Fixed wrong permission/auth check for set password

This commit is contained in:
FinnStutzenstein 2019-11-11 07:07:19 +01:00
parent d248f5fbc1
commit 427b17a3e9
2 changed files with 82 additions and 3 deletions

View File

@ -843,9 +843,9 @@ class SetPasswordView(APIView):
def post(self, request, *args, **kwargs):
user = request.user
if not (
has_perm(user, "users.can_change_password")
or has_perm(user, "users.can_manage")
if (
not user.is_authenticated
or not has_perm(user, "users.can_change_password")
or user.auth_type != "default"
):
self.permission_denied(request)

View File

@ -1,4 +1,5 @@
import pytest
from django.contrib.auth.models import Permission
from django.core import mail
from django.urls import reverse
from rest_framework import status
@ -291,6 +292,84 @@ class UserPassword(TestCase):
)
)
def test_set(self):
response = self.admin_client.post(
reverse("user_setpassword"),
{
"old_password": "admin",
"new_password": "new_password_eiki5eiCoozethahhief",
},
)
self.assertEqual(response.status_code, status.HTTP_200_OK)
admin = User.objects.get()
self.assertTrue(admin.check_password("new_password_eiki5eiCoozethahhief"))
def test_set_no_manage_perms(self):
admin = User.objects.get()
admin.groups.add(GROUP_DELEGATE_PK)
admin.groups.remove(GROUP_ADMIN_PK)
inform_changed_data(admin)
response = self.admin_client.post(
reverse("user_setpassword"),
{
"old_password": "admin",
"new_password": "new_password_ou0wei3tae5ahr7oa1Fu",
},
)
self.assertEqual(response.status_code, status.HTTP_200_OK)
admin = User.objects.get()
self.assertTrue(admin.check_password("new_password_ou0wei3tae5ahr7oa1Fu"))
def test_set_no_can_change_password(self):
admin = User.objects.get()
admin.groups.add(GROUP_DELEGATE_PK)
admin.groups.remove(GROUP_ADMIN_PK)
can_change_password_permission = Permission.objects.get(
content_type__app_label="users", codename="can_change_password"
)
delegate_group = Group.objects.get(pk=GROUP_DELEGATE_PK)
delegate_group.permissions.remove(can_change_password_permission)
inform_changed_data(delegate_group)
inform_changed_data(admin)
response = self.admin_client.post(
reverse("user_setpassword"),
{
"old_password": "admin",
"new_password": "new_password_Xeereehahzie3Oochere",
},
)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
admin = User.objects.get()
self.assertTrue(admin.check_password("admin"))
def test_set_wrong_auth_type(self):
admin = User.objects.get()
admin.auth_type = "something_else"
admin.save()
response = self.admin_client.post(
reverse("user_setpassword"),
{
"old_password": "admin",
"new_password": "new_password_dau2ahng3Ahgha7yee8o",
},
)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
admin = User.objects.get()
self.assertTrue(admin.check_password("admin"))
def test_set_anonymous_user(self):
config["general_system_enable_anonymous"] = True
guest_client = APIClient()
response = guest_client.post(
reverse("user_setpassword"),
{
"old_password": "admin",
"new_password": "new_password_SeeRieThahlaaf6cu8Oz",
},
)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_set_random_initial_password(self):
"""
Tests whether a random password is set if no default password is given. The password