Hi,
I am currently using the code below as a workaround.
Please be super-careful with this. I did not test this extensively. Do
not use it if your password reset page requests external resources. Make
sure you understand the security implications before you deploy it.
apollo13 suggested this on IRC as a temporary fix, but any bugs in the
implementation are mine. Obviously, no warranty ;)
```
from django.contrib.auth import views as auth_views
from django.contrib.auth.views import INTERNAL_RESET_SESSION_TOKEN
from django.utils.decorators import method_decorator
from django.views.decorators.cache import never_cache
from django.views.decorators.debug import sensitive_post_parameters
class PasswordResetConfirmView(auth_views.PasswordResetConfirmView):
# https://code.djangoproject.com/ticket/29975
@method_decorator(sensitive_post_parameters())
@method_decorator(never_cache)
def dispatch(self, *args, **kwargs):
assert 'uidb64' in kwargs and 'token' in kwargs
self.validlink = False
self.user = self.get_user(kwargs['uidb64'])
if self.user is not None:
token = kwargs['token']
if self.token_generator.check_token(self.user, token):
self.validlink = True
form = self.get_form()
if form.is_valid():
self.request.session[
INTERNAL_RESET_SESSION_TOKEN
] = 'dummy'
return self.form_valid(form)
return self.form_invalid(form)
return self.render_to_response(self.get_context_data())
```
--
René Fleschenberg
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/6898cb45-0128-9648-9b70-3294ff6c58a4%40fleschenberg.net.
For more options, visit https://groups.google.com/d/optout.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment