Use password validation in change password flow

This also moves the form validation into a form instead of doing it in the view.
2022-07-15 10:45:08 -07:00 · 2022-07-15 10:45:08 -07:00 · 659ee96002
commit 659ee96002
parent 4a65ee326a
4 changed files with 70 additions and 45 deletions
--- a/bookwyrm/views/preferences/change_password.py
+++ b/bookwyrm/views/preferences/change_password.py
@ -3,11 +3,10 @@ from django.contrib.auth import login
 from django.contrib.auth.decorators import login_required
 from django.template.response import TemplateResponse
 from django.utils.decorators import method_decorator
-from django.utils.translation import gettext_lazy as _
 from django.views import View
 from django.views.decorators.debug import sensitive_variables, sensitive_post_parameters

-from bookwyrm import models
+from bookwyrm import forms


 # pylint: disable= no-self-use
@ -17,33 +16,24 @@ class ChangePassword(View):

    def get(self, request):
        """change password page"""
-        data = {"user": request.user}
+        data = {"form": forms.ChangePasswordForm()}
        return TemplateResponse(request, "preferences/change_password.html", data)

    @sensitive_variables("new_password")
-    @sensitive_variables("confirm_password")
    @method_decorator(sensitive_post_parameters("current_password"))
    @method_decorator(sensitive_post_parameters("password"))
    @method_decorator(sensitive_post_parameters("confirm__password"))
    def post(self, request):
        """allow a user to change their password"""
-        data = {"user": request.user}
-
-        # check current password
-        user = models.User.objects.get(id=request.user.id)
-        if not user.check_password(request.POST.get("current_password")):
-            data["errors"] = {"current_password": [_("Incorrect password")]}
-            return TemplateResponse(request, "preferences/change_password.html", data)
-
-        new_password = request.POST.get("password")
-        confirm_password = request.POST.get("confirm-password")
-
-        if new_password != confirm_password:
-            data["errors"] = {"confirm_password": [_("Password does not match")]}
+        form = forms.ChangePasswordForm(request.POST, instance=request.user)
+        if not form.is_valid():
+            data = {"form": form}
            return TemplateResponse(request, "preferences/change_password.html", data)

+        new_password = form.cleaned_data["password"]
        request.user.set_password(new_password)
        request.user.save(broadcast=False, update_fields=["password"])
+
        login(request, request.user)
-        data["success"] = True
+        data = {"success": True, "form": forms.ChangePasswordForm()}
        return TemplateResponse(request, "preferences/change_password.html", data)