1 files changed, 56 insertions, 47 deletions

diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index 13ddcd3841..13647865d4 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -1,10 +1,11 @@
 from django.contrib.auth.models import User
 from django.contrib.auth import authenticate
+from django.contrib.auth.tokens import default_token_generator
 from django.contrib.sites.models import Site
 from django.template import Context, loader
-from django.core import validators
 from django import forms
 from django.utils.translation import ugettext_lazy as _
+from django.utils.http import int_to_base36
 
 class UserCreationForm(forms.ModelForm):
     """
@@ -13,13 +14,13 @@ class UserCreationForm(forms.ModelForm):
     username = forms.RegexField(label=_("Username"), max_length=30, regex=r'^\w+$',
         help_text = _("Required. 30 characters or fewer. Alphanumeric characters only (letters, digits and underscores)."),
         error_message = _("This value must contain only letters, numbers and underscores."))
-    password1 = forms.CharField(label=_("Password"), max_length=60, widget=forms.PasswordInput)
-    password2 = forms.CharField(label=_("Password confirmation"), max_length=60, widget=forms.PasswordInput)
-    
+    password1 = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
+    password2 = forms.CharField(label=_("Password confirmation"), widget=forms.PasswordInput)
+
     class Meta:
         model = User
         fields = ("username",)
-    
+
     def clean_username(self):
         username = self.cleaned_data["username"]
         try:
@@ -27,14 +28,14 @@ class UserCreationForm(forms.ModelForm):
         except User.DoesNotExist:
             return username
         raise forms.ValidationError(_("A user with that username already exists."))
-    
+
     def clean_password2(self):
         password1 = self.cleaned_data["password1"]
         password2 = self.cleaned_data["password2"]
         if password1 != password2:
             raise forms.ValidationError(_("The two password fields didn't match."))
         return password2
-    
+
     def save(self, commit=True):
         user = super(UserCreationForm, self).save(commit=False)
         user.set_password(self.cleaned_data["password1"])
@@ -48,8 +49,8 @@ class AuthenticationForm(forms.Form):
     username/password logins.
     """
     username = forms.CharField(label=_("Username"), max_length=30)
-    password = forms.CharField(label=_("Password"), max_length=30, widget=forms.PasswordInput)
-    
+    password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
+
     def __init__(self, request=None, *args, **kwargs):
         """
         If request is passed in, the form will validate that cookies are
@@ -60,36 +61,36 @@ class AuthenticationForm(forms.Form):
         self.request = request
         self.user_cache = None
         super(AuthenticationForm, self).__init__(*args, **kwargs)
-    
+
     def clean(self):
         username = self.cleaned_data.get('username')
         password = self.cleaned_data.get('password')
-        
+
         if username and password:
             self.user_cache = authenticate(username=username, password=password)
             if self.user_cache is None:
                 raise forms.ValidationError(_("Please enter a correct username and password. Note that both fields are case-sensitive."))
             elif not self.user_cache.is_active:
                 raise forms.ValidationError(_("This account is inactive."))
-        
+
         # TODO: determine whether this should move to its own method.
         if self.request:
             if not self.request.session.test_cookie_worked():
                 raise forms.ValidationError(_("Your Web browser doesn't appear to have cookies enabled. Cookies are required for logging in."))
-        
+
         return self.cleaned_data
-    
+
     def get_user_id(self):
         if self.user_cache:
             return self.user_cache.id
         return None
-    
+
     def get_user(self):
         return self.user_cache
 
