|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394 |
- import warnings
- from urllib.parse import urlparse, urlunparse
-
- from django.conf import settings
-
- # Avoid shadowing the login() and logout() views below.
- from django.contrib.auth import REDIRECT_FIELD_NAME, get_user_model
- from django.contrib.auth import login as auth_login
- from django.contrib.auth import logout as auth_logout
- from django.contrib.auth import update_session_auth_hash
- from django.contrib.auth.decorators import login_required
- from django.contrib.auth.forms import (
- AuthenticationForm,
- PasswordChangeForm,
- PasswordResetForm,
- SetPasswordForm,
- )
- from django.contrib.auth.tokens import default_token_generator
- from django.contrib.sites.shortcuts import get_current_site
- from django.core.exceptions import ImproperlyConfigured, ValidationError
- from django.http import HttpResponseRedirect, QueryDict
- from django.shortcuts import resolve_url
- from django.urls import reverse_lazy
- from django.utils.decorators import method_decorator
- from django.utils.deprecation import RemovedInDjango50Warning
- from django.utils.http import url_has_allowed_host_and_scheme, urlsafe_base64_decode
- from django.utils.translation import gettext_lazy as _
- from django.views.decorators.cache import never_cache
- from django.views.decorators.csrf import csrf_protect
- from django.views.decorators.debug import sensitive_post_parameters
- from django.views.generic.base import TemplateView
- from django.views.generic.edit import FormView
-
- UserModel = get_user_model()
-
-
- class RedirectURLMixin:
- next_page = None
- redirect_field_name = REDIRECT_FIELD_NAME
- success_url_allowed_hosts = set()
-
- def get_success_url(self):
- return self.get_redirect_url() or self.get_default_redirect_url()
-
- def get_redirect_url(self):
- """Return the user-originating redirect URL if it's safe."""
- redirect_to = self.request.POST.get(
- self.redirect_field_name, self.request.GET.get(self.redirect_field_name)
- )
- url_is_safe = url_has_allowed_host_and_scheme(
- url=redirect_to,
- allowed_hosts=self.get_success_url_allowed_hosts(),
- require_https=self.request.is_secure(),
- )
- return redirect_to if url_is_safe else ""
-
- def get_success_url_allowed_hosts(self):
- return {self.request.get_host(), *self.success_url_allowed_hosts}
-
- def get_default_redirect_url(self):
- """Return the default redirect URL."""
- if self.next_page:
- return resolve_url(self.next_page)
- raise ImproperlyConfigured("No URL to redirect to. Provide a next_page.")
-
-
- class LoginView(RedirectURLMixin, FormView):
- """
- Display the login form and handle the login action.
- """
-
- form_class = AuthenticationForm
- authentication_form = None
- template_name = "registration/login.html"
- redirect_authenticated_user = False
- extra_context = None
-
- @method_decorator(sensitive_post_parameters())
- @method_decorator(csrf_protect)
- @method_decorator(never_cache)
- def dispatch(self, request, *args, **kwargs):
- if self.redirect_authenticated_user and self.request.user.is_authenticated:
- redirect_to = self.get_success_url()
- if redirect_to == self.request.path:
- raise ValueError(
- "Redirection loop for authenticated user detected. Check that "
- "your LOGIN_REDIRECT_URL doesn't point to a login page."
- )
- return HttpResponseRedirect(redirect_to)
- return super().dispatch(request, *args, **kwargs)
-
- def get_default_redirect_url(self):
- """Return the default redirect URL."""
- if self.next_page:
- return resolve_url(self.next_page)
- else:
- return resolve_url(settings.LOGIN_REDIRECT_URL)
-
- def get_form_class(self):
- return self.authentication_form or self.form_class
-
- def get_form_kwargs(self):
- kwargs = super().get_form_kwargs()
- kwargs["request"] = self.request
- return kwargs
-
- def form_valid(self, form):
- """Security check complete. Log the user in."""
- auth_login(self.request, form.get_user())
- return HttpResponseRedirect(self.get_success_url())
-
- def get_context_data(self, **kwargs):
- context = super().get_context_data(**kwargs)
- current_site = get_current_site(self.request)
- context.update(
- {
- self.redirect_field_name: self.get_redirect_url(),
- "site": current_site,
- "site_name": current_site.name,
- **(self.extra_context or {}),
- }
- )
- return context
-
-
- class LogoutView(RedirectURLMixin, TemplateView):
- """
- Log out the user and display the 'You are logged out' message.
