
    g                     (    d dl mZ d dlmZ defdZy)    )app_settings)EmailAddressemailc                 @   	 t         j                  j                  ||      }|r|j                  ry|j                         r#|j                          |j                  dg       t        j                  rddl
m}  || |       yy# t         j                  $ r d}Y zw xY w)ax  
    Consider a scenario where an attacker signs up for an account using the
    email address of a victim. Obviously, the email address cannot be
    verified, yet the attacker -- knowing the password -- can wait until the
    victim appears.  When the victim signs in using email authentication, it
    is not obvious that the victim is signing into an account that was not
    created by the victim. As a result, both the attacker and the victim now
    have access to the account. To prevent this, we wipe the password of the
    account in case the email address was not verified, effectively locking
    out the attacker.
    Npassword)update_fieldsr   )end_other_sessions)r   objectsget_for_userDoesNotExistverifiedhas_usable_passwordset_unusable_passwordsaveallauth_settingsUSERSESSIONS_ENABLED,allauth.usersessions.internal.flows.sessionsr	   )requestuserr   addressr	   s        v/var/www/django_project/virt/lib/python3.12/site-packages/allauth/socialaccount/internal/flows/email_authentication.pywipe_passwordr      s    &&33D%@ 7##!""$			- ,,	
 	7D) - $$ s    B BBN)allauthr   r   allauth.account.modelsr   strr        r   <module>r      s    4 /* *r   