Fixed wrong permission/auth check for set password
This commit is contained in:
parent
d248f5fbc1
commit
427b17a3e9
@ -843,9 +843,9 @@ class SetPasswordView(APIView):
|
|||||||
|
|
||||||
def post(self, request, *args, **kwargs):
|
def post(self, request, *args, **kwargs):
|
||||||
user = request.user
|
user = request.user
|
||||||
if not (
|
if (
|
||||||
has_perm(user, "users.can_change_password")
|
not user.is_authenticated
|
||||||
or has_perm(user, "users.can_manage")
|
or not has_perm(user, "users.can_change_password")
|
||||||
or user.auth_type != "default"
|
or user.auth_type != "default"
|
||||||
):
|
):
|
||||||
self.permission_denied(request)
|
self.permission_denied(request)
|
||||||
|
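Review bot: The order of the three conditions in the rewritten `if (` block is load-bearing but undocumented: if `request.user` can be Django's `AnonymousUser`, the `not user.is_authenticated` test must stay first, because `user.auth_type` would otherwise raise AttributeError on an object that has no such attribute. A one-line comment above the condition would protect that ordering from a later reshuffle, e.g. `# Keep is_authenticated first: an anonymous user has no auth_type attribute.`. The `can_manage` fallback was dropped intentionally here and `test_set_no_manage_perms` in the test hunk pins that, so no further change to the predicate is needed. The body of `post` continues past the end of the hunk.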
@ -1,4 +1,5 @@
|
|||||||
import pytest
|
import pytest
|
||||||
|
from django.contrib.auth.models import Permission
|
||||||
from django.core import mail
|
from django.core import mail
|
||||||
from django.urls import reverse
|
from django.urls import reverse
|
||||||
from rest_framework import status
|
from rest_framework import status
|
||||||
@ -291,6 +292,84 @@ class UserPassword(TestCase):
|
|||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_set(self):
|
||||||
|
response = self.admin_client.post(
|
||||||
|
reverse("user_setpassword"),
|
||||||
|
{
|
||||||
|
"old_password": "admin",
|
||||||
|
"new_password": "new_password_eiki5eiCoozethahhief",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||||
|
admin = User.objects.get()
|
||||||
|
self.assertTrue(admin.check_password("new_password_eiki5eiCoozethahhief"))
|
||||||
|
|
||||||
|
def test_set_no_manage_perms(self):
|
||||||
|
admin = User.objects.get()
|
||||||
|
admin.groups.add(GROUP_DELEGATE_PK)
|
||||||
|
admin.groups.remove(GROUP_ADMIN_PK)
|
||||||
|
inform_changed_data(admin)
|
||||||
|
response = self.admin_client.post(
|
||||||
|
reverse("user_setpassword"),
|
||||||
|
{
|
||||||
|
"old_password": "admin",
|
||||||
|
"new_password": "new_password_ou0wei3tae5ahr7oa1Fu",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||||
|
admin = User.objects.get()
|
||||||
|
self.assertTrue(admin.check_password("new_password_ou0wei3tae5ahr7oa1Fu"))
|
||||||
|
|
||||||
|
def test_set_no_can_change_password(self):
|
||||||
|
admin = User.objects.get()
|
||||||
|
admin.groups.add(GROUP_DELEGATE_PK)
|
||||||
|
admin.groups.remove(GROUP_ADMIN_PK)
|
||||||
|
can_change_password_permission = Permission.objects.get(
|
||||||
|
content_type__app_label="users", codename="can_change_password"
|
||||||
|
)
|
||||||
|
delegate_group = Group.objects.get(pk=GROUP_DELEGATE_PK)
|
||||||
|
delegate_group.permissions.remove(can_change_password_permission)
|
||||||
|
inform_changed_data(delegate_group)
|
||||||
|
inform_changed_data(admin)
|
||||||
|
|
||||||
|
response = self.admin_client.post(
|
||||||
|
reverse("user_setpassword"),
|
||||||
|
{
|
||||||
|
"old_password": "admin",
|
||||||
|
"new_password": "new_password_Xeereehahzie3Oochere",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||||
|
admin = User.objects.get()
|
||||||
|
self.assertTrue(admin.check_password("admin"))
|
||||||
|
|
||||||
|
def test_set_wrong_auth_type(self):
|
||||||
|
admin = User.objects.get()
|
||||||
|
admin.auth_type = "something_else"
|
||||||
|
admin.save()
|
||||||
|
response = self.admin_client.post(
|
||||||
|
reverse("user_setpassword"),
|
||||||
|
{
|
||||||
|
"old_password": "admin",
|
||||||
|
"new_password": "new_password_dau2ahng3Ahgha7yee8o",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||||
|
admin = User.objects.get()
|
||||||
|
self.assertTrue(admin.check_password("admin"))
|
||||||
|
|
||||||
|
def test_set_anonymous_user(self):
|
||||||
|
config["general_system_enable_anonymous"] = True
|
||||||
|
guest_client = APIClient()
|
||||||
|
response = guest_client.post(
|
||||||
|
reverse("user_setpassword"),
|
||||||
|
{
|
||||||
|
"old_password": "admin",
|
||||||
|
"new_password": "new_password_SeeRieThahlaaf6cu8Oz",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||||
|
|
||||||
def test_set_random_initial_password(self):
|
def test_set_random_initial_password(self):
|
||||||
"""
|
"""
|
||||||
Tests whether a random password is set if no default password is given. The password
|
Tests whether a random password is set if no default password is given. The password
|
||||||
|
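Review bot: `test_set_no_can_change_password` references `Group.objects.get(pk=GROUP_DELEGATE_PK)`, but the import hunk at the top of this file only adds `Permission` from `django.contrib.auth.models`; unless `Group` is already imported further down the module (outside this view), the test fails with NameError before reaching the assertion. In `test_set_anonymous_user`, `config["general_system_enable_anonymous"] = True` is written without being restored, so if `config` is process-global rather than reset per test, the setting leaks into later tests in the class; an explicit reset in a `finally` or `tearDown`, e.g. `del config["general_system_enable_anonymous"]` or assignment back to its prior value, would keep the test self-contained. The permission-revocation test helpfully asserts the password is unchanged after the 403, which closes the loop on the fix.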