Make all steps of password reset run over SSL
authorMagnus Hagander <magnus@hagander.net>
Mon, 5 Nov 2012 18:19:13 +0000 (19:19 +0100)
committerMagnus Hagander <magnus@hagander.net>
Mon, 5 Nov 2012 18:19:13 +0000 (19:19 +0100)
This requires the creation of views with @require_ssl set that call
into the core django views. Otherwise, when deployed in production,
the middleware will catch these requests and direct them out of SSL.

This has always been a problem, but it probably broke when we turned on
CSRF protection, since the required cookie is no longer passed through.

pgweb/account/urls.py
pgweb/account/views.py

index ad4f10920535582afdcdd5806b7cd625d03e64bd..0dc7c8f01cc07185d24ad31394159440f252aa93 100644 (file)
@@ -34,15 +34,11 @@ urlpatterns = patterns('',
     (r'^login/$', 'account.views.login'),
     (r'^logout/$', 'account.views.logout'),
        (r'^changepwd/$', 'account.views.changepwd'),
-       (r'^changepwd/done/$', 'django.contrib.auth.views.password_change_done', {
-                       'template_name': 'account/password_change_done.html', }),
+       (r'^changepwd/done/$', 'account.views.change_done'),
        (r'^reset/$', 'account.views.resetpwd'),
-       (r'^reset/done/$', 'django.contrib.auth.views.password_reset_done', {
-                       'template_name': 'account/password_reset_done.html', }),
-       (r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$', 'django.contrib.auth.views.password_reset_confirm', {
-                       'template_name': 'account/password_reset_confirm.html', }),
-       (r'^reset/complete/$', 'django.contrib.auth.views.password_reset_complete', {
-                       'template_name': 'account/password_reset_complete.html', }),
+       (r'^reset/done/$', 'account.views.reset_done'),
+       (r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$', 'account.views.reset_confirm'),
+       (r'^reset/complete/$', 'account.views.reset_complete'),
        (r'^signup/$', 'account.views.signup'),
        (r'^signup/complete/$', 'account.views.signup_complete'),
 )
index 19c6b55592d81bf01f9c80f2091a0028ff559fa9..0fa0f3d5b2dae63f6d87572d0f186d7faf452ab1 100644 (file)
@@ -135,6 +135,22 @@ def resetpwd(request):
        return authviews.password_reset(request, template_name='account/password_reset.html',
                                                                        email_template_name='account/password_reset_email.txt')
 
+@ssl_required
+def change_done(request):
+       return authviews.password_change_done(request, template_name='account/password_change_done.html')
+
+@ssl_required
+def reset_done(request):
+       return authviews.password_reset_done(request, template_name='account/password_reset_done.html')
+
+@ssl_required
+def reset_confirm(request):
+       return authviews.password_reset_confirm(request, template_name='account/password_reset_confirm.html')
+
+@ssl_required
+def reset_complete(request):
+       return authviews.password_reset_complete(request, template_name='account/password_reset_complete.html')
+
 @ssl_required
 def signup(request):
        if request.user.is_authenticated():
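Review bot: `reset_confirm` in the new block is declared with only `request`, but the route it is wired to in the urls.py hunk (`^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$`) passes `uidb36` and `token` as keyword arguments, so the call will fail with a TypeError (assuming `ssl_required` forwards view kwargs), and even if it ran, `password_reset_confirm` would receive no uid or token to validate. The wrapper should accept and forward them: `def reset_confirm(request, uidb36, token):` and `return authviews.password_reset_confirm(request, uidb36=uidb36, token=token, template_name='account/password_reset_confirm.html')`. Separately, the urls.py hunk removes the routes that were registered under the dotted names `django.contrib.auth.views.password_reset_done` and `django.contrib.auth.views.password_reset_complete`; if this Django version's `password_reset` and `password_reset_confirm` reverse those names for their default post-submit redirect, the redirect will now raise NoReverseMatch, so passing `post_reset_redirect=` explicitly to both calls (here and in `resetpwd`) would keep the SSL-only flow independent of that lookup.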