From 74990cfcb820a2e0a48f7294edbf85670d4f308b Mon Sep 17 00:00:00 2001
From: Robert Sparks
Date: Tue, 28 Feb 2023 11:54:45 -0600
Subject: [PATCH] fix: improve api key delete form validation and tests (#5236)
---
 ietf/ietfauth/tests.py | 14 +++++++++++++-
 ietf/ietfauth/views.py | 4 ++--
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/ietf/ietfauth/tests.py b/ietf/ietfauth/tests.py
index 4821bdb36..c5e2532c8 100644
--- a/ietf/ietfauth/tests.py
+++ b/ietf/ietfauth/tests.py
@@ -39,7 +39,7 @@ from ietf.ietfauth.utils import has_role
 from ietf.mailinglists.models import Subscribed
 from ietf.meeting.factories import MeetingFactory
 from ietf.nomcom.factories import NomComFactory
-from ietf.person.factories import PersonFactory, EmailFactory, UserFactory
+from ietf.person.factories import PersonFactory, EmailFactory, UserFactory, PersonalApiKeyFactory
 from ietf.person.models import Person, Email, PersonalApiKey
 from ietf.review.factories import ReviewRequestFactory, ReviewAssignmentFactory
 from ietf.review.models import ReviewWish, UnavailablePeriod
@@ -723,8 +723,20 @@ class IetfAuthTests(TestCase):
 
 url = urlreverse('ietf.ietfauth.views.apikey_disable')
 r = self.client.get(url)
+ self.assertEqual(r.status_code, 200)
 self.assertContains(r, 'Disable a personal API key')
 self.assertContains(r, 'Key')
+
+ # Try to delete something that doesn't exist
+ r = self.client.post(url, {'hash': key.hash()+'bad'})
+ self.assertEqual(r.status_code, 200)
+ self.assertContains(r,"Key validation failed; key not disabled")
+
+ # Try to delete someone else's key
+ otherkey = PersonalApiKeyFactory()
+ r = self.client.post(url, {'hash': otherkey.hash()})
+ self.assertEqual(r.status_code, 200)
+ self.assertContains(r,"Key validation failed; key not disabled")
 
 # Delete a key
 r = self.client.post(url, {'hash': key.hash()})
diff --git a/ietf/ietfauth/views.py b/ietf/ietfauth/views.py
index 01a43672d..b29b29321 100644
--- a/ietf/ietfauth/views.py
+++ b/ietf/ietfauth/views.py
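Review bot: The two rejected POSTs added here check only the status and the error text, not that the rejected key was left untouched, which is the property the fix is really about; after the someone-else's-key POST add `otherkey.refresh_from_db()` and `self.assertTrue(otherkey.valid)`, and make the same check on `key` after the malformed-hash POST. The expected message is spelled out twice; hoisting it into one local such as `msg = "Key validation failed; key not disabled"` keeps the two assertions in step if the form error is reworded. The enclosing test method starts outside the hunk.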
@@ -781,7 +781,7 @@ def apikey_disable(request):
 #
 class KeyDeleteForm(forms.Form):
 hash = forms.ChoiceField(label='Key', choices=choices)
- def clean_key(self):
+ def clean_hash(self):
 hash = force_bytes(self.cleaned_data['hash'])
 key = PersonalApiKey.validate_key(hash)
 if key and key.person == request.user.person:
@@ -792,7 +792,7 @@ def apikey_disable(request):
 if request.method == 'POST':
 form = KeyDeleteForm(request.POST)
 if form.is_valid():
- hash = force_bytes(form.data['hash'])
+ hash = force_bytes(form.cleaned_data['hash'])
 key = PersonalApiKey.validate_key(hash)
 key.valid = False
 key.save()
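Review bot: Renaming the hook to `clean_hash` makes it the per-field clean method Django actually invokes for the `hash` field, and that also means its return value replaces `cleaned_data['hash']`; the method body continues outside the hunk, so confirm it ends with `return self.cleaned_data['hash']` (or the validated value), otherwise `form.cleaned_data['hash']` in the second hunk is `None` and `force_bytes(None)` yields `b'None'`. The local `hash` shadows the builtin `hash` both here and in the second hunk; `raw_hash = force_bytes(self.cleaned_data['hash'])` avoids that. The enclosing `apikey_disable` view starts and ends outside the hunk.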
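Review bot: `key = PersonalApiKey.validate_key(hash)` after `form.is_valid()` looks the key up a second time, and `key.valid = False` on the next line has no guard if that second lookup returns `None`; the form's `clean_hash` has already resolved and ownership-checked the same key, so the lookup does not need repeating. Storing the resolved key on the form in `clean_hash` (`self.key = key`) and using `key = form.key` here keeps one already-authorized object and removes the unguarded dereference. Whether `validate_key` can return `None` for a hash that just passed form validation cannot be seen from the hunk; `apikey_disable` continues outside it.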