Merge pull request #463 from eventcally/issues/462

Confirmation instruction on reset/forgot #462
2026-03-13 00:07:22 +00:00 · 2023-05-04 14:13:55 +02:00 · 2023-05-04 14:13:55 +02:00 · b80d7696f9
commit b80d7696f9
parent 9a84799516 9d079d96a8
3 changed files with 45 additions and 1 deletions
--- a/project/init.py
+++ b/project/init.py
@ -209,7 +209,11 @@ from project.jsonld import CustomJsonProvider

 app.json_provider_class = CustomJsonProvider

-from project.forms.security import ExtendedConfirmRegisterForm, ExtendedLoginForm
+from project.forms.security import (
+    ExtendedConfirmRegisterForm,
+    ExtendedForgotPasswordForm,
+    ExtendedLoginForm,
+)

 # Setup Flask-Security
 from project.models import Role, User
@ -220,6 +224,7 @@ security = Security(
    user_datastore,
    confirm_register_form=ExtendedConfirmRegisterForm,
    login_form=ExtendedLoginForm,
+    forgot_password_form=ExtendedForgotPasswordForm,
 )
 app.session_interface = CustomSessionInterface()

--- a/project/forms/security.py
+++ b/project/forms/security.py
@ -3,6 +3,7 @@ from flask_security import url_for_security
 from flask_security.forms import (
    ConfirmRegisterForm,
    EqualTo,
+    ForgotPasswordForm,
    LoginForm,
    get_form_field_label,
 )
@ -53,6 +54,21 @@ class ExtendedLoginForm(LoginForm):
        return result


+class ExtendedForgotPasswordForm(ForgotPasswordForm):
+    def validate(self, **kwargs):
+        result = super().validate(**kwargs)
+
+        if not result and self.requires_confirmation:
+            flash_message(
+                gettext("login_confirmation_required"),
+                url_for_security("send_confirmation"),
+                localize_callback("Resend confirmation instructions"),
+                "danger",
+            )
+
+        return result
+
+
 class AuthorizeForm(FlaskForm):
    allow = SubmitField(lazy_gettext("Allow"))
    deny = SubmitField(lazy_gettext("Deny"))
--- a/tests/views/test_user.py
+++ b/tests/views/test_user.py
@ -114,6 +114,29 @@ def test_login_flash(client, seeder, utils):
    )


+def test_forgot_reset_flash(client, seeder, utils):
+    email = "test@test.de"
+    password = "MeinPasswortIstDasBeste"
+    seeder.create_user(email, password, confirm=False)
+
+    response = client.get("/login")
+    assert response.status_code == 200
+
+    with client:
+        response = client.post(
+            "/reset",
+            data={
+                "email": email,
+                "csrf_token": utils.get_csrf(response),
+                "submit": "Passwort wiederherstellen",
+            },
+        )
+
+    utils.assert_response_error_message(
+        response, "Beachte, dass du deine E-Mail-Adresse bestätigen muss."
+    )
+
+
@pytest.mark.parametrize("db_error", [True, False])
@pytest.mark.parametrize("non_match", [True, False])
 def test_user_request_deletion(