altf4arnold/datatracker
1
0
Fork 0
Code Issues Pull requests Actions 3 Packages Projects Releases Wiki Activity

fix: do not set user template var in ietfauth views (#4216)

Browse source 
Lets the `user` variable pick up `request.user`.
Fixes #3568
This commit is contained in:
Jennifer Richards 2022-07-15 15:37:25 -03:00 committed by GitHub
parent 10e251fab8
commit 067ae17b4e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
ietf/ietfauth/tests.py
View file

@ -37,7 +37,7 @@ from ietf.ietfauth.htpasswd import update_htpasswd_file
from ietf.mailinglists.models import Subscribed from ietf.mailinglists.models import Subscribed
from ietf.meeting.factories import MeetingFactory from ietf.meeting.factories import MeetingFactory
from ietf.nomcom.factories import NomComFactory from ietf.nomcom.factories import NomComFactory
from ietf.person.factories import PersonFactory, EmailFactory from ietf.person.factories import PersonFactory, EmailFactory, UserFactory
from ietf.person.models import Person, Email, PersonalApiKey from ietf.person.models import Person, Email, PersonalApiKey
from ietf.review.factories import ReviewRequestFactory, ReviewAssignmentFactory from ietf.review.factories import ReviewRequestFactory, ReviewAssignmentFactory
from ietf.review.models import ReviewWish, UnavailablePeriod from ietf.review.models import ReviewWish, UnavailablePeriod
@ -433,10 +433,20 @@ class IetfAuthTests(TestCase):
self.assertEqual(r.status_code, 200) self.assertEqual(r.status_code, 200)
self.assertEqual(len(outbox), 1) self.assertEqual(len(outbox), 1)
# go to change password page # goto change password page, logged in as someone else
confirm_url = self.extract_confirm_url(outbox[-1]) confirm_url = self.extract_confirm_url(outbox[-1])
other_user = UserFactory()
self.client.login(username=other_user.username, password=other_user.username + '+password')
r = self.client.get(confirm_url)
self.assertEqual(r.status_code, 403)
# sign out and go back to change password page
self.client.logout()
r = self.client.get(confirm_url) r = self.client.get(confirm_url)
self.assertEqual(r.status_code, 200) self.assertEqual(r.status_code, 200)
q = PyQuery(r.content)
self.assertNotIn(user.username, q('.nav').text(),
'user should not appear signed in while resetting password')
# password mismatch # password mismatch
r = self.client.post(confirm_url, { 'password': 'secret', 'password_confirmation': 'nosecret' }) r = self.client.post(confirm_url, { 'password': 'secret', 'password_confirmation': 'nosecret' })

17
ietf/ietfauth/views.py
View file

@ -55,7 +55,7 @@ from django.contrib.sites.models import Site
from django.core.exceptions import ObjectDoesNotExist, ValidationError from django.core.exceptions import ObjectDoesNotExist, ValidationError
from django.urls import reverse as urlreverse from django.urls import reverse as urlreverse
from django.utils.safestring import mark_safe from django.utils.safestring import mark_safe
from django.http import Http404, HttpResponseRedirect #, HttpResponse, from django.http import Http404, HttpResponseRedirect, HttpResponseForbidden
from django.shortcuts import render, redirect, get_object_or_404 from django.shortcuts import render, redirect, get_object_or_404
from django.utils.encoding import force_bytes from django.utils.encoding import force_bytes
@ -303,7 +303,6 @@ def profile(request):
person_form = get_person_form(instance=person) person_form = get_person_form(instance=person)
return render(request, 'registration/edit_profile.html', { return render(request, 'registration/edit_profile.html', {
'user': request.user,
'person': person, 'person': person,
'person_form': person_form, 'person_form': person_form,
'roles': roles, 'roles': roles,
@ -462,7 +461,11 @@ def confirm_password_reset(request, auth):
raise Http404("Invalid or expired auth") raise Http404("Invalid or expired auth")
user = get_object_or_404(User, username=username, password__endswith=password, last_login=last_login) user = get_object_or_404(User, username=username, password__endswith=password, last_login=last_login)
if request.user.is_authenticated and request.user != user:
return HttpResponseForbidden(
f'This password reset link is not for the signed-in user. '
f'Please <a href="{urlreverse("django.contrib.auth.views.logout")}">sign out</a> and try again.'
)
success = False success = False
if request.method == 'POST': if request.method == 'POST':
form = PasswordForm(request.POST) form = PasswordForm(request.POST)
@ -483,7 +486,7 @@ def confirm_password_reset(request, auth):
hasher = getattr(hlib, hashername) hasher = getattr(hlib, hashername)
return render(request, 'registration/change_password.html', { return render(request, 'registration/change_password.html', {
'form': form, 'form': form,
'user': user, 'update_user': user,
'success': success, 'success': success,
'hasher': hasher, 'hasher': hasher,
}) })
@ -647,7 +650,6 @@ def change_password(request):
hasher = getattr(hlib, hashername) hasher = getattr(hlib, hashername)
return render(request, 'registration/change_password.html', { return render(request, 'registration/change_password.html', {
'form': form, 'form': form,
'user': user,
'success': success, 'success': success,
'hasher': hasher, 'hasher': hasher,
}) })
@ -685,10 +687,7 @@ def change_username(request):
else: else:
form = ChangeUsernameForm(request.user) form = ChangeUsernameForm(request.user)
return render(request, 'registration/change_username.html', { return render(request, 'registration/change_username.html', {'form': form})
'form': form,
'user': user,
})

5
ietf/templates/registration/change_password.html
View file

@ -24,6 +24,11 @@
{% endif %} {% endif %}
{% else %} {% else %}
<h1>Change password</h1> <h1>Change password</h1>
{% if update_user and update_user != user %}
<div class="alert alert-info my-3">
This will change the password for user {{ update_user }}.
</div>
{% endif %}
<form method="post" class="my-3"> <form method="post" class="my-3">
{% csrf_token %} {% csrf_token %}
{% bootstrap_form form %} {% bootstrap_form form %}