fix: improve api key delete form validation and tests (#5236)

2023-02-28 11:54:45 -06:00 · 2023-02-28 11:54:45 -06:00 · 74990cfcb8
parent 9a1de57c9e
commit 74990cfcb8
2 changed files with 15 additions and 3 deletions
--- a/ietf/ietfauth/tests.py
+++ b/ietf/ietfauth/tests.py
@ -39,7 +39,7 @@ from ietf.ietfauth.utils import has_role
 from ietf.mailinglists.models import Subscribed
 from ietf.meeting.factories import MeetingFactory
 from ietf.nomcom.factories import NomComFactory
-from ietf.person.factories import PersonFactory, EmailFactory, UserFactory
+from ietf.person.factories import PersonFactory, EmailFactory, UserFactory, PersonalApiKeyFactory
 from ietf.person.models import Person, Email, PersonalApiKey
 from ietf.review.factories import ReviewRequestFactory, ReviewAssignmentFactory
 from ietf.review.models import ReviewWish, UnavailablePeriod
@ -723,8 +723,20 @@ class IetfAuthTests(TestCase):
        url = urlreverse('ietf.ietfauth.views.apikey_disable')
        r = self.client.get(url)

+        self.assertEqual(r.status_code, 200)
        self.assertContains(r, 'Disable a personal API key')
        self.assertContains(r, 'Key')
+
+        # Try to delete something that doesn't exist
+        r = self.client.post(url, {'hash': key.hash()+'bad'})
+        self.assertEqual(r.status_code, 200)
+        self.assertContains(r,"Key validation failed; key not disabled")
+
+        # Try to delete someone else's key
+        otherkey = PersonalApiKeyFactory()
+        r = self.client.post(url, {'hash': otherkey.hash()})
+        self.assertEqual(r.status_code, 200)
+        self.assertContains(r,"Key validation failed; key not disabled")
        
        # Delete a key
        r = self.client.post(url, {'hash': key.hash()})
--- a/ietf/ietfauth/views.py
+++ b/ietf/ietfauth/views.py
@ -781,7 +781,7 @@ def apikey_disable(request):
    #
    class KeyDeleteForm(forms.Form):
        hash = forms.ChoiceField(label='Key', choices=choices)
-        def clean_key(self):
+        def clean_hash(self):
            hash = force_bytes(self.cleaned_data['hash'])
            key = PersonalApiKey.validate_key(hash)
            if key and key.person == request.user.person:
@ -792,7 +792,7 @@ def apikey_disable(request):
    if request.method == 'POST':
        form = KeyDeleteForm(request.POST)
        if form.is_valid():
-            hash = force_bytes(form.data['hash'])
+            hash = force_bytes(form.cleaned_data['hash'])
            key = PersonalApiKey.validate_key(hash)
            key.valid = False
            key.save()