Chad Whitacre 28cb48c72a Big changeover from id to username; #287
I sort of did this one with the blast shield down. I haven't even run
the tests yet. The sorts of things I changed:

 - SQL {elsewhere,exchanges}.participant_id => .participant
 - SQL participants.id => .username
 - ORM {user,participant,self}.id => .username
2013-04-05 15:48:59 -04:00


from aspen import Response
from gittip.elsewhere.bitbucket import BitbucketAccount
from gittip.elsewhere.github import GitHubAccount
from gittip.elsewhere.twitter import TwitterAccount
# ====== ^L
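if user.ANON or not POST:
    raise Response(404)

# Map each accepted platform to its Account class. The dict doubles as the
# whitelist, so the list of accepted platforms and the class selection below
# can't drift apart the way a separate tuple plus if/elif chain can.
accounts = {
    'bitbucket': BitbucketAccount,
    'github': GitHubAccount,
    'twitter': TwitterAccount,
}

platform = body['platform']
if platform not in accounts:
    raise Response(400, "bad platform: %s" % platform)

user_id = body['user_id']
if not user_id:
    raise Response(400, "no user_id")


# Look for a connect_token.
# =========================
# CSRF isn't enough to protect against unauthorized take_overs. Someone needs
# only find their own CSRF header and use that. We need a token specific to the
# connection request.
#
# The token is keyed on (requesting user, platform, elsewhere user_id) and is
# popped before it is compared, so every attempt consumes it: a wrong value
# can't be retried against the same token, and the legitimate flow has to be
# restarted from the beginning.

connect_key = (user.username, platform, user_id)
expected = website.connect_tokens.pop(connect_key, None)
actual = body.get('connect_token')
if expected is None or actual != expected:
    # NOTE(review): this echoes both tokens back to the client. The expected
    # one is already consumed by the pop() above, so nothing reusable is
    # disclosed, but reflecting request input into an error body is worth
    # reconsidering.
    msg = str("Is %s gaming us? %s:%s" % (user.username, expected, actual))
    raise Response(400, msg)

# Only reached with a valid platform and a matching, single-use token.
account = accounts[platform](user_id)
user.take_over(account, have_confirmation=True)
request.redirect('/about/me.html')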
# ====== ^L