password reset form, own clean method - django

I want to write my own method for the password reset form to make some tests about the new password (length, characters,...). So I added this class to my forms.py:
class PasswordResetForm(SetPasswordForm):
def clean(self):
if 'newpassword1' in self.cleaned_data and 'newpassword2' in self.cleaned_data:
if self.cleaned_data['newpassword1'] != self.cleaned_data['newpassword2']:
raise forms.ValidationError(("The two password fields didn't match."))
#here the passwords entered are the same
if len(self.cleaned_data['newpassword1']) < 8:
raise forms.ValidationError(("Your password has to be at least 8 characters long"))
if not re.search('\d+', self.cleaned_data['newpassword1']) or not re.search('([a-zA-Z])+', self.cleaned_data['new password1']):
raise forms.ValidationError(("Your password needs to contain at least one number and one character"))
return self.cleaned_data
and in the urls.py I added this:
url(r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$', django.contrib.auth.views.password_reset_confirm, {'template_name':'registration/password_reset_confirm.html',
'set_password_form': PasswordResetForm})
But my own clean method isn't called. Whats wrong with this?

this answer may look stupid and i don't have the justification but i ran in the same problem and i solved it by replacing the
self.cleaned_data['newpassword1']
by
self.cleaned_data.get('newpassword1')
for all the clean_data set:
class PasswordResetForm(SetPasswordForm):
def clean(self):
cleaned_data = self.cleaned_data
if 'newpassword1' in cleaned_data and 'newpassword2' in cleaned_data:
if cleaned_data.get('newpassword1') != cleaned_data.get('newpassword2'):
raise forms.ValidationError(("The two password fields didn't match."))
if len(cleaned_data.get('newpassword1')) < 8:
raise forms.ValidationError(("Your password has to be at least 8 characters long"))
if not re.search('\d+', cleaned_data.get('newpassword1')) or not re.search('([a-zA-Z])+', cleaned_data.get('new password1')):
raise forms.ValidationError(("Your password needs to contain at least one number and one character"))
return cleaned_data

I found the error. It was a mistake in my urls.py. It needed to be:
url(r'^password/reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$',django.contrib.auth.views.password_reset_confirm,{'template_name':'registration/password_reset_confirm.html','set_password_form': PasswordResetForm})
I don't know why I still got an password reset form and not a 404. Maybe someone can tell me. I'm a bit worried that there might still be a possible way to use the standard reset form.

Related

Python Django prevent password reuse

I'm currently trying to prevent users from using their old passwords (configurable, like say last 5 passwords)
I have the following Infos:
User passwort in cleartext from the form during validation (form.cleaned_data['new_password1'])
Their current hashed Password (pwd_before_change)
Their last x passwords also hashed (pws)
Funnily enough my code works for the current password, but not for my old ones:
pwd_before_change = user_to_change.password
....
old_pws = Passwords.objects.filter(username=user_to_change).order_by('-password_changed')[:allowed_reuse].values_list('password', flat=True)
....
if old_pws:
for pws in old_pws:
if check_password(form.cleaned_data['new_password1'], pws) or \
check_password(form.cleaned_data['new_password1'], pwd_before_change)
messages.error(request,
f'You are not allowed a password which was already used in the last '
f'{allowed_reuse + 1} iterations')
return render(request, 'registration/password_change.html', {
'form': form
})
Any ideas what the issue may be? (additional info, I'm using Argon2).
Do I really need to encode the cleartext password again with all possible "salt" in the old passwords and check? (this would make the method depending on the hasher function which would not be ideal + I thought the check passwort function was exactly for scenarios like this?)
Ok, not sure what exactly was the issue, but I split up the "if" and now it works:
logger_user.info("User {} is attempting a password change".format(username))
if form.is_valid():
# Get the allowed Password counter from the settings, reduce by 1 as the current password is also checked!
allowed_reuse = settings.PASSWORD_REUSE - 1
logger_user.info(f"Allowed PWs: {allowed_reuse +1 }")
if check_password(form.cleaned_data['new_password1'], pwd_before_change):
messages.error(request, f'You are not allowed to re-use your current password')
return render(request, 'registration/password_change.html', {
'form': form
})
# Retrieve the last x passwords according to the Password Reuse Setting
old_pws = Passwords.objects.filter(username=user_to_change).order_by('-password_changed')[:allowed_reuse].values_list('password', flat=True)
# Compare the new Passwort with the old passwords
if old_pws:
for pw in old_pws:
if check_password(form.cleaned_data['new_password1'], pw):
messages.error(request,
f'You are not allowed a password which was already used in the last '
f'{allowed_reuse + 1} iterations')
return render(request, 'registration/password_change.html', {
'form': form
})

forms.ValidationError bug?

