# HG changeset patch
# User Marcin Kuzminski
# Date 2017-10-06 13:19:36
# Node ID cae7e0e276ca845b9cd6babef0e16e5702f407ec
# Parent de03feb20f1d6c2aa6fc71db847d5ad456487e8c
login: don't use request.params because it allows to passing multiple values for GET which can confuse the system.
diff --git a/rhodecode/apps/login/views.py b/rhodecode/apps/login/views.py
--- a/rhodecode/apps/login/views.py
+++ b/rhodecode/apps/login/views.py
@@ -161,7 +161,7 @@ class LoginView(BaseAppView):
 try:
 self.session.invalidate()
- form_result = login_form.to_python(self.request.params)
+ form_result = login_form.to_python(self.request.POST)
 # form checks for username/password, now we're authenticated
 headers = _store_user_in_session(
 self.session,
@@ -170,7 +170,7 @@ class LoginView(BaseAppView):
 log.debug('Redirecting to "%s" after login.', c.came_from)
 audit_user = audit_logger.UserWrap(
- username=self.request.params.get('username'),
+ username=self.request.POST.get('username'),
 ip_addr=self.request.remote_addr)
 action_data = {'user_agent': self.request.user_agent}
 audit_logger.store_web(
@@ -189,7 +189,7 @@ class LoginView(BaseAppView):
 })
 audit_user = audit_logger.UserWrap(
- username=self.request.params.get('username'),
+ username=self.request.POST.get('username'),
 ip_addr=self.request.remote_addr)
 action_data = {'user_agent': self.request.user_agent}
 audit_logger.store_web(
@@ -257,13 +257,14 @@ class LoginView(BaseAppView):
 register_form = RegisterForm()()
 try:
- form_result = register_form.to_python(self.request.params)
+
+ form_result = register_form.to_python(self.request.POST)
 form_result['active'] = auto_active
 if captcha.active:
 response = submit(
- self.request.params.get('recaptcha_challenge_field'),
- self.request.params.get('recaptcha_response_field'),
+ self.request.POST.get('recaptcha_challenge_field'),
+ self.request.POST.get('recaptcha_response_field'),
 private_key=captcha.private_key,
 remoteip=get_ip_addr(self.request.environ))
 if not response.is_valid:
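Review bot: `login_form.to_python(self.request.POST)` still hands the validator a WebOb MultiDict, so a body that repeats `username=` or `password=` presents several values for one field just as `request.params` did; the commit narrows the source to the request body but, as far as I can tell, does not address the multiplicity its message names, and which repeated value wins depends on how formencode walks the MultiDict. If one value per field is the contract, either reject a submission whose form keys repeat before calling `to_python`, or record in a comment next to this line which value is taken so the behaviour is deliberate rather than incidental. Whether this branch is reached only on a POST request is decided outside the hunk. The same applies to the register and password-reset hunks at `@@ -257` and `@@ -326`.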
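Review bot: On the success path the audit entry is built from the raw body, `username=self.request.POST.get('username')`, although the validated value is already in `form_result` from the `to_python` call that succeeded just above; if the login schema exposes it under that key, `username=form_result['username']` keeps the audited name identical to the one that was actually authenticated rather than whatever `.get` returns for a repeated or absent field. The failure-path hunk at `@@ -189` has no `form_result` to draw on, so reading the body there is the right choice. The enclosing method starts and ends outside this hunk.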
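Review bot: The lone `+` line inserts a blank line directly after `try:` in the register view, separating the keyword from its first statement for no visible reason and differing from the login and password-reset hunks, which keep `try:` and the `to_python` call adjacent; drop it so the block reads `try:` followed immediately by `form_result = register_form.to_python(self.request.POST)`. The surrounding method continues outside the hunk.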
@@ -326,13 +327,13 @@ class LoginView(BaseAppView):
 password_reset_form = PasswordResetForm()()
 try:
 form_result = password_reset_form.to_python(
- self.request.params)
+ self.request.POST)
 user_email = form_result['email']
 if captcha.active:
 response = submit(
- self.request.params.get('recaptcha_challenge_field'),
- self.request.params.get('recaptcha_response_field'),
+ self.request.POST.get('recaptcha_challenge_field'),
+ self.request.POST.get('recaptcha_response_field'),
 private_key=captcha.private_key,
 remoteip=get_ip_addr(self.request.environ))
 if not response.is_valid:
@@ -375,7 +376,7 @@ class LoginView(BaseAppView):
 'defaults': errors.value,
 'errors': errors.error_dict,
 })
- if not self.request.params.get('email'):
+ if not self.request.POST.get('email'):
 # case of empty email, we want to report that
 return render_ctx
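Review bot: With the shorter `self.request.POST` argument the wrapped call `form_result = password_reset_form.to_python(` / `self.request.POST)` no longer needs two lines; joining it as `form_result = password_reset_form.to_python(self.request.POST)` matches the single-line form the login and register hunks use and keeps the three views reading alike. I am inferring the method-body indent from the class context, so confirm the joined line stays within the project's line length. The enclosing method starts and ends outside the hunk.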