add a message about the level of password complexity required (bug 662927)

2011-06-14 16:13:58 -07:00 · 2011-06-14 16:13:58 -07:00 · 38f80498ae
--- a/apps/users/forms.py
+++ b/apps/users/forms.py
@ -12,7 +12,6 @@ import commonware.log
 import happyforms
 from tower import ugettext as _, ugettext_lazy as _lazy

-from access.acl import action_allowed_user
 import amo
 from amo.utils import slug_validator
 from .models import (UserProfile, BlacklistedUsername, BlacklistedEmailDomain,
@ -40,9 +39,7 @@ class PasswordMixin:
            return data

        user = getattr(self, instance, None)
-        if (user and user.pk and
-            (action_allowed_user(user, 'Editors', '%')
-             or action_allowed_user(user, 'Admin', '%'))):
+        if user and user.pk and user.needs_tougher_password:
            if not admin_re.search(data):
                raise forms.ValidationError(_('Letters and numbers required.'))

--- a/apps/users/models.py
+++ b/apps/users/models.py
@ -166,6 +166,12 @@ class UserProfile(amo.models.ModelBase):
    def is_developer(self):
        return self.addonuser_set.exists()

+    @amo.cached_property
+    def needs_tougher_password(user):
+        from access.acl import action_allowed_user
+        return (action_allowed_user(user, 'Editors', '%')
+                or action_allowed_user(user, 'Admin', '%'))
+
    @property
    def name(self):
        return self.display_name or self.username
--- a/apps/users/templates/users/edit.html
+++ b/apps/users/templates/users/edit.html
@ -56,6 +56,7 @@
              <label for="id_password">{{ _('New Password') }}</label>
              {{ form.password }}
              {{ form.password.errors }}
+              {% with form_user=form.instance %}{% include "users/tougher_password.html" %}{% endwith %}
            </li>
            <li>
              <label for="id_password2">{{ _('Confirm New Password') }}</label>
--- a/apps/users/templates/users/pwreset_confirm.html
+++ b/apps/users/templates/users/pwreset_confirm.html
@ -18,6 +18,7 @@
              </label>
              {{ form.new_password1 }}
              {{ form.new_password1.errors }}
+              {% with form_user=form.user %}{% include "users/tougher_password.html" %}{% endwith %}
            </li>
            <li>
              <label for="id_new_password2">{{ _('Confirm password') }} {{ required() }}</label>
--- a/apps/users/templates/users/tougher_password.html
+++ b/apps/users/templates/users/tougher_password.html
@ -0,0 +1,3 @@
+{% if form_user.needs_tougher_password -%}
+<p>{{ _('For your account a password must contain at least 8 characters including letters and numbers.') }}</p>
+{%- endif %}
--- a/apps/users/tests/test_views.py
+++ b/apps/users/tests/test_views.py
@ -206,11 +206,19 @@ class TestLogin(UserViewBase):
 class TestReset(UserViewBase):
    fixtures = ['base/users']

-    def test_reset(self):
-        user = User.objects.get(email='editor@mozilla.com').get_profile()
-        token = [int_to_base36(user.id),
-                 default_token_generator.make_token(user)]
-        res = self.client.post(reverse('users.pwreset_confirm', args=token),
+    def setUp(self):
+        user = User.objects.get(email='editor@mozilla.com')
+        self.token = [int_to_base36(user.id),
+                      default_token_generator.make_token(user)]
+
+    def test_reset_msg(self):
+        res = self.client.get(reverse('users.pwreset_confirm',
+                                       args=self.token))
+        assert 'For your account' in res.content
+
+    def test_reset_fails(self):
+        res = self.client.post(reverse('users.pwreset_confirm',
+                                       args=self.token),
                               data={'new_password1': 'spassword',
                                     'new_password2': 'spassword'})
        eq_(res.context['form'].errors['new_password1'][0],
--- a/apps/users/urls.py
+++ b/apps/users/urls.py
@ -37,10 +37,8 @@ users_patterns = patterns('',
                        {'template_name': 'users/pwreset_sent.html'},
                        name="users.pwreset_sent"),
    url(r'^pwreset/(?P<uidb36>\w{1,13})/(?P<token>\w{1,13}-\w{1,20})$',
-                        auth_views.password_reset_confirm,
-                        {'template_name': 'users/pwreset_confirm.html',
-                         'set_password_form': forms.SetPasswordForm,
-                        }, name="users.pwreset_confirm"),
+                        views.password_reset_confirm,
+                        name="users.pwreset_confirm"),
    url(r'^pwresetcomplete$', auth_views.password_reset_complete,
                        {'template_name': 'users/pwreset_complete.html'},
                        name="users.pwreset_complete"),
--- a/apps/users/views.py
+++ b/apps/users/views.py
@ -4,6 +4,10 @@ from django.db import IntegrityError
 from django.shortcuts import get_object_or_404, redirect
 from django.contrib import auth
 from django.template import Context, loader
+from django.views.decorators.cache import never_cache
+from django.utils.http import base36_to_int
+from django.contrib.auth.models import User
+from django.contrib.auth.tokens import default_token_generator

 import commonware.log
 import jingo
@ -433,3 +437,35 @@ def report_abuse(request, user_id):
        return jingo.render(request, 'users/report_abuse_full.html',
                            {'profile': user, 'abuse_form': form, })
    return redirect(reverse('users.profile', args=[user.pk]))
+
+
+@never_cache
+def password_reset_confirm(request, uidb36=None, token=None):
+    """
+    Pulled from django contrib so that we can add user into the form
+    so then we can show relevant messages about the user.
+    """
+    assert uidb36 is not None and token is not None
+    user = None
+    try:
+        uid_int = base36_to_int(uidb36)
+        user = User.objects.get(id=uid_int)
+    except (ValueError, User.DoesNotExist):
+        pass
+
+    if user is not None and default_token_generator.check_token(user, token):
+        validlink = True
+        if request.method == 'POST':
+            form = forms.SetPasswordForm(user, request.POST)
+            if form.is_valid():
+                form.save()
+                return redirect(reverse('django.contrib.auth.'
+                                        'views.password_reset_complete'))
+        else:
+            form = forms.SetPasswordForm(user)
+    else:
+        validlink = False
+        form = None
+
+    return jingo.render(request, 'users/pwreset_confirm.html',
+                        {'form': form, 'validlink': validlink})