this is my third day in django and I'm working on my validation form and i came across this weird bug where my validation form didn't do anything so here's the code
class RegisterForm(forms.ModelForm):
email = forms.EmailField(label="E-Mail", error_messages={'required': 'Please enter your name'})
class Meta:
model = LowUser
fields =['fullname', 'email', 'password', 'bio']
widgets = {
'password' : forms.PasswordInput()
}
def clean_fullname(self):
data = self.cleaned_data.get("fullname")
if 'ab' in data:
raise forms.ValidationError('invalid')
else:
return data
if i input "ac" to the fullname it works perfectly fine it adds the input to the database. But if i input "ab" it didn't do anything it doesn't give me any errors nor add the input to my database. And I'm pretty sure my forms.ValidationError is bugging because if i change my raise forms.ValidationError('invalid') to raise NameError('Test') like this
def clean_fullname(self):
data = self.cleaned_data.get("fullname")
if 'ab' in data:
raise NameError('Test')
else:
return data
and i input "ab". It works completely fine and it gave me this page
and I'm using django 2.1.5 if you're wondering i would appreciate any help
thank you in advance
If i input "ac" to the fullname it works perfectly fine it adds the input to the database. But if i input "ab" it didn't do anything it doesn't give me any errors nor add the input to my database.
That is expected behavior, ValidationErrors are used to collect all errors.
The idea is that you raise ValidationErrors. These are all collected, and when one such error is present, form.is_valid() will return False, and the form.errors will contain a dictionary-like object with all the errors. The reason this is done is to collect problems with all fields in one single pass, such that it does not only report the first error of the form data.
Imagine that you have five fields with mistakes, and the form only reports problems with the first field. Then it takes five rounds before all fields are validated. By collecting all errors, it can show multiple ones. You can even return multiple errors on the same field.
For more information, see the raising ValidationError` section of the Django documentation.
Thanks to Willem i realized that the problem was in my views.py.
def registerForm(request):
regisform = RegisterForm()
cntxt = {'mainregisform': regisform, 'tst': ''}
if request.method == 'POST':
regisform = RegisterForm(request.POST)
if regisform.is_valid():
regisform.save()
return render(request, 'userregister.html', cntxt)
i thought that the ValidationError wasn't giving me any errors because usually there's an error message on top of my input box, but it actually did gave me an error. the problem was i define the mainregisform before the regisform got re-rendered therefore i never got error message

Django Form Validation don't keep password with ValidationError

I have written clean field based validation. To check I enter unmatching passwords this wipe off passwords from both the fields. This can annoy user. I want this like "If error let the user change a bit..don't retype whole password". However username validation keeps the username in the field
after error.Why this is happening?
class signupform(ModelForm):
prmqpass=forms.CharField(widget=forms.PasswordInput())
prmqpass1=forms.CharField(widget=forms.PasswordInput())
class Meta:
model=prmqsignup
exclude=['prmqactivated']
def clean_prmqpass(self):
cd=self.cleaned_data
pwd=cd.get("prmqpass")
if len(str(pwd))<6:
raise ValidationError("Password must be at least of six characters")
if not passstrength(pwd):
raise ValidationError("For stronger security password must contain at least one uppercase,lowercase,number and special character")
return pwd
def clean_prmquname(self):
cd=self.cleaned_data
usrname=cd.get("prmquname")
if len(usrname)<5:
raise ValidationError("Username too short choose more than four characters")
if prmqsignup.objects.exclude(pk=self.instance.pk).filter(prmquname=usrname).exists():
raise ValidationError('Username "%s" is already in use.' % usrname)
return usrname
def clean(self):
cd=self.cleaned_data
pwd=cd.get("prmqpass")
pwd1=cd.get("prmqpass1")
if not pwd==pwd1:
raise ValidationError("Passwords don't match.")
return cd
Why username value(staying in form) and password value(flashing away) after error.See validation logic is same.
From the documentation:
Password input: <input type='password' ...>
Takes one optional argument:
render_value: Determines whether the widget will have a value filled in when the form is re-displayed after a validation error (default is False).
So you need to initialise your inputs like so:
prmqpass = forms.CharField(widget=forms.PasswordInput(render_value=True))

