Question

I had a password change form like the one below

forms.py

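from django import forms
from django.utils.translation import gettext as _

class PasswordChangeForm(forms.Form):
    old_password = forms.CharField(widget=forms.PasswordInput())
    new_password = forms.CharField(widget=forms.PasswordInput())
    confirm_password = forms.CharField(widget=forms.PasswordInput())

    def clean(self):
        # A field that failed its own validation is missing from cleaned_data,
        # so read the values with .get() instead of indexing.
        new_password = self.cleaned_data.get('new_password')
        confirm_password = self.cleaned_data.get('confirm_password')
        if new_password != confirm_password:
            raise forms.ValidationError(_('The new passwords must be same'))
        return self.cleaned_data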

template.html

<form action="/save/data/" method="post">
   {% csrf_token %}
   {{form.non_field_errors}}
   <div>
      <p>{{form.old_password}}</p>
      <span>{{form.old_password.errors}}</span>
   </div>
   <div>
      <p>{{form.new_password}}</p>
      <span>{{form.new_password.errors}}</span>
   </div>
   <div>
      <p>{{form.confirm_password}}</p>
      <span>{{form.confirm_password.errors}}</span>
   </div>
   <input type="submit" value="Change password">
</form>

views.py

@login_required 
def change_password(request):
    user_obj = User.objects.get(id=request.user.id)
    form = PasswordChangeForm()
    if request.method=="POST":
        form = PasswordChangeForm(request.POST)
        #########
        # Here in this part I need to check if the user-given old password
        # matched the already saved password in the database, and create a password
        # with the user-given new password
        #########
        new_password = form.cleaned_data['new_password']
        ......
        user_obj.password = new_password 
        ..........
    return render_to_response('template.html',{'form':form})       

So in the above code, how can we check the password saved in the database against the old password given by the user? Also, how can we create the new password and save it into the database?

After that, send an email to the user saying that your password has been changed successfully.

Solution

You have the user object. So you can just call its set_password method.

request.user.set_password(password) 

Also, you don't need to get the user again from the database. You're making an unnecessary DB request. request.user is the user.

I would rewrite the entire view like so,

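from django.contrib.auth.decorators import login_required
from django.shortcuts import render

from .forms import PasswordChangeForm  # assumes forms.py from the question sits in the same app

@login_required
def change_password(request):
    # Bind the form to POST data when there is any; otherwise it stays unbound
    form = PasswordChangeForm(request.POST or None)
    if form.is_valid():
        # check_password hashes the input and compares it with the stored hash
        if request.user.check_password(form.cleaned_data['old_password']):
            # set_password stores a salted hash, never the raw value
            request.user.set_password(form.cleaned_data['new_password'])
            request.user.save()
            return render(request, 'success.html')
    return render(request, 'template.html', {'form': form})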

This means that if there is POST data you initialise the form with it. Otherwise it gets None. If the form is valid (which an empty form never will be) then you do the password change and send them to a success page. Otherwise you return the empty form (or the form with the validation errors) to the user.
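
What set_password and check_password do with the value, as an added sketch that is not part of the answer and not Django's own code: it uses only the standard library, mirrors the `algorithm$iterations$salt$hash` layout that Django's PBKDF2 hasher stores, and shows why the question's `user_obj.password = new_password` leaves an unusable plaintext value in the column. SketchUser, change_password and the iteration count are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 260_000  # assumed work factor for this sketch; Django's default varies by release


def make_password(raw, salt=None, iterations=ITERATIONS):
    """Return 'algorithm$iterations$salt$hash', the layout Django's PBKDF2 hasher stores."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, base64.b64encode(digest).decode())


def check_password(raw, encoded):
    """Re-derive the hash with the stored salt and compare in constant time."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdecimal():
        return False  # not a recognised hash, e.g. a plaintext value
    _, iterations, salt, _ = parts
    candidate = make_password(raw, salt, int(iterations))
    return hmac.compare_digest(candidate.encode(), encoded.encode())


class SketchUser:
    """Hypothetical stand-in for django.contrib.auth.models.User."""

    def __init__(self, raw_password):
        self.password = make_password(raw_password)

    def set_password(self, raw):
        self.password = make_password(raw)

    def check_password(self, raw):
        return check_password(raw, self.password)


def change_password(user, old, new):
    """Same order as the view above: verify the old password, then hash the new one."""
    if not user.check_password(old):
        return False
    user.set_password(new)
    return True
```

Assigning the raw string to `password` afterwards makes `check_password` return False for every input, so the account can no longer authenticate while the plaintext sits in the database.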

OTHER TIPS

You can check via the check_password method.

if request.user.check_password(form.cleaned_data['old_password']):
    request.user.set_password(form.cleaned_data['new_password'])
    request.user.save()
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow