From: Jeremy Kerr
Date: Thu, 11 Sep 2008 06:42:26 +0000 (+1000)
Subject: Don't just rely on random for UserPersonConfirmation keys
X-Git-Url: https://git.ozlabs.org/?p=patchwork;a=commitdiff_plain;h=a72679a9622db66e828e86377f29c9c0c6574d69;hp=0deabd4014cbc9419d203356786e966c4f803ea3
Don't just rely on random for UserPersonConfirmation keys
It looks like we're getting identical keys generated for confirmation keys. Problem has been reported to django, but in the meantime, salt with the user and email details, then sha1 to give the final key. This requires an increase in the field size for key, migration script included.
Signed-off-by: Jeremy Kerr
---
diff --git a/apps/patchwork/models.py b/apps/patchwork/models.py
index 226a69c..e516be2 100644
--- a/apps/patchwork/models.py
+++ b/apps/patchwork/models.py
@@ -129,35 +129,6 @@ class UserProfile(models.Model):
 def __str__(self):
 return self.name()
-def _confirm_key():
- allowedchars = string.ascii_lowercase + string.digits
- str = ''
- for i in range(1, 32):
- str += random.choice(allowedchars)
- return str;
-
-class UserPersonConfirmation(models.Model):
- user = models.ForeignKey(User)
- email = models.CharField(max_length = 200)
- key = models.CharField(max_length = 32, default = _confirm_key)
- date = models.DateTimeField(default=datetime.datetime.now)
- active = models.BooleanField(default = True)
-
- def confirm(self):
- if not self.active:
- return
- person = None
- try:
- person = Person.objects.get(email = self.email)
- except Exception:
- pass
- if not person:
- person = Person(email = self.email)
-
- person.link_to_user(self.user)
- person.save()
- self.active = False
-
 class State(models.Model):
 name = models.CharField(max_length = 100)
 ordering = models.IntegerField(unique = True)
@@ -316,3 +287,33 @@ class Bundle(models.Model):
 return '\n'.join([p.mbox().as_string(True) \
 for p in self.patches.all()])
+class UserPersonConfirmation(models.Model):
+ user = models.ForeignKey(User)
+ email = models.CharField(max_length = 200)
+ key = HashField()
+ date = models.DateTimeField(default=datetime.datetime.now)
+ active = models.BooleanField(default = True)
+
+ def confirm(self):
+ if not self.active:
+ return
+ person = None
+ try:
+ person = Person.objects.get(email = self.email)
+ except Exception:
+ pass
+ if not person:
+ person = Person(email = self.email)
+
+ person.link_to_user(self.user)
+ person.save()
+ self.active = False
+
+ def save(self):
+ max = 1 << 32
+ if self.key == '':
+ str = '%s%s%d' % (self.user, self.email, random.randint(0, max))
+ self.key = self._meta.get_field('key').construct(str).hexdigest()
+ super(UserPersonConfirmation, self).save()
+
+
diff --git a/lib/sql/migration/002-extend-userpersonconfirmation-key-length.sql b/lib/sql/migration/002-extend-userpersonconfirmation-key-length.sql
new file mode 100644
index 0000000..fa10fba
--- /dev/null
+++ b/lib/sql/migration/002-extend-userpersonconfirmation-key-length.sql
@@ -0,0 +1,4 @@
+BEGIN;
+ALTER TABLE patchwork_userpersonconfirmation
+ ALTER COLUMN key TYPE char(40);
+COMMIT;
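Review bot: The key built in the new `save()` still gets all of its unpredictability from `random.randint(0, max)`, which comes from the non-cryptographic `random` module and spans only about 32 bits. `self.user` and `self.email` are known to whoever requested the confirmation, and hashing them does not add entropy. Because this key is the only secret guarding the account link made in `confirm()`, it should be drawn from the OS CSPRNG, for example `str = '%s%s%s' % (self.user, self.email, os.urandom(20).encode('hex'))`; this needs `import os` in models.py, whose import block the hunk does not show. Separately, `save(self)` accepts none of the arguments callers may pass to `Model.save`, and `max`/`str` shadow builtins; `def save(self, *args, **kwargs)` forwarding to `super(UserPersonConfirmation, self).save(*args, **kwargs)` would be safer.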