Django validate field based on value from another field

I have this django field called is_private indicating whether the posting done by the user is private or not. If the posting is private then a certain field called private_room must be mentioned otherwise a field called public_room is required.
In the clean_private_room and clean_public_room fields I'm doing a check to see the value of is_private. If the room is private then in the clean_public_room method I simply return an empty string "" and the same for clean_private_room otherwise I continue with the validation.
The problem is that checking with self.cleaned_data.get('is_private') is returning different results in those two methods. I tried debugging the code and printed the self.cleaned_data value to the terminal and in one of the methods cleaned data contains one form field and in the other method contains my full posted values.
Here's a part of my code, please read the comments in it to see where I print and what gets printed. I don't know why it's behaving this way.
class RoomForm( forms.ModelForm ):
...
def clean_is_private( self ):
if not 'is_private' in self.cleaned_data:
raise forms.ValidationError("please select the type of room (private/public)")
return self.cleaned_data.get("is_private")
def clean_public_room( self ):
print "<clean_public_room>"
# !!!!!!!!!
# when printing this one I only get one form value which is: public_room
print self.cleaned_data
if self.cleaned_data.get("is_private"):
return ""
# otherwise....
if not self.cleaned_data.get("public_room"):
raise forms.ValidationError(
'you need to mention a public room'
)
return self.cleaned_data[ 'public_room' ]
def clean_private_room( self ):
print "<clean_private_room>"
# !!!!!!!!!
# when printing this one I get all form values: public_room, private_room, is_private
print self.cleaned_data
if not self.cleaned_data.get("is_private"):
return ""
# otherwise....
if not self.cleaned_data.get("private_room"):
raise forms.ValidationError(
'you need to mention a private room'
)
return self.cleaned_data[ 'private_room' ]
Form fields are cleaned in the order they defined in the form. So you just need to put is_private field before the public_room in the fields list.

Django: Overriding the clean() method in forms - question about raising errors

I've been doing things like this in the clean method:
if self.cleaned_data['type'].organized_by != self.cleaned_data['organized_by']:
raise forms.ValidationError('The type and organization do not match.')
if self.cleaned_data['start'] > self.cleaned_data['end']:
raise forms.ValidationError('The start date cannot be later than the end date.')
But then that means that the form can only raise one of these errors at a time. Is there a way for the form to raise both of these errors?
EDIT #1:
Any solutions for the above are great, but would love something that would also work in a scenario like:
if self.cleaned_data['type'].organized_by != self.cleaned_data['organized_by']:
raise forms.ValidationError('The type and organization do not match.')
if self.cleaned_data['start'] > self.cleaned_data['end']:
raise forms.ValidationError('The start date cannot be later than the end date.')
super(FooAddForm, self).clean()
Where FooAddForm is a ModelForm and has unique constraints that might also cause errors. If anyone knows of something like that, that would be great...
From the docs:
https://docs.djangoproject.com/en/1.7/ref/forms/validation/#cleaning-and-validating-fields-that-depend-on-each-other
from django.forms.util import ErrorList
def clean(self):
if self.cleaned_data['type'].organized_by != self.cleaned_data['organized_by']:
msg = 'The type and organization do not match.'
self._errors['type'] = ErrorList([msg])
del self.cleaned_data['type']
if self.cleaned_data['start'] > self.cleaned_data['end']:
msg = 'The start date cannot be later than the end date.'
self._errors['start'] = ErrorList([msg])
del self.cleaned_data['start']
return self.cleaned_data
errors = []
if self.cleaned_data['type'].organized_by != self.cleaned_data['organized_by']:
errors.append('The type and organization do not match.')
if self.cleaned_data['start'] > self.cleaned_data['end']:
errors.append('The start date cannot be later than the end date.')
if errors:
raise forms.ValidationError(errors)
Although its old post, if you want less code you can use add_error() method to add error messages. I am extending the #kemar's answer to show the used case:
add_error() automatically removes the field from cleaned_data dictionary, you dont have to delete it manually.
Also you dont have to import anything to use this.
documentation is here
def clean(self):
if self.cleaned_data['type'].organized_by != self.cleaned_data['organized_by']:
msg = 'The type and organization do not match.'
self.add_error('type', msg)
if self.cleaned_data['start'] > self.cleaned_data['end']:
msg = 'The start date cannot be later than the end date.'
self.add_error('start', msg)
return self.cleaned_data
If you'd prefer that the error messages be attached to the form rather than to specific fields, you can use the key "__all__" like this:
msg = 'The type and organization do not match.'
self._errors['__all__'] = ErrorList([msg])
Also, as the Django docs explain: "if you want to add a new error to a particular field, you should check whether the key already exists in self._errors or not. If not, create a new entry for the given key, holding an empty ErrorList instance. In either case, you can then append your error message to the list for the field name in question and it will be displayed when the form is displayed."