From 427b17a3e9c4ce6d9571dd6b8b5fddcfccb7ee84 Mon Sep 17 00:00:00 2001
From: FinnStutzenstein
Date: Mon, 11 Nov 2019 07:07:19 +0100
Subject: [PATCH] Fixed wrong permission/auth check for set password

---
 openslides/users/views.py | 6 +-
 tests/integration/users/test_viewset.py | 79 +++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 3 deletions(-)

diff --git a/openslides/users/views.py b/openslides/users/views.py
index 2ef30d62a..53e60733e 100644
--- a/openslides/users/views.py
+++ b/openslides/users/views.py
@@ -843,9 +843,9 @@ class SetPasswordView(APIView):
     def post(self, request, *args, **kwargs):
         user = request.user
-        if not (
-            has_perm(user, "users.can_change_password")
-            or has_perm(user, "users.can_manage")
+        if (
+            not user.is_authenticated
+            or not has_perm(user, "users.can_change_password")
             or user.auth_type != "default"
         ):
             self.permission_denied(request)
diff --git a/tests/integration/users/test_viewset.py b/tests/integration/users/test_viewset.py
index 062529486..9f2553e2a 100644
--- a/tests/integration/users/test_viewset.py
+++ b/tests/integration/users/test_viewset.py
@@ -1,4 +1,5 @@
 import pytest
+from django.contrib.auth.models import Permission
 from django.core import mail
 from django.urls import reverse
 from rest_framework import status
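Review bot: The clause order in the new condition is load-bearing but undocumented: `not user.is_authenticated` has to stay first, because for an anonymous request `request.user` is presumably Django's AnonymousUser, which carries no `auth_type`, so moving that clause behind the `auth_type` comparison would turn the intended 403 into an AttributeError. A comment above the `if` would protect that, e.g. `# Order matters: reject anonymous requests before auth_type is read; the anonymous user object may not have that attribute.` It would also help readers to say why `users.can_manage` alone no longer suffices here — the view appears to change only the requesting user's own password (`user = request.user`), so a manager without `can_change_password` is meant to be refused rather than granted a bypass. The rest of post() lies outside the hunk.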
@@ -291,6 +292,84 @@ class UserPassword(TestCase):
             )
         )
+    def test_set(self):
+        response = self.admin_client.post(
+            reverse("user_setpassword"),
+            {
+                "old_password": "admin",
+                "new_password": "new_password_eiki5eiCoozethahhief",
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        admin = User.objects.get()
+        self.assertTrue(admin.check_password("new_password_eiki5eiCoozethahhief"))
+
+    def test_set_no_manage_perms(self):
+        admin = User.objects.get()
+        admin.groups.add(GROUP_DELEGATE_PK)
+        admin.groups.remove(GROUP_ADMIN_PK)
+        inform_changed_data(admin)
+        response = self.admin_client.post(
+            reverse("user_setpassword"),
+            {
+                "old_password": "admin",
+                "new_password": "new_password_ou0wei3tae5ahr7oa1Fu",
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        admin = User.objects.get()
+        self.assertTrue(admin.check_password("new_password_ou0wei3tae5ahr7oa1Fu"))
+
+    def test_set_no_can_change_password(self):
+        admin = User.objects.get()
+        admin.groups.add(GROUP_DELEGATE_PK)
+        admin.groups.remove(GROUP_ADMIN_PK)
+        can_change_password_permission = Permission.objects.get(
+            content_type__app_label="users", codename="can_change_password"
+        )
+        delegate_group = Group.objects.get(pk=GROUP_DELEGATE_PK)
+        delegate_group.permissions.remove(can_change_password_permission)
+        inform_changed_data(delegate_group)
+        inform_changed_data(admin)
+
+        response = self.admin_client.post(
+            reverse("user_setpassword"),
+            {
+                "old_password": "admin",
+                "new_password": "new_password_Xeereehahzie3Oochere",
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        admin = User.objects.get()
+        self.assertTrue(admin.check_password("admin"))
+
+    def test_set_wrong_auth_type(self):
+        admin = User.objects.get()
+        admin.auth_type = "something_else"
+        admin.save()
+        response = self.admin_client.post(
+            reverse("user_setpassword"),
+            {
+                "old_password": "admin",
+                "new_password": "new_password_dau2ahng3Ahgha7yee8o",
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        admin = User.objects.get()
+        self.assertTrue(admin.check_password("admin"))
+
+    def test_set_anonymous_user(self):
+        config["general_system_enable_anonymous"] = True
+        guest_client = APIClient()
+        response = guest_client.post(
+            reverse("user_setpassword"),
+            {
+                "old_password": "admin",
+                "new_password": "new_password_SeeRieThahlaaf6cu8Oz",
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
     def test_set_random_initial_password(self):
         """
         Tests whether a random password is set if no default password is given. The password