From: Magnus Hagander
Date: Mon, 5 Nov 2012 18:19:13 +0000 (+0100)
Subject: Make all steps of password reset run over SSL
X-Git-Url: http://git.postgresql.org/gitweb/?a=commitdiff_plain;h=b40dd5f460c8dab77492a466d6fdb3cef2a16cc0;p=pgweb.git

Make all steps of password reset run over SSL

This requires the creation of views with @require_ssl set that calls into the core django views. Otherwise, when deployed in production, the middleware will catch these requests and direct them out of SSL.

This has always been a problem, but it broke probably when we turned on CSRF protection, since the cookie required is no longer passed through.
---
diff --git a/pgweb/account/urls.py b/pgweb/account/urls.py
index ad4f1092..0dc7c8f0 100644
--- a/pgweb/account/urls.py
+++ b/pgweb/account/urls.py
@@ -34,15 +34,11 @@ urlpatterns = patterns('',
     (r'^login/$', 'account.views.login'),
     (r'^logout/$', 'account.views.logout'),
     (r'^changepwd/$', 'account.views.changepwd'),
-    (r'^changepwd/done/$', 'django.contrib.auth.views.password_change_done', {
-        'template_name': 'account/password_change_done.html', }),
+    (r'^changepwd/done/$', 'account.views.change_done'),
     (r'^reset/$', 'account.views.resetpwd'),
-    (r'^reset/done/$', 'django.contrib.auth.views.password_reset_done', {
-        'template_name': 'account/password_reset_done.html', }),
-    (r'^reset/(?P[0-9A-Za-z]+)-(?P.+)/$', 'django.contrib.auth.views.password_reset_confirm', {
-        'template_name': 'account/password_reset_confirm.html', }),
-    (r'^reset/complete/$', 'django.contrib.auth.views.password_reset_complete', {
-        'template_name': 'account/password_reset_complete.html', }),
+    (r'^reset/done/$', 'account.views.reset_done'),
+    (r'^reset/(?P[0-9A-Za-z]+)-(?P.+)/$', 'account.views.reset_confirm'),
+    (r'^reset/complete/$', 'account.views.reset_complete'),
     (r'^signup/$', 'account.views.signup'),
     (r'^signup/complete/$', 'account.views.signup_complete'),
 )
diff --git a/pgweb/account/views.py b/pgweb/account/views.py
index 19c6b555..0fa0f3d5 100644
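Review bot: The reset-confirm route on the new side still captures two URL groups (their `<name>` parts appear to have been stripped in this rendering) but now dispatches to `account.views.reset_confirm`, which the views.py hunk of this same commit declares as `def reset_confirm(request):` with no parameters for them; Django hands captured groups to the view, so every reset link would fail with a TypeError before the token is ever checked. Forward them untouched so the stock view can do the uid/token validation: `def reset_confirm(request, *args, **kwargs):` / `    return authviews.password_reset_confirm(request, *args, template_name='account/password_reset_confirm.html', **kwargs)`. The wrapper should stay a pure pass-through; it must not consume, log or reinterpret the token, since the contrib view is the only place that validates it.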
--- a/pgweb/account/views.py
+++ b/pgweb/account/views.py
@@ -135,6 +135,22 @@ def resetpwd(request):
     return authviews.password_reset(request, template_name='account/password_reset.html', email_template_name='account/password_reset_email.txt')
+@ssl_required
+def change_done(request):
+    return authviews.password_change_done(request, template_name='account/password_change_done.html')
+
+@ssl_required
+def reset_done(request):
+    return authviews.password_reset_done(request, template_name='account/password_reset_done.html')
+
+@ssl_required
+def reset_confirm(request):
+    return authviews.password_reset_confirm(request, template_name='account/password_reset_confirm.html')
+
+@ssl_required
+def reset_complete(request):
+    return authviews.password_reset_complete(request, template_name='account/password_reset_complete.html')
+
 @ssl_required
 def signup(request):
     if request.user.is_authenticated():
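Review bot: Neither the new `reset_confirm` wrapper nor the `resetpwd` call shown as context passes `post_reset_redirect`, and in the Django releases of this era the contrib views default it to `reverse('django.contrib.auth.views.password_reset_complete')` and `reverse('django.contrib.auth.views.password_reset_done')` respectively — names that no longer resolve once urls.py routes those paths to `account.views.*`, so a successful POST would end in NoReverseMatch instead of the done/complete page. Pass the new names explicitly, e.g. `post_reset_redirect=reverse('account.views.reset_complete')` in `reset_confirm` and `post_reset_redirect=reverse('account.views.reset_done')` in `resetpwd` (with `reverse` from `django.core.urlresolvers` if it is not already imported), and check that `changepwd`, outside this hunk, has the same problem with `post_change_redirect`. The commit message refers to `@require_ssl` while the decorator applied here is `@ssl_required`; a one-line comment above the group, `# SSL-only wrappers: the contrib views do the actual token and form handling`, would document why these thin functions exist. `signup` continues past the end of the hunk.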