password history: just limit the result set range to simplify iteration logic

ff8a0c68 · Chris Dodge · d5bb1b5c · ff8a0c68 · ff8a0c68
Commit ff8a0c68 authored Mar 24, 2014 by Chris Dodge
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 14 deletions

common/djangoapps/student/models.py
+11 -13

lms/templates/registration/password_reset_confirm.html
+5 -1

No files found.
--- a/common/djangoapps/student/models.py
+++ b/common/djangoapps/student/models.py
@@ -453,23 +453,20 @@ class PasswordHistory(models.Model):
        if not settings.FEATURES['ADVANCED_SECURITY']:
            return True

-        min_diff_passwords_required = 0
-        if user.is_staff:
-            if cls.is_staff_password_reuse_restricted():
+        if user.is_staff and cls.is_staff_password_reuse_restricted():
                min_diff_passwords_required = \
                    settings.ADVANCED_SECURITY_CONFIG['MIN_DIFFERENT_STAFF_PASSWORDS_BEFORE_REUSE']
        elif cls.is_student_password_reuse_restricted():
            min_diff_passwords_required = \
                settings.ADVANCED_SECURITY_CONFIG['MIN_DIFFERENT_STUDENT_PASSWORDS_BEFORE_REUSE']
+        else:
+            min_diff_passwords_required = 0

-        history = PasswordHistory.objects.filter(user=user).order_by('-time_set')
-
-        reuse_distance = 0
+        # just limit the result set to the number of different
+        # password we need
+        history = PasswordHistory.objects.filter(user=user).order_by('-time_set')[:min_diff_passwords_required]

        for entry in history:
-            # did we reach the minimum amount of intermediate different passwords?
-            if reuse_distance >= min_diff_passwords_required:
-                return True

            # be sure to re-use the same salt
            # NOTE, how the salt is serialized in the password field is dependent on the algorithm
@@ -483,12 +480,13 @@ class PasswordHistory(models.Model):
            else:
                # This means we got something unexpected. We don't want to throw an exception, but
                # log as an error and basically allow any password reuse
-                AUDIT_LOG.error('Unknown password hashing algorithm "{0}" found in existing password hash, password reuse policy will not be enforced!!!'.format(algorithm))
+                AUDIT_LOG.error('''
+                                Unknown password hashing algorithm "{0}" found in existing password
+                                hash, password reuse policy will not be enforced!!!
+                                '''.format(algorithm))
                return True

-            if entry.password != hashed_password:
-                reuse_distance +=  1
-            else:
+            if entry.password == hashed_password:
                return False

        return True

--- a/lms/templates/registration/password_reset_confirm.html
+++ b/lms/templates/registration/password_reset_confirm.html
@@ -86,7 +86,11 @@
          </h3>
        </div>

-        <div role="alert" class="status message submission-error" style="display: {% if err_msg %}block{% else %}None{% endif %}">
+        {% if err_msg %}
+        <div role="alert" class="status message submission-error" style="display: block;">
+        {% else %}
+        <div role="alert" class="status message submission-error" style="display: none;">
+        {% endif %}
          <h3 class="message-title">{% trans "The following errors occurred while processing your registration: " %}</h3>
          <ul class="message-copy">
            {% if err_msg %}