 class PasswordResetForm(forms.Form):
-    email = forms.EmailField(label=_("E-mail"), max_length=40)
-    
+    email = forms.EmailField(label=_("E-mail"), max_length=75)
+
     def clean_email(self):
         """
         Validates that a user exists with the given e-mail address.
@@ -98,16 +99,14 @@ class PasswordResetForm(forms.Form):
         self.users_cache = User.objects.filter(email__iexact=email)
         if len(self.users_cache) == 0:
             raise forms.ValidationError(_("That e-mail address doesn't have an associated user account. Are you sure you've registered?"))
-    
-    def save(self, domain_override=None, email_template_name='registration/password_reset_email.html'):
+
+    def save(self, domain_override=None, email_template_name='registration/password_reset_email.html',
+             use_https=False, token_generator=default_token_generator):
         """
-        Calculates a new password randomly and sends it to the user.
+        Generates a one-use only link for resetting password and sends to the user
         """
         from django.core.mail import send_mail
         for user in self.users_cache:
-            new_pass = User.objects.make_random_password()
-            user.set_password(new_pass)
-            user.save()
             if not domain_override:
                 current_site = Site.objects.get_current()
                 site_name = current_site.name
@@ -116,36 +115,29 @@ class PasswordResetForm(forms.Form):
                 site_name = domain = domain_override
             t = loader.get_template(email_template_name)
             c = {
-                'new_password': new_pass,
                 'email': user.email,
                 'domain': domain,
                 'site_name': site_name,
+                'uid': int_to_base36(user.id),
                 'user': user,
+                'token': token_generator.make_token(user),
+                'protocol': use_https and 'https' or 'http',
             }
             send_mail(_("Password reset on %s") % site_name,
                 t.render(Context(c)), None, [user.email])
 
-class PasswordChangeForm(forms.Form):
+class SetPasswordForm(forms.Form):
     """
-    A form that lets a user change his/her password.
+    A form that lets a user change set his/her password without
+    entering the old password
     """
-    old_password = forms.CharField(label=_("Old password"), max_length=30, widget=forms.PasswordInput)
-    new_password1 = forms.CharField(label=_("New password"), max_length=30, widget=forms.PasswordInput)
-    new_password2 = forms.CharField(label=_("New password confirmation"), max_length=30, widget=forms.PasswordInput)
-    
+    new_password1 = forms.CharField(label=_("New password"), widget=forms.PasswordInput)
+    new_password2 = forms.CharField(label=_("New password confirmation"), widget=forms.PasswordInput)
+
     def __init__(self, user, *args, **kwargs):
         self.user = user
-        super(PasswordChangeForm, self).__init__(*args, **kwargs)
-    
-    def clean_old_password(self):
-        """
-        Validates that the old_password field is correct.
-        """
-        old_password = self.cleaned_data["old_password"]
-        if not self.user.check_password(old_password):
-            raise forms.ValidationError(_("Your old password was entered incorrectly. Please enter it again."))
-        return old_password
-    
+        super(SetPasswordForm, self).__init__(*args, **kwargs)
+
     def clean_new_password2(self):
         password1 = self.cleaned_data.get('new_password1')
         password2 = self.cleaned_data.get('new_password2')
@@ -153,24 +145,41 @@ class PasswordChangeForm(forms.Form):
             if password1 != password2:
                 raise forms.ValidationError(_("The two password fields didn't match."))
         return password2
-    
+
     def save(self, commit=True):
         self.user.set_password(self.cleaned_data['new_password1'])
         if commit:
             self.user.save()
         return self.user
 
+class PasswordChangeForm(SetPasswordForm):
+    """
+    A form that lets a user change his/her password by entering
+    their old password.
+    """
+    old_password = forms.CharField(label=_("Old password"), widget=forms.PasswordInput)
+
+    def clean_old_password(self):
+        """
+        Validates that the old_password field is correct.
+        """
+        old_password = self.cleaned_data["old_password"]
+        if not self.user.check_password(old_password):
+            raise forms.ValidationError(_("Your old password was entered incorrectly. Please enter it again."))
+        return old_password
+PasswordChangeForm.base_fields.keyOrder = ['old_password', 'new_password1', 'new_password2']
+
 class AdminPasswordChangeForm(forms.Form):
     """
     A form used to change the password of a user in the admin interface.
     """
-    password1 = forms.CharField(label=_("Password"), max_length=60, widget=forms.PasswordInput)
-    password2 = forms.CharField(label=_("Password (again)"), max_length=60, widget=forms.PasswordInput)
-    
+    password1 = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
+    password2 = forms.CharField(label=_("Password (again)"), widget=forms.PasswordInput)
+
     def __init__(self, user, *args, **kwargs):
         self.user = user
         super(AdminPasswordChangeForm, self).__init__(*args, **kwargs)
-    
+
     def clean_password2(self):
         password1 = self.cleaned_data.get('password1')
         password2 = self.cleaned_data.get('password2')
@@ -178,7 +187,7 @@ class AdminPasswordChangeForm(forms.Form):
             if password1 != password2:
                 raise forms.ValidationError(_("The two password fields didn't match."))
         return password2
-    
+
     def save(self, commit=True):
         """
         Saves the new password.