Merge pull request #5128 from FinnStutzenstein/setPasswordAuthenticationCheck

Fixed wrong permission/auth check for set password
Finn Stutzenstein 2019-11-13 14:01:48 +01:00 committed by GitHub
commit 5b0b320bfa
2 changed files with 82 additions and 3 deletions


@ -843,9 +843,9 @@ class SetPasswordView(APIView):
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
user = request.user user = request.user
if not ( if (
has_perm(user, "users.can_change_password") not user.is_authenticated
or has_perm(user, "users.can_manage") or not has_perm(user, "users.can_change_password")
or user.auth_type != "default" or user.auth_type != "default"
): ):
self.permission_denied(request) self.permission_denied(request)
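Review bot: The order of the three clauses in the new `if` is load-bearing and should be documented, because `not user.is_authenticated` is what keeps the later `user.auth_type` read from raising on an unauthenticated request (Django's AnonymousUser presumably carries no `auth_type` field, so the short-circuit is doing real work), and nothing in the hunk says so. Suggest a comment above the condition: `# Order matters: unauthenticated requests short-circuit before auth_type is read; users with a non-default auth_type must not set a local password.` Dropping the `users.can_manage` alternative also means that lacking `can_change_password` now denies regardless of manage rights, which the new `test_set_no_can_change_password` pins only for the delegate group; a one-line docstring on the view stating the three conditions would make that contract explicit. The rest of `post` (the old-password verification) lies outside the hunk.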


@ -1,4 +1,5 @@
import pytest import pytest
from django.contrib.auth.models import Permission
from django.core import mail from django.core import mail
from django.urls import reverse from django.urls import reverse
from rest_framework import status from rest_framework import status
@ -291,6 +292,84 @@ class UserPassword(TestCase):
) )
) )
def test_set(self):
response = self.admin_client.post(
reverse("user_setpassword"),
{
"old_password": "admin",
"new_password": "new_password_eiki5eiCoozethahhief",
},
)
self.assertEqual(response.status_code, status.HTTP_200_OK)
admin = User.objects.get()
self.assertTrue(admin.check_password("new_password_eiki5eiCoozethahhief"))
def test_set_no_manage_perms(self):
admin = User.objects.get()
admin.groups.add(GROUP_DELEGATE_PK)
admin.groups.remove(GROUP_ADMIN_PK)
inform_changed_data(admin)
response = self.admin_client.post(
reverse("user_setpassword"),
{
"old_password": "admin",
"new_password": "new_password_ou0wei3tae5ahr7oa1Fu",
},
)
self.assertEqual(response.status_code, status.HTTP_200_OK)
admin = User.objects.get()
self.assertTrue(admin.check_password("new_password_ou0wei3tae5ahr7oa1Fu"))
def test_set_no_can_change_password(self):
admin = User.objects.get()
admin.groups.add(GROUP_DELEGATE_PK)
admin.groups.remove(GROUP_ADMIN_PK)
can_change_password_permission = Permission.objects.get(
content_type__app_label="users", codename="can_change_password"
)
delegate_group = Group.objects.get(pk=GROUP_DELEGATE_PK)
delegate_group.permissions.remove(can_change_password_permission)
inform_changed_data(delegate_group)
inform_changed_data(admin)
response = self.admin_client.post(
reverse("user_setpassword"),
{
"old_password": "admin",
"new_password": "new_password_Xeereehahzie3Oochere",
},
)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
admin = User.objects.get()
self.assertTrue(admin.check_password("admin"))
def test_set_wrong_auth_type(self):
admin = User.objects.get()
admin.auth_type = "something_else"
admin.save()
response = self.admin_client.post(
reverse("user_setpassword"),
{
"old_password": "admin",
"new_password": "new_password_dau2ahng3Ahgha7yee8o",
},
)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
admin = User.objects.get()
self.assertTrue(admin.check_password("admin"))
def test_set_anonymous_user(self):
config["general_system_enable_anonymous"] = True
guest_client = APIClient()
response = guest_client.post(
reverse("user_setpassword"),
{
"old_password": "admin",
"new_password": "new_password_SeeRieThahlaaf6cu8Oz",
},
)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_set_random_initial_password(self): def test_set_random_initial_password(self):
""" """
Tests whether a random password is set if no default password is given. The password Tests whether a random password is set if no default password is given. The password