How about doing the check in PasswordChangeBase.to_python which is shared between all the forms usage? If we're lucky the existing error handling will just work too, and can clean up the url repetion for failure_redirect_url. And if you're able to undo the changes to controllers, that'll avoid conflicts with my TurboGears changes which tweaked controllers calling to_python.
Careful adding __future__ to existing files, it may change behavior. Seems to be ok here though.
User-Agent should probably use config['site_name']
hibp_password_check config should go in development.ini rather than docker-dev, and add an explanation for it.
Fixup pushed. As discussed, I originally considered placing this in PasswordChangeBase, but that felt like too "core" of an area for it; also, placing the checks in the controller allows the controller to determine how to react, rather than it being an immutable behavior.
All set in new fixup.
Log in to post a comment.