diff --git a/flask_user/__init__.py b/flask_user/__init__.py
index c0680631..038da249 100644
--- a/flask_user/__init__.py
+++ b/flask_user/__init__.py
@@ -236,7 +236,7 @@ def hash_password(self, password):
 return passwords.hash_password(self, password)
 def get_password(self, user):
- use_auth_class = True if self.db_adapter.UserAuthClass and hasattr(user, 'user_auth') else False
+ use_auth_class = self.db_adapter.UserAuthClass and hasattr(user, 'user_auth')
 # Handle v0.5 backward compatibility
 if self.db_adapter.UserProfileClass:
 hashed_password = user.password
@@ -245,7 +245,7 @@ def get_password(self, user):
 return hashed_password
 def update_password(self, user, hashed_password):
- use_auth_class = True if self.db_adapter.UserAuthClass and hasattr(user, 'user_auth') else False
+ use_auth_class = self.db_adapter.UserAuthClass and hasattr(user, 'user_auth')
 if use_auth_class:
 user.user_auth.password = hashed_password
@@ -261,6 +261,9 @@ def verify_password(self, password, user):
 verified = False
 hashed_password = self.get_password(user)
+ if not hashed_password:
+ return False
+
 try:
 verified = passwords.verify_password(self, password, hashed_password)
 except ValueError:
diff --git a/flask_user/forms.py b/flask_user/forms.py
index 842a49b4..3af14683 100644
--- a/flask_user/forms.py
+++ b/flask_user/forms.py
@@ -82,6 +82,17 @@ class ChangePasswordForm(Form):
 next = HiddenField()
 submit = SubmitField(_('Change password'))
+ def __init__(self, formdata=None, obj=None, prefix='', data=None, meta=None, user=None, **kw):
+ self.user = user
+ return super(ChangePasswordForm, self).__init__(
+ formdata=formdata,
+ obj=obj,
+ prefix=prefix,
+ data=data,
+ meta=meta,
+ **kw
+ )
+
 def validate(self):
 # Use feature config to remove unused form fields
 user_manager = current_app.user_manager
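Review bot: Dropping the `True if … else False` wrapper changes what `use_auth_class` is bound to in the `get_password` hunk and again in the `update_password` hunk: when `self.db_adapter.UserAuthClass` is falsy the name now holds that falsy value rather than `False`, and otherwise the result of `hasattr`. The `if use_auth_class:` test visible in `update_password` only needs truthiness, so behaviour is unchanged, but a name that reads as a flag is easier to reason about if it stays a bool: `use_auth_class = bool(self.db_adapter.UserAuthClass) and hasattr(user, 'user_auth')`. Both enclosing methods continue past their hunks.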
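Review bot: The new early return in `verify_password` deserves a comment saying why it exists, because a reader may otherwise assume the `try`/`except ValueError` below already covers an empty hash. A line such as `# No stored hash for this user: fail closed without invoking the hasher` above `if not hashed_password:` would also record that this guard appears to be what the `LoginForm.validate` hunk in forms.py now relies on, since that hunk drops its own `user.password` check. Note that `get_password(user)` runs before the guard, so `user` must still be non-None on entry; the caller shown in the diff only reaches this after `if user and …`. The body of `verify_password` continues outside the hunk.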
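Review bot: `__init__` returns the value of `super(ChangePasswordForm, self).__init__(...)` in the new constructor, and the same pattern appears in the `ResetPasswordForm.__init__` hunk; an initialiser should not `return` anything, so drop the `return` and keep the bare `super(...).__init__(...)` call. The new `user` keyword is also undocumented: a short docstring such as `"""Form for changing a password; *user* is the account the form validates against and is stored as self.user."""` would tell callers what to pass — the views hunks pass `current_user` for this form and the token-derived `user` for the reset form. Whether `validate` actually consults `self.user` is outside the hunk, so confirm it does and that the reset form no longer falls back to `current_user`.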
@@ -210,7 +221,7 @@ def validate(self):
 user, user_email = user_manager.find_user_by_email(self.email.data)
 # Handle successful authentication
- if user and user.password and user_manager.verify_password(self.password.data, user):
+ if user and user_manager.verify_password(self.password.data, user):
 return True # Successful authentication
 # Handle unsuccessful authentication
@@ -308,6 +319,17 @@ class ResetPasswordForm(Form):
 next = HiddenField()
 submit = SubmitField(_('Change password'))
+ def __init__(self, formdata=None, obj=None, prefix='', data=None, meta=None, user=None, **kw):
+ self.user = user
+ return super(ResetPasswordForm, self).__init__(
+ formdata=formdata,
+ obj=obj,
+ prefix=prefix,
+ data=data,
+ meta=meta,
+ **kw
+ )
+
 def validate(self):
 # Use feature config to remove unused form fields
 user_manager = current_app.user_manager
diff --git a/flask_user/views.py b/flask_user/views.py
index 28f4e650..d13d6196 100644
--- a/flask_user/views.py
+++ b/flask_user/views.py
@@ -80,7 +80,8 @@ def change_password():
 db_adapter = user_manager.db_adapter
 # Initialize form
- form = user_manager.change_password_form(request.form)
+ form = user_manager.change_password_form(request.form, user=current_user)
+ form.next.data = request.args.get('next', _endpoint_url(user_manager.after_change_password_endpoint)) # Place ?next query param in next form field
 # Process valid POST
@@ -580,7 +581,7 @@ def reset_password(token):
 user_email.confirmed_at = datetime.utcnow()
 # Initialize form
- form = user_manager.reset_password_form(request.form)
+ form = user_manager.reset_password_form(request.form, user=user)
 # Process valid POST
 if request.method=='POST' and form.validate():
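Review bot: The new `form.next.data = request.args.get('next', …)` line in `change_password` copies the `next` query parameter into the hidden form field without any validation; if the redirect at the end of the view (outside this hunk) uses `form.next.data`, the view must first check that the value is a path on this site — for example reject any value whose `urlparse(...).netloc` is non-empty and differs from `request.host` — otherwise a crafted link can send the user off-site after a successful password change. The trailing `# Place ?next query param in next form field` comment would be the place to state that the value is validated before use, once it is. `change_password` continues outside the hunk.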
@@ -590,9 +591,7 @@ def reset_password(token):
 # Change password
 hashed_password = user_manager.hash_password(form.new_password.data)
- user_auth = user.user_auth if db_adapter.UserAuthClass and hasattr(user, 'user_auth') else user
- db_adapter.update_object(user_auth, password=hashed_password)
- db_adapter.commit()
+ user_manager.update_password(user, hashed_password)
 # Send 'password_changed' email
 if user_manager.enable_email and user_manager.send_password_changed_email:
@@ -733,5 +732,3 @@ def _endpoint_url(endpoint):
 if endpoint:
 url = url_for(endpoint)
 return url
-
-
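Review bot: The removed block in `reset_password` called `db_adapter.commit()` explicitly, and the single `user_manager.update_password(user, hashed_password)` that replaces it only persists the new hash if `update_password` itself commits; the `update_password` hunk in `flask_user/__init__.py` shows the attribute assignment but no commit, so confirm one is there, or the reset — and the `user_email.confirmed_at` update a few lines above — silently never reaches the database. With the `db_adapter.UserAuthClass` reference gone, `db_adapter` may now be unused in this view; drop its assignment if nothing else in the function references it. The body of `reset_password` starts and ends outside this hunk.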