diff MoinMoin/user.py @ 3564:474f6ad01900

recoverpass: email password reset token rather than sha1 login: no longer accept sha-1 encoded password directly
author Johannes Berg <johannes AT sipsolutions DOT net>
date Thu, 24 Apr 2008 16:05:04 +0200
parents 928a45b60bb3
children ddf31f2ae8e3
--- a/MoinMoin/user.py	Thu Apr 24 15:20:15 2008 +0200
+++ b/MoinMoin/user.py	Thu Apr 24 16:05:04 2008 +0200
@@ -20,12 +20,13 @@
 """
 
 # add names here to hide them in the cgitb traceback
-unsafe_names = ("id", "key", "val", "user_data", "enc_password")
+unsafe_names = ("id", "key", "val", "user_data", "enc_password", "recoverpass_token")
 
 import os, time, sha, codecs
 
 from MoinMoin import config, caching, wikiutil, i18n, events
-from MoinMoin.util import timefuncs, filesys
+from MoinMoin.util import timefuncs, filesys, random_string
+from MoinMoin.wikiutil import url_quote_plus
 
 
 def getUserList(request):
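Review bot: The new `from MoinMoin.wikiutil import url_quote_plus` line duplicates a module this file already binds two lines above via `from MoinMoin import config, caching, wikiutil, i18n, events`; writing `wikiutil.url_quote_plus(...)` at the call site would avoid the second import and keep a single way of reaching wikiutil in this module. The same hunk imports `random_string`, which the rest of this commit uses to mint the recovery token; its source of randomness is not visible on this page, and a token that authorizes a password reset must be unpredictable, so that should be confirmed in `MoinMoin.util` before this is relied on. Extending `unsafe_names` with `recoverpass_token` is the right call, since the token is a credential and must not surface in cgitb tracebacks.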
@@ -312,15 +313,14 @@
         for key, label in self._cfg.user_checkbox_fields:
             setattr(self, key, self._cfg.user_checkbox_defaults.get(key, 0))
 
+        self.recoverpass_token = ""
+
         self.enc_password = ""
         if password:
-            if password.startswith('{SHA}'):
-                self.enc_password = password
-            else:
-                try:
-                    self.enc_password = encodePassword(password)
-                except UnicodeError:
-                    pass # Should never happen
+            try:
+                self.enc_password = encodePassword(password)
+            except UnicodeError:
+                pass # Should never happen
 
         #self.edit_cols = 80
         self.tz_offset = int(float(self._cfg.tz_offset) * 3600)
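Review bot: The retained `except UnicodeError: pass # Should never happen` in the rewritten block leaves `self.enc_password` as `""` when `encodePassword` fails, so the user object silently ends up with no stored password hash and nothing signals it; if the failure truly cannot happen, dropping the try/except so the error propagates is safer than `pass`, and otherwise it should at least be logged. The new `self.recoverpass_token = ""` line carries no explanation of the attribute's lifecycle; I would add `# password-recovery token emailed to the user; empty until one has been issued` above it. The enclosing method starts and ends outside this hunk.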
@@ -1025,37 +1025,29 @@
         from MoinMoin.wikiutil import getLocalizedPage
         _ = self._request.getText
 
-        if not self.enc_password: # generate pw if there is none yet
-            from random import randint
-            import base64
-
-            charset = 'utf-8'
-            pwd = "%s%d" % (str(time.time()), randint(0, 65535))
-            pwd = pwd.encode(charset)
-
-            pwd = sha.new(pwd).digest()
-            pwd = '{SHA}%s' % base64.encodestring(pwd).rstrip()
-
-            self.enc_password = pwd
+        if not self.recoverpass_token:
+            self.recoverpass_token = random_string(32, "abcdefghijklmnopqrstuvwxyz0123456789")
             self.save()
 
         text = '\n' + _("""\
 Login Name: %s
 
-Login Password: %s
+Password recovery token: %s
 
-Login URL: %s/?action=login
+Password reset URL: %s/?action=recoverpass&name=%s&token=%s
 """) % (
-                        self.name, self.enc_password, self._request.getBaseURL(), )
+                        self.name,
+                        self.recoverpass_token,
+                        self._request.getBaseURL(),
+                        url_quote_plus(self.name),
+                        self.recoverpass_token, )
 
         text = _("""\
-Somebody has requested to submit your account data to this email address.
+Somebody has requested to email you a password recovery token.
 
-If you lost your password, please use the data below and just enter the
-password AS SHOWN into the wiki's password form field (use copy and paste
-for that).
-
-After successfully logging in, it is of course a good idea to set a new and known password.
+If you lost your password, please go to the password reset URL below or
+go to the password recovery page again and enter your username and the
+recovery token.
 """) + text