Fixing authentication issue on account deletion when using blank passwords.

2025-04-13 09:38:09 +00:00 · 2013-04-05 19:23:42 -07:00 · 2013-04-05 19:23:42 -07:00 · 1cf8d67db1
commit 1cf8d67db1
parent 8b13f22a59
2 changed files with 8 additions and 3 deletions
--- a/apps/profile/forms.py
+++ b/apps/profile/forms.py
@ -48,8 +48,12 @@ class DeleteAccountForm(forms.Form):
        super(DeleteAccountForm, self).__init__(*args, **kwargs)
    
    def clean_password(self):
+        from apps.profile.models import blank_authenticate
        user_auth = authenticate(username=self.user.username, 
                                 password=self.cleaned_data['password'])
+        if not user_auth:
+            user_auth = blank_authenticate(username=self.user.username)
+        
        if not user_auth:
            raise forms.ValidationError('Your password doesn\'t match.')

--- a/apps/profile/models.py
+++ b/apps/profile/models.py
@ -532,7 +532,7 @@ def change_password(user, old_password, new_password):
        user_db.set_password(new_password)
        user_db.save()
        return 1
-        
+
 def blank_authenticate(username, password=""):
    try:
        user = User.objects.get(username=username)
@ -543,8 +543,9 @@ def blank_authenticate(username, password=""):
        return user
        
    algorithm, salt, hash = user.password.split('$', 2)
-    encoded = hashlib.sha1(salt + password).hexdigest()
-    if encoded == hash:
+    encoded_blank = hashlib.sha1(salt + password).hexdigest()
+    encoded_username = authenticate(username=username, password=username)
+    if encoded_blank == hash or encoded_username == user:
        return user
            
 class MSentEmail(mongo.Document):