- """
-
- # RemovedInDjango50Warning: when the deprecation ends, remove "get" and
- # "head" from http_method_names.
- http_method_names = ["get", "head", "post", "options"]
- template_name = "registration/logged_out.html"
- extra_context = None
-
- # RemovedInDjango50Warning: when the deprecation ends, move
- # @method_decorator(csrf_protect) from post() to dispatch().
- @method_decorator(never_cache)
- def dispatch(self, request, *args, **kwargs):
- if request.method.lower() == "get":
- warnings.warn(
- "Log out via GET requests is deprecated and will be removed in Django "
- "5.0. Use POST requests for logging out.",
- RemovedInDjango50Warning,
- )
- return super().dispatch(request, *args, **kwargs)
-
- @method_decorator(csrf_protect)
- def post(self, request, *args, **kwargs):
- """Logout may be done via POST."""
- auth_logout(request)
- redirect_to = self.get_success_url()
- if redirect_to != request.get_full_path():
- # Redirect to target page once the session has been cleared.
- return HttpResponseRedirect(redirect_to)
- return super().get(request, *args, **kwargs)
-
- # RemovedInDjango50Warning.
- get = post
-
- def get_default_redirect_url(self):
- """Return the default redirect URL."""
- if self.next_page:
- return resolve_url(self.next_page)
- elif settings.LOGOUT_REDIRECT_URL:
- return resolve_url(settings.LOGOUT_REDIRECT_URL)
- else:
- return self.request.path
-
- def get_context_data(self, **kwargs):
- context = super().get_context_data(**kwargs)
- current_site = get_current_site(self.request)
- context.update(
- {
- "site": current_site,
- "site_name": current_site.name,
- "title": _("Logged out"),
- "subtitle": None,
- **(self.extra_context or {}),
- }
- )
- return context
-
-
- def logout_then_login(request, login_url=None):
- """
- Log out the user if they are logged in. Then redirect to the login page.
- """
- login_url = resolve_url(login_url or settings.LOGIN_URL)
- return LogoutView.as_view(next_page=login_url)(request)
-
-
- def redirect_to_login(next, login_url=None, redirect_field_name=REDIRECT_FIELD_NAME):
- """
- Redirect the user to the login page, passing the given 'next' page.
- """
- resolved_url = resolve_url(login_url or settings.LOGIN_URL)
-
- login_url_parts = list(urlparse(resolved_url))
- if redirect_field_name:
- querystring = QueryDict(login_url_parts[4], mutable=True)
- querystring[redirect_field_name] = next
- login_url_parts[4] = querystring.urlencode(safe="/")
-
- return HttpResponseRedirect(urlunparse(login_url_parts))
-
-
- # Class-based password reset views
- # - PasswordResetView sends the mail
- # - PasswordResetDoneView shows a success message for the above
- # - PasswordResetConfirmView checks the link the user clicked and
- # prompts for a new password
- # - PasswordResetCompleteView shows a success message for the above
-
-
- class PasswordContextMixin:
- extra_context = None
-
- def get_context_data(self, **kwargs):
- context = super().get_context_data(**kwargs)
- context.update(
- {"title": self.title, "subtitle": None, **(self.extra_context or {})}
- )
- return context
-
-
- class PasswordResetView(PasswordContextMixin, FormView):
- email_template_name = "registration/password_reset_email.html"
- extra_email_context = None
- form_class = PasswordResetForm
- from_email = None
- html_email_template_name = None
- subject_template_name = "registration/password_reset_subject.txt"
- success_url = reverse_lazy("password_reset_done")
- template_name = "registration/password_reset_form.html"
- title = _("Password reset")
- token_generator = default_token_generator
-
- @method_decorator(csrf_protect)
- def dispatch(self, *args, **kwargs):
- return super().dispatch(*args, **kwargs)
-
- def form_valid(self, form):
- opts = {
- "use_https": self.request.is_secure(),
- "token_generator": self.token_generator,
- "from_email": self.from_email,
- "email_template_name": self.email_template_name,
- "subject_template_name": self.subject_template_name,
- "request": self.request,
- "html_email_template_name": self.html_email_template_name,
- "extra_email_context": self.extra_email_context,
- }
- form.save(**opts)
- return super().form_valid(form)
-
-
- INTERNAL_RESET_SESSION_TOKEN = "_password_reset_token"
-
-
- class PasswordResetDoneView(PasswordContextMixin, TemplateView):
- template_name = "registration/password_reset_done.html"
- title = _("Password reset sent")
-
-
- class PasswordResetConfirmView(PasswordContextMixin, FormView):
- form_class = SetPasswordForm
- post_reset_login = False
- post_reset_login_backend = None
- reset_url_token = "set-password"
- success_url = reverse_lazy("password_reset_complete")
- template_name = "registration/password_reset_confirm.html"
- title = _("Enter new password")
- token_generator = default_token_generator
-
- @method_decorator(sensitive_post_parameters())
- @method_decorator(never_cache)
- def dispatch(self, *args, **kwargs):
- if "uidb64" not in kwargs or "token" not in kwargs:
- raise ImproperlyConfigured(
- "The URL path must contain 'uidb64' and 'token' parameters."
