From 1ca4caa3a8f7e1a351747edd24c5a1ee281891be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?=
Date: Mon, 16 Nov 2020 14:29:52 +0200
Subject: [PATCH] Update the set_password view to use update_session_auth_hash
Changing user's password logs themselves out. To avoid that, we were logging the user back in right after changing the password. I recently discovered update_session_auth_hash, which seems to be the proper way to do this. Docs: https://docs.djangoproject.com/en/3.1/topics/auth/default/#session-invalidation-on-password-change
---
 hc/accounts/views.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/hc/accounts/views.py b/hc/accounts/views.py
index ca45e9df..666a16d1 100644
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@@ -8,7 +8,7 @@ from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth import login as auth_login
 from django.contrib.auth import logout as auth_logout
-from django.contrib.auth import authenticate
+from django.contrib.auth import authenticate, update_session_auth_hash
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.models import User
 from django.core import signing
@@ -480,10 +480,9 @@ def set_password(request, token):
     request.profile.token = ""
     request.profile.save()
 
-    # Setting a password logs the user out, so here we
-    # log them back in.
-    u = authenticate(username=request.user.email, password=password)
-    auth_login(request, u)
+    # update the session with the new password hash so that
+    # the user doesn't get logged out
+    update_session_auth_hash(request, request.user)
 
     messages.success(request, "Your password has been set!")
     return redirect("hc-profile")
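Review bot: `update_session_auth_hash(request, request.user)` recomputes the session hash from `request.user.password`, so it only keeps this session alive if `request.user` is the very object on which `set_password()` was called earlier in the view; set_password's body starts outside the second hunk, so confirm that the view sets and saves the new password on `request.user` itself rather than on a separately fetched `User` instance. The new comment explains the intent but not that precondition or the security effect; I would replace it with `# Re-key this session to the new password hash (Django also rotates the session key here) so this session survives while any other sessions of this user are invalidated by the password change. Requires request.user to already carry the new password.` Since the old `authenticate()`/`auth_login()` round trip is gone, the first hunk still imports `authenticate` and `auth_login` is still imported above it; if neither is referenced elsewhere in views.py after this change, those imports can be dropped. Unlike the old path, this no longer re-runs the authentication backends, which is the intended behaviour and avoids a second credential check against the freshly set password.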