comparison MoinMoin/user.py @ 3564:474f6ad01900

recoverpass: email password reset token rather than sha1 login: no longer accept sha-1 encoded password directly
author Johannes Berg <johannes AT sipsolutions DOT net>
date Thu, 24 Apr 2008 16:05:04 +0200
parents 928a45b60bb3
children ddf31f2ae8e3
3563:8140f31ada6d 3564:474f6ad01900
18 2003-2007 MoinMoin:ThomasWaldmann 18 2003-2007 MoinMoin:ThomasWaldmann
19 @license: GNU GPL, see COPYING for details. 19 @license: GNU GPL, see COPYING for details.
20 """ 20 """
21 21
22 # add names here to hide them in the cgitb traceback 22 # add names here to hide them in the cgitb traceback
23 unsafe_names = ("id", "key", "val", "user_data", "enc_password") 23 unsafe_names = ("id", "key", "val", "user_data", "enc_password", "recoverpass_token")
24 24
25 import os, time, sha, codecs 25 import os, time, sha, codecs
26 26
27 from MoinMoin import config, caching, wikiutil, i18n, events 27 from MoinMoin import config, caching, wikiutil, i18n, events
28 from MoinMoin.util import timefuncs, filesys 28 from MoinMoin.util import timefuncs, filesys, random_string
29 from MoinMoin.wikiutil import url_quote_plus
29 30
30 31
31 def getUserList(request): 32 def getUserList(request):
32 """ Get a list of all (numerical) user IDs. 33 """ Get a list of all (numerical) user IDs.
33 34
310 311
311 # create checkbox fields (with default 0) 312 # create checkbox fields (with default 0)
312 for key, label in self._cfg.user_checkbox_fields: 313 for key, label in self._cfg.user_checkbox_fields:
313 setattr(self, key, self._cfg.user_checkbox_defaults.get(key, 0)) 314 setattr(self, key, self._cfg.user_checkbox_defaults.get(key, 0))
314 315
316 self.recoverpass_token = ""
317
315 self.enc_password = "" 318 self.enc_password = ""
316 if password: 319 if password:
317 if password.startswith('{SHA}'): 320 try:
318 self.enc_password = password 321 self.enc_password = encodePassword(password)
319 else: 322 except UnicodeError:
320 try: 323 pass # Should never happen
321 self.enc_password = encodePassword(password)
322 except UnicodeError:
323 pass # Should never happen
324 324
325 #self.edit_cols = 80 325 #self.edit_cols = 80
326 self.tz_offset = int(float(self._cfg.tz_offset) * 3600) 326 self.tz_offset = int(float(self._cfg.tz_offset) * 3600)
327 self.language = "" 327 self.language = ""
328 self.real_language = "" # In case user uses "Browser setting". For language-statistics 328 self.real_language = "" # In case user uses "Browser setting". For language-statistics
1023 """ 1023 """
1024 from MoinMoin.mail import sendmail 1024 from MoinMoin.mail import sendmail
1025 from MoinMoin.wikiutil import getLocalizedPage 1025 from MoinMoin.wikiutil import getLocalizedPage
1026 _ = self._request.getText 1026 _ = self._request.getText
1027 1027
1028 if not self.enc_password: # generate pw if there is none yet 1028 if not self.recoverpass_token:
1029 from random import randint 1029 self.recoverpass_token = random_string(32, "abcdefghijklmnopqrstuvwxyz0123456789")
1030 import base64
1031
1032 charset = 'utf-8'
1033 pwd = "%s%d" % (str(time.time()), randint(0, 65535))
1034 pwd = pwd.encode(charset)
1035
1036 pwd = sha.new(pwd).digest()
1037 pwd = '{SHA}%s' % base64.encodestring(pwd).rstrip()
1038
1039 self.enc_password = pwd
1040 self.save() 1030 self.save()
1041 1031
1042 text = '\n' + _("""\ 1032 text = '\n' + _("""\
1043 Login Name: %s 1033 Login Name: %s
1044 1034
1045 Login Password: %s 1035 Password recovery token: %s
1046 1036
1047 Login URL: %s/?action=login 1037 Password reset URL: %s/?action=recoverpass&name=%s&token=%s
1048 """) % ( 1038 """) % (
1049 self.name, self.enc_password, self._request.getBaseURL(), ) 1039 self.name,
1040 self.recoverpass_token,
1041 self._request.getBaseURL(),
1042 url_quote_plus(self.name),
1043 self.recoverpass_token, )
1050 1044
1051 text = _("""\ 1045 text = _("""\
1052 Somebody has requested to submit your account data to this email address. 1046 Somebody has requested to email you a password recovery token.
1053 1047
1054 If you lost your password, please use the data below and just enter the 1048 If you lost your password, please go to the password reset URL below or
1055 password AS SHOWN into the wiki's password form field (use copy and paste 1049 go to the password recovery page again and enter your username and the
1056 for that). 1050 recovery token.
1057
1058 After successfully logging in, it is of course a good idea to set a new and known password.
1059 """) + text 1051 """) + text
1060 1052
1061 1053
1062 subject = _('[%(sitename)s] Your wiki account data', 1054 subject = _('[%(sitename)s] Your wiki account data',
1063 ) % {'sitename': self._cfg.sitename or "Wiki"} 1055 ) % {'sitename': self._cfg.sitename or "Wiki"}
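Review bot: The new token is generated only when `self.recoverpass_token` is empty (new-side line 1028), so once issued it is re-sent unchanged on every later request and nothing records when it was issued; a token sitting in an old mailbox therefore stays valid indefinitely unless the recoverpass action, which is not on this page, clears it after a successful reset. Consider regenerating on every request and stamping it, e.g. `self.recoverpass_token = random_string(32, "abcdefghijklmnopqrstuvwxyz0123456789")` followed by `self.recoverpass_token_time = time.time()`, with the action rejecting tokens older than a bounded window and clearing the token once the new password is saved. Whether `random_string` draws from a cryptographically strong source is not visible here; a reset token has to be unpredictable, so it is worth confirming it is backed by `os.urandom` rather than the `random` module. The mail-sending method continues beyond the visible hunk.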