How to manually send a reset-password email?

Question

I need to manually send a password reset email upen creating a new user. I followed the steps described here and created a drive-by HttpRequest (pwreset_request = HttpRequest()) to do so, but all I get in return to calling PasswordResetView.as_view()(pwreset_request) is a 403 because of an invalid CSRF token.

Despite that (and consequently getting that email) there are no errors on the page and everything is working fine.

from django.http import HttpResponseForbidden, HttpResponse, HttpRequest
from django.middleware.csrf import get_token

@login_required
@permission_required(["abonnenten.verlag_sachbearbeiter_fullaccess"])
def sachbearbeiter_create_or_edit(request, username=None):
    mode = "create" if username is None else "edit"

    if mode == "create":
        user = None
        sachbearbeiter = None
    else:
        user = get_object_or_404(User, username=username)
        sachbearbeiter = user.sachbearbeiter

        if user.is_superuser or user.is_staff:
            raise PermissionDenied

    user_form = UserForm(request.POST or None, instance=user)
    sachbearbeiter_form = SachbearbeiterForm(request.POST or None, instance=sachbearbeiter)

    if request.method == 'POST':
        if mode == "create":
            if user_form.is_valid() and sachbearbeiter_form.is_valid():
                user = user_form.save(commit=False)
                user.email = user.username
                user.save()
                sachbearbeiter = sachbearbeiter_form.save(commit=False)
                sachbearbeiter.user = user
                sachbearbeiter.save()

                # Manually send password reset mail
                # TODO Fix this shit (403)
                pwreset_request = HttpRequest()
                pwreset_request.method = 'POST'
                pwreset_request.META['HTTP_HOST'] = request.META['HTTP_HOST']
                pwreset_request.POST = {'email': user.email, 'csrfmiddlewaretoken': get_token(HttpRequest())}
                PasswordResetView.as_view()(pwreset_request)

                messages.success(request, 'Der Datensatz wurde erfolgreich gespeichert.')
                return redirect('sachbearbeiter_edit', username=user.username)
        elif mode == "edit":
            if user_form.is_valid() and sachbearbeiter_form.is_valid():
                user = user_form.save(commit=False)
                user.email = user.username
                user.save()
                sachbearbeiter_form.save()
                messages.success(request, 'Der Datensatz wurde erfolgreich gespeichert.')
                return redirect('sachbearbeiter_edit', username=user.username)
        else:
            raise ValueError("Variable `mode` must be 'create' or 'edit'")

    return render(request,
                  'sachbearbeiter/edit_or_create.html',
                  {'mode': mode,
                   'user': user,
                   'user_form': user_form,
                   'sachbearbeiter_form': sachbearbeiter_form})

Any ideas how to fix that?

Answer 1

Why creating by hand a new Request object, calling the password reset view, when you can just use the PasswordResetForm used by this view ?

So replace all your code below:

# Manually send password reset mail
# TODO Fix this shit (403)
pwreset_request = HttpRequest()
pwreset_request.method = 'POST'
pwreset_request.META['HTTP_HOST'] = request.META['HTTP_HOST']
pwreset_request.POST = {'email': user.email, 'csrfmiddlewaretoken': get_token(HttpRequest())}
PasswordResetView.as_view()(pwreset_request)

By this code:

from django.contrib.auth.forms import PasswordResetForm

reset_password_form = PasswordResetForm(data={'email': user.email})
if reset_password_form.is_valid():
     reset_password_form.save(request=request) # The save method will send the email