to
> his/her email to set the final password. Anyway, it is not the right
> solution. There was no problem with 2.13 versions.
>
>
>
> On Friday, April 14, 2017, 0:55:50 (UTC+2), [email protected]
> wrote:
>>
>> Can we not get a real solution to this? I was gonna try the posted hack,
>> but it can be too easily abused (it changes the user's password instead of
>> using a password_reset token, so anyone could change your password just by
>> knowing your email address).
>>
>> On Friday, April 7, 2017 at 7:28:48 PM UTC-7, [email protected] wrote:
>>>
>>> Thanks for bringing this issue back up and posting a workaround.
>>>
>>> The worst part is the way to fix this is probably about as easy as
>>> wrapping something in "str()", just need to know how the web2py internals
>>> all link together.
>>>
>>> On Thursday, April 6, 2017 at 4:51:17 AM UTC-7, Karoly Kantor wrote:
>>>>
>>>> Thanks, this helped, I am now using my own function to send the
>>>> password reset email.
>>>>
>>>> On Friday, March 31, 2017 at 2:51:03 PM UTC+2, Jacinto Parga wrote:
>>>>>
>>>>> Yes, still unresolved.
>>>>>
>>>>> I did a workaround for the request_reset_password:
>>>>>
>>>>> import time
>>>>>
>>>>> def user():
>>>>>     if request.args(0) == 'request_reset_password':
>>>>>         redirect(URL('default', 'myrequestpass'))
>>>>>     return dict(form=auth())
>>>>>
>>>>> def myrequestpass():
>>>>>     form = SQLFORM.factory(
>>>>>         Field('u_email', requires=[
>>>>>             IS_EMAIL(error_message='Wrong email'),
>>>>>             IS_IN_DB(db, 'auth_user.email', error_message='Address not in DB')]),
>>>>>         table_name='solicitar_pass')
>>>>>     if form.process().accepted:
>>>>>         user = db(db.auth_user.email == form.vars.u_email).select().first()
>>>>>         session.flash = 'Comprueba tu correo ' + str(user.first_name)
>>>>>         # Temporary password derived from the current time
>>>>>         u_passwd = str(hex(int(time.time())))[2:]
>>>>>         user.update_record(password=CRYPT()(u_passwd.encode('utf8'))[0])
>>>>>         mensaje = ('<html> <h4>Retrieve your password</h4> Temporal password : <strong> '
>>>>>                    + u_passwd + ' </strong> <p> Login with the temporal '
>>>>>                    'password and set your new password in this link :</p><p><a href="'
>>>>>                    'https://yoursite.com/user/login?_next=/user/change_password">Change '
>>>>>                    'Password</a></p><br></html>')
>>>>>         mail.send(to=[form.vars.u_email],
>>>>>                   subject='Change your password, follow this link',
>>>>>                   message=mensaje)
>>>>>         redirect(URL('default', 'index'))
>>>>>     elif form.errors:
>>>>>         response.flash = 'Wrong Email address'
>>>>>     return dict(form=form)
>>>>>
>>>>>
>>>>> But anyway the lazyT found is an annoying error with, for instance:
>>>>> auth.settings.auth_two_factor_enabled = True
>>>>>
>>>>>
>>>>> On Thursday, March 30, 2017, 8:13:06 (UTC+2), Karoly Kantor
>>>>> wrote:
>>>>>>
>>>>>> As the issue is still unresolved, I have unchecked the "no action
>>>>>> needed" flag on this topic. Any help would be appreciated. Thank you.
>>>>>>
>>>>>> On Thursday, March 30, 2017 at 6:33:07 AM UTC+2, Karoly Kantor wrote:
>>>>>>>
>>>>>>> This issue still seems to be unsolved. I have a fresh installation
>>>>>>> on GAE, reset password emails fail due to "need string or buffer,
>>>>>>> lazyT found"
>>>>>>>
>>>>>>> Is there something I can do?
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> On Friday, July 29, 2016 at 7:49:14 AM UTC+2, [email protected]
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> I just uploaded an updated version of web2py to my server,
>>>>>>>> replacing a much older version (likely 2.12.2), and now it won't send
>>>>>>>> password recovery emails. The error in the logs is:
>>>>>>>>
>>>>>>>> Mail.send failure:coercing to Unicode: need string or buffer,
>>>>>>>> lazyT found
>>>>>>>>
>>>>>>>> This suggests to me that somehow a string is not properly being
>>>>>>>> passed. I gather that lazyT has something to do with the built-in
>>>>>>>> translation capabilities of web2py? Probably don't need to be
>>>>>>>> translating email addresses (though I guess it could be trying to
>>>>>>>> translate the recovery message). Either way, GAE wants nothing to
>>>>>>>> do with it.
>>>>>>>>
>>>>>>>> How can I fix this?
>>>>>>>>
>>>>>>>
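Added example, not part of the original thread and not web2py's own code: the one-time reset key the replies ask for (instead of overwriting the password), assuming the numeric prefix of the '<number>-<uuid>' key is meant as an issue time, and storing only a keyed digest as the TODO in the top post wishes. uuid.uuid4() stands in for web2py_uuid(); TOKEN_TTL, the function names, the dict used as a store and the secret are assumptions for illustration.

```python
import hashlib
import hmac
import time
import uuid

TOKEN_TTL = 60 * 60 * 24  # assumed lifetime of a reset key, in seconds


def new_reset_key(now=None):
    """Key in the post's '<number>-<uuid>' shape; the number is the issue time."""
    issued = int(time.time() if now is None else now)
    # uuid.uuid4() stands in for web2py_uuid() so this runs outside web2py
    return '%d-%s' % (issued, uuid.uuid4())


def key_digest(key, secret):
    """Keyed digest to store in place of the raw key."""
    return hmac.new(secret, key.encode('utf8'), hashlib.sha256).hexdigest()


def redeem(key, email, store, secret, now=None):
    """True exactly once for a fresh key that matches the stored digest."""
    now = time.time() if now is None else now
    stored = store.get(email)
    if not stored:
        return False
    try:
        issued = int(key.split('-', 1)[0])
    except (AttributeError, ValueError):
        return False
    if not 0 <= now - issued <= TOKEN_TTL:      # expired or post-dated prefix
        return False
    # The digest covers the whole key, so an edited prefix fails here too.
    if not hmac.compare_digest(stored, key_digest(key, secret)):
        return False
    store[email] = None                          # single use
    return True


if __name__ == '__main__':
    secret = b'constructed-demo-secret'          # constructed sample value
    store = {}                                   # hypothetical stand-in for auth_user rows
    key = new_reset_key()
    store['user@example.com'] = key_digest(key, secret)
    print(redeem(key, 'user@example.com', store, secret))   # first use
    print(redeem(key, 'user@example.com', store, secret))   # replay
```

Because the store holds only the digest, a lookup by raw key no longer works, so this check replaces the stock reset_password lookup rather than plugging into it.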