I am using django.contrib.auth.views for password reset.
When I try to submit the password change form, I get a CSRF error.
It lets me enter my email, sends me a link containing the uidb64 and token, and then lets me enter a new password twice. When I submit this password_reset_confirm form, I get a CSRF invalid error.
Here is my password reset confirm template:
<div class="reset-page">
<h3 class="reset-header">{% blocktrans %}Reset Password - Step 2 of 2{% endblocktrans %}</h3>
<form class="login-form" action="" method="post">
<div class='form'>
{% csrf_token %}
{% if validlink %}
<input id="id_new_password1" name="new_password1" type="password" class="text-login" placeholder="Password" />
<input id="id_new_password2" name="new_password2" type="password" class="text-login" placeholder="Confirm Password" />
<input type="submit" class="submit-login" value="{% trans 'Submit' %}" />
{% if error_messages %}
<p class="reset-error">Error: {{ error_messages }}</p>
{% endif %}
{% else %}
<p class="reset-bad-link">{% blocktrans %}Error: This reset link is no longer valid!{% endblocktrans %}</p>
{% endif %}
</div>
</form>
<p class="reset-info">{% blocktrans %}Enter your new password, twice.{% endblocktrans %}</p>
</div>
I have no idea how to debug this; any help is greatly appreciated.
There is no custom code of any kind, only the contrib views.
One last question: in the source of django.contrib.auth.views.password_reset_confirm it says it doesn't need CSRF because no one can guess the URL. I have tried removing the {% csrf_token %} tag, but it still doesn't work. Do I need it or not?
Edit:
The django.contrib.auth.views confirm view:
# Imports used by this view in django/contrib/auth/views.py of that era
from django.contrib.auth import get_user_model
from django.contrib.auth.forms import SetPasswordForm
from django.contrib.auth.tokens import default_token_generator
from django.core.urlresolvers import reverse
from django.http import HttpResponseRedirect
from django.shortcuts import resolve_url
from django.template.response import TemplateResponse
from django.utils.encoding import force_text
from django.utils.http import urlsafe_base64_decode
from django.utils.translation import ugettext as _
from django.views.decorators.cache import never_cache
from django.views.decorators.debug import sensitive_post_parameters


# Doesn't need csrf_protect since no-one can guess the URL
@sensitive_post_parameters()
@never_cache
def password_reset_confirm(request, uidb64=None, token=None,
                           template_name='registration/password_reset_confirm.html',
                           token_generator=default_token_generator,
                           set_password_form=SetPasswordForm,
                           post_reset_redirect=None,
                           current_app=None, extra_context=None):
    """
    View that checks the hash in a password reset link and presents a
    form for entering a new password.
    """
    UserModel = get_user_model()
    assert uidb64 is not None and token is not None  # checked by URLconf
    if post_reset_redirect is None:
        post_reset_redirect = reverse('password_reset_complete')
    else:
        post_reset_redirect = resolve_url(post_reset_redirect)
    try:
        # urlsafe_base64_decode() decodes to bytestring on Python 3
        uid = force_text(urlsafe_base64_decode(uidb64))
        user = UserModel._default_manager.get(pk=uid)
    except (TypeError, ValueError, OverflowError, UserModel.DoesNotExist):
        user = None

    # The token in the URL proves the user requested the reset; the CSRF
    # check on the POST is still enforced by CsrfViewMiddleware.
    if user is not None and token_generator.check_token(user, token):
        validlink = True
        title = _('Enter new password')
        if request.method == 'POST':
            form = set_password_form(user, request.POST)
            if form.is_valid():
                form.save()
                return HttpResponseRedirect(post_reset_redirect)
        else:
            form = set_password_form(user)
    else:
        validlink = False
        form = None
        title = _('Password reset unsuccessful')
    context = {
        'form': form,
        'title': title,
        'validlink': validlink,
    }
    if extra_context is not None:
        context.update(extra_context)
    if current_app is not None:
        request.current_app = current_app
    return TemplateResponse(request, template_name, context)
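The "Doesn't need csrf_protect" comment in the view refers only to the per-view decorator: CsrfViewMiddleware still checks every unsafe-method request for any view that is not marked csrf_exempt, so the POST from this form is validated whether or not the view itself is decorated. The following is an added example, not code from Django or from the question. It models the middleware's decision in simplified form (the plain cookie-versus-form-token comparison of that Django version, with no token masking) and checks whether a rendered page actually carries the csrfmiddlewaretoken hidden input inside the submitted form. The function names (check_csrf, extract_form_token, simulate_submit) and the sample HTML are assumptions constructed for the example.

```python
import hmac
import re
import secrets
import string

# Alphabet and length Django uses for the csrftoken cookie value.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def new_csrf_secret():
    """Generate a random secret like the one the middleware stores in the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def check_csrf(method, cookie_secret, request_token, csrf_exempt=False):
    """Simplified model of CsrfViewMiddleware.process_view (assumed helper, not Django's code).

    The middleware runs for every view; the only opt-out is @csrf_exempt.
    A view that merely lacks @csrf_protect (like password_reset_confirm)
    is still checked. Returns "ok" or a "reject: ..." string with the reason.
    """
    if csrf_exempt:
        return "ok"
    if method in SAFE_METHODS:
        return "ok"
    if not cookie_secret:
        return "reject: CSRF cookie not set"
    if not request_token:
        return "reject: CSRF token missing"
    # Constant-time comparison, as Django's constant_time_compare() does.
    if not hmac.compare_digest(cookie_secret, request_token):
        return "reject: CSRF token incorrect"
    return "ok"


# {% csrf_token %} renders to a hidden input; the browser only sends it with
# the POST if that input sits inside the <form> being submitted.
FORM_RE = re.compile(r"<form\b[^>]*>(.*?)</form>", re.I | re.S)
TOKEN_RE = re.compile(
    r'<input\b[^>]*\bname=["\']csrfmiddlewaretoken["\'][^>]*\bvalue=["\']([^"\']*)["\']',
    re.I,
)


def extract_form_token(html):
    """Return the csrfmiddlewaretoken value found inside a <form>, or None if absent."""
    for body in FORM_RE.findall(html):
        match = TOKEN_RE.search(body)
        if match:
            return match.group(1)
    return None


def simulate_submit(rendered_html, cookie_secret, method="POST"):
    """Decide what the middleware would do when a browser submits this rendered form."""
    return check_csrf(method, cookie_secret, extract_form_token(rendered_html))


# Constructed sample pages: the question's form as a browser would receive it,
# once with {% csrf_token %} rendered and once with the tag removed.
COOKIE_SECRET = new_csrf_secret()

FORM_WITH_TOKEN = f'''
<form class="login-form" action="" method="post">
<input type="hidden" name="csrfmiddlewaretoken" value="{COOKIE_SECRET}">
<input id="id_new_password1" name="new_password1" type="password">
<input id="id_new_password2" name="new_password2" type="password">
<input type="submit" value="Submit">
</form>
'''

FORM_WITHOUT_TOKEN = '''
<form class="login-form" action="" method="post">
<input id="id_new_password1" name="new_password1" type="password">
<input id="id_new_password2" name="new_password2" type="password">
<input type="submit" value="Submit">
</form>
'''

if __name__ == "__main__":
    print("with token:   ", simulate_submit(FORM_WITH_TOKEN, COOKIE_SECRET))
    print("without token:", simulate_submit(FORM_WITHOUT_TOKEN, COOKIE_SECRET))
    print("stale cookie: ", check_csrf("POST", new_csrf_secret(), COOKIE_SECRET))
```

Running the script shows the three outcomes a debugger of this question cares about: the token present inside the form passes, the form with the tag removed is rejected as "CSRF token missing" (which is why deleting {% csrf_token %} cannot fix the error), and a token rendered against a cookie that has since changed is rejected as "CSRF token incorrect". When diagnosing the real page, compare the hidden input's value in the served HTML with the csrftoken cookie the browser sends back.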
Answer 0 (score: 0)
Remove the <div class='form'> tag. Put {% csrf_token %} directly after <form class="login-form" action="" method="post">.