old user, first registration. cleaner

core/views/user_registration.py

@@ -162,30 +162,33 @@ def register(request, url_username=None):
     else:
         form = register_form(initial=initial_values)
     
- 
-
     if request.method == "POST":
         form = register_form(request.POST)
         if form.is_valid():
-            print("POST VALID")
+            print("POST VALID") # so now username and email fields are readonly
             un = form.cleaned_data["username"]
             pw= form.cleaned_data["password1"]
             email = form.cleaned_data["email"]
             expoers = User.objects.filter(username=un)
-            if len(expoers) != 0:            
-                # this is a password re-set, not a new registration. So we need to check it is the same person.
-                form_user = expoers[0]
-                if request.user != form_user:
-                    print(f"## UNAUTHORIZED Password reset ## {request.user} {form_user}")
-                    # return render(request, "login/register.html", {"form": form, "unauthorized": True}) 
+            # if this is LOGONABLE user and we are not logged on
+            # NOT just save the data ! Anyone could do  that..
+            # we are now in a state where password should only be re-set by email token
+            # but rather than redirect (off-putting) we just make the password fields read-only
+            if len(expoers) > 0:
+                form.fields["password1"].widget.attrs["readonly"]="readonly"
+                form.fields["password2"].widget.attrs["readonly"]="readonly"
+
             # create User in the system and refresh stored encrypted user list and git commit it:   
             updated_user = register_user(un, email, password=pw, pwhash=None)
             save_users(request, updated_user, email)
             # to do, login automatically, and redirect to control panel ?
-            return HttpResponseRedirect("/accounts/login/")
+            form.fields["username"].widget.attrs["readonly"]="readonly"
+            form.fields["email"].widget.attrs["readonly"]="readonly"
+            return render(request, "login/register.html", {"form": form, "email_stored": True}) 
+            # return HttpResponseRedirect("/accounts/login/")
     else: # GET
         pass
-    return render(request, "login/register.html", {"form": form, "warning": warning, "logged_in": logged_in})    
+    return render(request, "login/register.html", {"form": form})    
 
 
 def save_users(request, updated_user, email="troggle@exposerver.expo"):
@@ -350,7 +353,13 @@ class register_form(forms.Form):  # not a model-form, just a form-form
             ) 
         email = cleaned_data.get("email")
         users = User.objects.filter(email=email)
-        if len(users) != 0:
+        if len(users) > 1:
             raise ValidationError(
-                "Duplicate email address. Another registered user is already using this email address. Email addresses must be unique as that is how we reset forgotten passwords."
-            )              
+                f"Duplicate email address. Another registered user {users} is already using this email address. Email addresses must be unique as that is how we reset forgotten passwords."
+            )              
+        if len(users) == 1:
+            if users[0].username != un:
+                raise ValidationError(
+                    f"Duplicate email address. Another registered user '{users[0]}' is already using this email address. Email addresses must be unique as that is how we reset forgotten passwords."
+                    )
+