X-Git-Url: http://git.ithinksw.org/philo.git/blobdiff_plain/f757bbbcb48042b6cfaf44931c2313326afc0c09..cd3e03effc20790582d5ae6e8f2c1597c49ce31e:/contrib/waldo/tokens.py diff --git a/contrib/waldo/tokens.py b/contrib/waldo/tokens.py index fe32274..80f0b11 100644 --- a/contrib/waldo/tokens.py +++ b/contrib/waldo/tokens.py @@ -7,23 +7,17 @@ from datetime import date from django.conf import settings from django.utils.http import int_to_base36, base36_to_int from django.contrib.auth.tokens import PasswordResetTokenGenerator +from hashlib import sha1 REGISTRATION_TIMEOUT_DAYS = getattr(settings, 'WALDO_REGISTRATION_TIMEOUT_DAYS', 1) +EMAIL_TIMEOUT_DAYS = getattr(settings, 'WALDO_EMAIL_TIMEOUT_DAYS', 1) class RegistrationTokenGenerator(PasswordResetTokenGenerator): """ Strategy object used to generate and check tokens for the user registration mechanism. """ - def make_token(self, user): - """ - Returns a token that can be used once to activate a user's account. - """ - if user.is_active: - return False - return self._make_token_with_timestamp(user, self._num_days(self._today())) - def check_token(self, user, token): """ Check that a registration token is correct for a given user. @@ -59,8 +53,53 @@ class RegistrationTokenGenerator(PasswordResetTokenGenerator): # By hashing on the internal state of the user and using state that is # sure to change, we produce a hash that will be invalid as soon as it # is used. - from django.utils.hashcompat import sha_constructor - hash = sha_constructor(settings.SECRET_KEY + unicode(user.id) + unicode(user.is_active) + user.last_login.strftime('%Y-%m-%d %H:%M:%S') + unicode(timestamp)).hexdigest()[::2] + hash = sha1(settings.SECRET_KEY + unicode(user.id) + unicode(user.is_active) + user.last_login.strftime('%Y-%m-%d %H:%M:%S') + unicode(timestamp)).hexdigest()[::2] return '%s-%s' % (ts_b36, hash) -registration_token_generator = RegistrationTokenGenerator() \ No newline at end of file + +registration_token_generator = RegistrationTokenGenerator() + + +class EmailTokenGenerator(PasswordResetTokenGenerator): + """ + Strategy object used to generate and check tokens for a user email change mechanism. + """ + def make_token(self, user, email): + """ + Returns a token that can be used once to do an email change for the given user and email. + """ + return self._make_token_with_timestamp(user, email, self._num_days(self._today())) + + def check_token(self, user, email, token): + if email == user.email: + return False + + # Parse the token + try: + ts_b36, hash = token.split('-') + except ValueError: + return False + + try: + ts = base36_to_int(ts_b36) + except ValueError: + return False + + # Check that the timestamp and uid have not been tampered with. + if self._make_token_with_timestamp(user, email, ts) != token: + return False + + # Check that the timestamp is within limit + if (self._num_days(self._today()) - ts) > EMAIL_TIMEOUT_DAYS: + return False + + return True + + def _make_token_with_timestamp(self, user, email, timestamp): + ts_b36 = int_to_base36(timestamp) + + hash = sha1(settings.SECRET_KEY + unicode(user.id) + user.email + email + unicode(timestamp)).hexdigest()[::2] + return '%s-%s' % (ts_b36, hash) + + +email_token_generator = EmailTokenGenerator() \ No newline at end of file