Search code examples
pythondjangodjango-registrationdjango-1.6

Why is django 1.6 setting "form" to "none" on the contrib.auth.views.password_reset_confirm view?

I'm using django 1.6 and django-registration 1.0.

I had to patch the urls on django-registration since they haven't released their update as of Feb 19, 2014.

All of the password reset url/views have worked except for password_reset_confirm.

On my main urls.py file I have this:

url(r'^accounts/', include('registration.backends.simple.urls')),

On Registration/Backends/Simple/urls.py I have this:

from django.conf.urls import include
from django.conf.urls import patterns
from django.conf.urls import url
from django.views.generic.base import TemplateView

from registration.backends.simple.views import RegistrationView


urlpatterns = patterns('',
                       url(r'^register/$',
                           RegistrationView.as_view(),
                           name='registration_register'),
                       url(r'^register/closed/$',
                           TemplateView.as_view(template_name='registration/registration_closed.html'),
                           name='registration_disallowed'),
                       (r'', include('registration.auth_urls')),
                       )

from django.contrib.auth import views as auth_views

# THIS IS A PATCH added by me !!!
urlpatterns = patterns('',

      # override the default urls
      url(r'^password/change/$',
                    auth_views.password_change,
                    name='password_change'),
      url(r'^password/change/done/$',
                    auth_views.password_change_done,
                    name='password_change_done'),
      url(r'^password/reset/$',
                    auth_views.password_reset,
                    name='password_reset'),
      url(r'^password/reset/done/$',
                    auth_views.password_reset_done,
                    name='password_reset_done'),
      url(r'^password/reset/complete/$',
                    auth_views.password_reset_complete,
                    name='password_reset_complete'),
      url(r'^password/reset/confirm/(?P<uidb64>[0-9A-Za-z]+)-(?P<token>.+)/$',
                    auth_views.password_reset_confirm,
                    name='password_reset_confirm'),

      # and now add the registration urls
      url(r'', include('registration.backends.default.urls')),
)

Django1.6 django/contrib/auth/views.py has the function for password_reset_confirm:

# Doesn't need csrf_protect since no-one can guess the URL
@sensitive_post_parameters()
@never_cache
def password_reset_confirm(request, uidb64=None, token=None,
                           template_name='registration/password_reset_confirm.html',
                           token_generator=default_token_generator,
                           set_password_form=SetPasswordForm,
                           post_reset_redirect=None,
                           current_app=None, extra_context=None):
    """
    View that checks the hash in a password reset link and presents a
    form for entering a new password.
    """
    UserModel = get_user_model()
    assert uidb64 is not None and token is not None  # checked by URLconf
    if post_reset_redirect is None:
        post_reset_redirect = reverse('password_reset_complete')
    else:
        post_reset_redirect = resolve_url(post_reset_redirect)
    try:
        uid = urlsafe_base64_decode(uidb64)
        user = UserModel._default_manager.get(pk=uid)
    except (TypeError, ValueError, OverflowError, UserModel.DoesNotExist):
        user = None

    if user is not None and token_generator.check_token(user, token):
        validlink = True
        if request.method == 'POST':
            form = set_password_form(user, request.POST)
            if form.is_valid():
                form.save()
                return HttpResponseRedirect(post_reset_redirect)
        else:
            form = set_password_form(None)
    else:
        validlink = False
        form = None
    context = {
        'form': form,
        'validlink': validlink,
    }
    if extra_context is not None:
        context.update(extra_context)
    return TemplateResponse(request, template_name, context,
                            current_app=current_app)

So either token_generator.check_token(user, token) is returning False or user == None.

The biggest pain is that this only happens (what seems to me) randomly. So debugging is a pain. Sometimes it works ( {{ form }} renders the inputs ) and often it fails ( {{ form }} renders "None" in place of input markup )

Any help would be much appreciated.

Solution

  • For some reason token_generator.check_token(user, token) is determining that the timestamp/uid has been tampered with. This means a new token and such needs to be generated.

    From the template I'm going to detect that {{ form }} is "None". If that is the case, I'll put a link in place that restarts the whole process.

    {% if form != None %}
    <div class="modal-body">
        <p>Type in a new password. Try not to forget this one!</p>
        {{ form }}
    </div>
    <div class="modal-footer">
        <button type="submit" class="btn btn-primary"><span>Continue</span></button>
    </div>
{% else %}
    <div class="modal-body">
        <p>This link has expired. You'll need to click "Reset Password" again.</p>
        <p><a class="btn btn-primary" href="{% url 'auth_password_reset' %}">Reset Password</a></p>
    </div>
{% endif %}

    This is important because django-bootstrap-form will choke and throw a 500 error if you don't have this in place.