Richard Jones committed 891f354

fixes

Comments (0)

Files changed (2)

templates/password_reset.pt

       username!</strong></p>
 
     <form tal:attributes="action app/url_path" method="POST">
-      <input type="hidden" name=":action" value="pw_reset" />
+      <input type="hidden" name=":action" value="forgotten_password" />
       <table class="form">
     <tr>
       <th>Username:</th>
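Review bot: The hidden `:action` value on the username form is switched from `pw_reset` to `forgotten_password`, but the commit message ("fixes") does not say why; the second file in this commit still shows `def pw_reset(self)` handling the "clicked the reset link" case, so the point of this hunk is presumably that the request-a-reset form was posting to the wrong handler. Please state that in the commit message, and check that no other template still posts `pw_reset` for the initial request form.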
         # we include a snip of the current password hash so that the OTK can't
         # be used again once the password is changed. And hash it to be extra
         # obscure
-        return reset_signer.dumps((name, user['password'][-4:]))
+        return reset_signer.dumps((user['name'], user['password'][-4:]))
 
     def _decode_reset_otk(self, otk):
         reset_signer = itsdangerous.URLSafeTimedSerializer(
             self.config.reset_secret, 'password-recovery')
         try:
             # we allow 6 hours
-            name, x = reset_signer.loads(otk, max_age=6*60*60)
+            name, pwfrag = reset_signer.loads(otk, max_age=6*60*60)
         except itsdangerous.BadData:
             return None
-        return self.store.get_user(name)
+        user = self.store.get_user(name)
+        if pwfrag == user['password'][-4:]:
+            return user
+        return None
 
     def pw_reset(self):
         '''The user has clicked the reset link in the email we sent them.
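Review bot: The new comparison in `_decode_reset_otk` dereferences `user['password']` before checking that `self.store.get_user(name)` returned a user; if the account named in a still-valid token has since been deleted or renamed, `user` is `None` and this raises `TypeError` instead of returning `None`. Suggest guarding it, e.g. `if user is None: return None` before `if pwfrag == user['password'][-4:]:`. Separately, the comment on the encoder says the password-hash snippet is hashed "to be extra obscure", but `reset_signer.dumps((user['name'], user['password'][-4:]))` stores the fragment as-is; `URLSafeTimedSerializer` signs but does not encrypt, so anyone holding the token can read the last four characters of the stored hash. Either hash the fragment before including it, as the comment claims, or correct the comment so it matches the code.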