python - Django CSRF Error PW Reset and Login
I'm using the django.contrib.auth.views password reset.
I get a CSRF error when I try to submit the password change form.
It lets me enter my email, sends me a link with uidb64 and token, and lets me enter the new password twice. When I submit the password_reset_confirm form I get a CSRF invalid error.
Here is my template for password reset confirm:
<div class="reset-page">
    <h3 class="reset-header">{% blocktrans %}Reset password - step 2 of 2{% endblocktrans %}</h3>
    <form class="login-form" action="" method="post">
        <div class='form'>
            {% csrf_token %}
            {% if validlink %}
            <input id="id_new_password1" name="new_password1" type="password" class="text-login" placeholder="Password" />
            <input id="id_new_password2" name="new_password2" type="password" class="text-login" placeholder="Confirm password" />
            <input type="submit" class="submit-login" value="{% trans 'Submit' %}" />
            {% if error_messages %}
            <p class="reset-error">Error: {{ error_messages }}</p>
            {% endif %}
            {% else %}
            <p class="reset-bad-link">{% blocktrans %}Error: reset link no longer valid!{% endblocktrans %}</p>
            {% endif %}
        </div>
    </form>
    <p class="reset-info">{% blocktrans %}Enter new password, twice.{% endblocktrans %}</p>
</div>
I have no idea how to debug this; any help would be greatly appreciated.
There isn't any custom code, just the contrib views.
One last question: the source code of django.contrib.auth.views.password_reset_confirm says it doesn't need CSRF since no one can guess the URL. I've tried removing the {% csrf_token %} tag, and it still didn't work. Is it needed or not?
Edit:
The django.contrib.auth.views confirm view:
# Imports as used by this view in django/contrib/auth/views.py (Django 1.x)
from django.contrib.auth import get_user_model
from django.contrib.auth.forms import SetPasswordForm
from django.contrib.auth.tokens import default_token_generator
from django.core.urlresolvers import reverse
from django.http import HttpResponseRedirect
from django.shortcuts import resolve_url
from django.template.response import TemplateResponse
from django.utils.encoding import force_text
from django.utils.http import urlsafe_base64_decode
from django.utils.translation import ugettext as _
from django.views.decorators.cache import never_cache
from django.views.decorators.debug import sensitive_post_parameters


# Doesn't need csrf_protect since no-one can guess the URL
@sensitive_post_parameters()
@never_cache
def password_reset_confirm(request, uidb64=None, token=None,
                           template_name='registration/password_reset_confirm.html',
                           token_generator=default_token_generator,
                           set_password_form=SetPasswordForm,
                           post_reset_redirect=None,
                           current_app=None, extra_context=None):
    """
    View that checks the hash in a password reset link and presents a
    form for entering a new password.
    """
    UserModel = get_user_model()
    assert uidb64 is not None and token is not None  # checked by URLconf
    if post_reset_redirect is None:
        post_reset_redirect = reverse('password_reset_complete')
    else:
        post_reset_redirect = resolve_url(post_reset_redirect)
    try:
        # urlsafe_base64_decode() decodes to bytestring on Python 3
        uid = force_text(urlsafe_base64_decode(uidb64))
        user = UserModel._default_manager.get(pk=uid)
    except (TypeError, ValueError, OverflowError, UserModel.DoesNotExist):
        user = None

    # The link is only honoured if the token still matches the user's state
    if user is not None and token_generator.check_token(user, token):
        validlink = True
        title = _('Enter new password')
        if request.method == 'POST':
            form = set_password_form(user, request.POST)
            if form.is_valid():
                form.save()
                return HttpResponseRedirect(post_reset_redirect)
        else:
            form = set_password_form(user)
    else:
        validlink = False
        form = None
        title = _('Password reset unsuccessful')
    context = {
        'form': form,
        'title': title,
        'validlink': validlink,
    }
    if extra_context is not None:
        context.update(extra_context)
    if current_app is not None:
        request.current_app = current_app
    return TemplateResponse(request, template_name, context)
Remove the <div class='form'> tag. Place {% csrf_token %} right after <form class="login-form" action="" method="post">.
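A way to check the rendered page for the problem discussed above, as an added example that is not part of the original post or of Django: it parses the HTML a template renders to and reports every POST form that does not contain the hidden csrfmiddlewaretoken input that {% csrf_token %} expands to (Django emits nothing in its place when the template is rendered without a request context). The class, function and sample markup are assumptions made for this example.

```python
from html.parser import HTMLParser


class CsrfFormAuditor(HTMLParser):
    """Track open <form> elements and whether each contains the CSRF input."""

    def __init__(self):
        super().__init__()
        self.stack = []    # one dict per currently open <form>
        self.missing = []  # (form class, line) for POST forms lacking the token

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.stack.append({
                "post": (attrs.get("method") or "get").lower() == "post",
                "class": attrs.get("class") or "",
                "line": self.getpos()[0],
                "token": False,
            })
        elif tag == "input" and self.stack:
            # {% csrf_token %} expands to exactly this hidden input; an empty
            # value means the template was rendered without a request context.
            if ((attrs.get("type") or "").lower() == "hidden"
                    and attrs.get("name") == "csrfmiddlewaretoken"
                    and attrs.get("value")):
                self.stack[-1]["token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.stack:
            form = self.stack.pop()
            if form["post"] and not form["token"]:
                self.missing.append((form["class"], form["line"]))


def audit_post_forms(html):
    """Return [(form class, line number)] for POST forms missing the token."""
    auditor = CsrfFormAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.missing


# Constructed sample: the question's form as Django renders it with the token,
# and the same markup with the token line removed (hypothetical token value).
WITH_TOKEN = """<form class="login-form" action="" method="post">
<div style="display:none"><input type="hidden" name="csrfmiddlewaretoken" value="EXAMPLETOKEN" /></div>
<div class="form"><input name="new_password1" type="password" /></div>
</form>"""
WITHOUT_TOKEN = WITH_TOKEN.replace(WITH_TOKEN.splitlines()[1] + "\n", "")
```

Run audit_post_forms() over the response body of a GET to the reset-confirm URL; an entry for "login-form" means the browser never received a token to send back, which is the condition the CSRF middleware rejects.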