Merge pull request #112 from Aerstone/master

Add support for keeping the user logged in after password change (Django 1.7+)

Author: mateusz-sikora

docs/api_endpoints.rst

@@ -30,9 +30,10 @@ Basic
     - new_password1
     - new_password2
     - old_password
-    
-    
+
+
     .. note:: ``OLD_PASSWORD_FIELD_ENABLED = True`` to use old_password.
+    .. note:: ``LOGOUT_ON_PASSWORD_CHANGE = False`` to keep the user logged in after password change
 
 - /rest-auth/user/ (GET)
 

docs/configuration.rst

@@ -34,3 +34,5 @@ Configuration
 
 
 - **OLD_PASSWORD_FIELD_ENABLED** - set it to True if you want to have old password verification on password change enpoint (default: False)
+
+- **LOGOUT_ON_PASSWORD_CHANGE** - set to False if you want to keep the current user logged in after a password change

rest_auth/serializers.py

@@ -12,6 +12,7 @@
 from rest_framework import serializers, exceptions
 from rest_framework.authtoken.models import Token
 from rest_framework.exceptions import ValidationError
+from django.contrib.auth import update_session_auth_hash
 
 
 class LoginSerializer(serializers.Serializer):
@@ -182,6 +183,9 @@ def __init__(self, *args, **kwargs):
         self.old_password_field_enabled = getattr(
             settings, 'OLD_PASSWORD_FIELD_ENABLED', False
         )
+        self.logout_on_password_change = getattr(
+            settings, 'LOGOUT_ON_PASSWORD_CHANGE', False
+        )
         super(PasswordChangeSerializer, self).__init__(*args, **kwargs)
 
         if not self.old_password_field_enabled:
@@ -212,3 +216,5 @@ def validate(self, attrs):
 
     def save(self):
         self.set_password_form.save()
+        if not self.logout_on_password_change:
+            update_session_auth_hash(self.request, self.user)