- )
-
- self.validlink = False
- self.user = self.get_user(kwargs["uidb64"])
-
- if self.user is not None:
- token = kwargs["token"]
- if token == self.reset_url_token:
- session_token = self.request.session.get(INTERNAL_RESET_SESSION_TOKEN)
- if self.token_generator.check_token(self.user, session_token):
- # If the token is valid, display the password reset form.
- self.validlink = True
- return super().dispatch(*args, **kwargs)
- else:
- if self.token_generator.check_token(self.user, token):
- # Store the token in the session and redirect to the
- # password reset form at a URL without the token. That
- # avoids the possibility of leaking the token in the
- # HTTP Referer header.
- self.request.session[INTERNAL_RESET_SESSION_TOKEN] = token
- redirect_url = self.request.path.replace(
- token, self.reset_url_token
- )
- return HttpResponseRedirect(redirect_url)
-
- # Display the "Password reset unsuccessful" page.
- return self.render_to_response(self.get_context_data())
-
- def get_user(self, uidb64):
- try:
- # urlsafe_base64_decode() decodes to bytestring
- uid = urlsafe_base64_decode(uidb64).decode()
- user = UserModel._default_manager.get(pk=uid)
- except (
- TypeError,
- ValueError,
- OverflowError,
- UserModel.DoesNotExist,
- ValidationError,
- ):
- user = None
- return user
-
- def get_form_kwargs(self):
- kwargs = super().get_form_kwargs()
- kwargs["user"] = self.user
- return kwargs
-
- def form_valid(self, form):
- user = form.save()
- del self.request.session[INTERNAL_RESET_SESSION_TOKEN]
- if self.post_reset_login:
- auth_login(self.request, user, self.post_reset_login_backend)
- return super().form_valid(form)
-
- def get_context_data(self, **kwargs):
- context = super().get_context_data(**kwargs)
- if self.validlink:
- context["validlink"] = True
- else:
- context.update(
- {
- "form": None,
- "title": _("Password reset unsuccessful"),
- "validlink": False,
- }
- )
- return context
-
-
- class PasswordResetCompleteView(PasswordContextMixin, TemplateView):
- template_name = "registration/password_reset_complete.html"
- title = _("Password reset complete")
-
- def get_context_data(self, **kwargs):
- context = super().get_context_data(**kwargs)
- context["login_url"] = resolve_url(settings.LOGIN_URL)
- return context
-
-
- class PasswordChangeView(PasswordContextMixin, FormView):
- form_class = PasswordChangeForm
- success_url = reverse_lazy("password_change_done")
- template_name = "registration/password_change_form.html"
- title = _("Password change")
-
- @method_decorator(sensitive_post_parameters())
- @method_decorator(csrf_protect)
- @method_decorator(login_required)
- def dispatch(self, *args, **kwargs):
- return super().dispatch(*args, **kwargs)
-
- def get_form_kwargs(self):
- kwargs = super().get_form_kwargs()
- kwargs["user"] = self.request.user
- return kwargs
-
- def form_valid(self, form):
- form.save()
- # Updating the password logs out all other sessions for the user
- # except the current one.
- update_session_auth_hash(self.request, form.user)
- return super().form_valid(form)
-
-
- class PasswordChangeDoneView(PasswordContextMixin, TemplateView):
- template_name = "registration/password_change_done.html"
- title = _("Password change successful")
-
- @method_decorator(login_required)
- def dispatch(self, *args, **kwargs):
- return super().dispatch(*args, **kwargs)
|