Merge pull request #5128 from FinnStutzenstein/setPasswordAuthenticationCheck
Fixed wrong permission/auth check for set password
This commit is contained in:
commit
5b0b320bfa
@ -843,9 +843,9 @@ class SetPasswordView(APIView):
|
||||
|
||||
def post(self, request, *args, **kwargs):
|
||||
user = request.user
|
||||
if not (
|
||||
has_perm(user, "users.can_change_password")
|
||||
or has_perm(user, "users.can_manage")
|
||||
if (
|
||||
not user.is_authenticated
|
||||
or not has_perm(user, "users.can_change_password")
|
||||
or user.auth_type != "default"
|
||||
):
|
||||
self.permission_denied(request)
|
||||
|
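Review bot: The order of the three conditions in the new `if (` is load-bearing and should be documented, because `user.auth_type` is read only after `not user.is_authenticated` has short-circuited; for an anonymous request the `request.user` object presumably carries no `auth_type` attribute, so reordering the clauses would turn the intended 403 into an unhandled AttributeError. Suggested comment directly above `if (`: `# Order matters: check is_authenticated first, an anonymous user has no auth_type.` A second short comment on the `or user.auth_type != "default"` line should state why a non-default auth type is refused (apparently because such accounts have no locally managed password to change; confirm against the auth backends). The body of `post` continues outside the hunk, so the old-password verification that presumably follows is not reviewed here.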
@ -1,4 +1,5 @@
|
||||
import pytest
|
||||
from django.contrib.auth.models import Permission
|
||||
from django.core import mail
|
||||
from django.urls import reverse
|
||||
from rest_framework import status
|
||||
@ -291,6 +292,84 @@ class UserPassword(TestCase):
|
||||
)
|
||||
)
|
||||
|
||||
def test_set(self):
|
||||
response = self.admin_client.post(
|
||||
reverse("user_setpassword"),
|
||||
{
|
||||
"old_password": "admin",
|
||||
"new_password": "new_password_eiki5eiCoozethahhief",
|
||||
},
|
||||
)
|
||||
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||
admin = User.objects.get()
|
||||
self.assertTrue(admin.check_password("new_password_eiki5eiCoozethahhief"))
|
||||
|
||||
def test_set_no_manage_perms(self):
|
||||
admin = User.objects.get()
|
||||
admin.groups.add(GROUP_DELEGATE_PK)
|
||||
admin.groups.remove(GROUP_ADMIN_PK)
|
||||
inform_changed_data(admin)
|
||||
response = self.admin_client.post(
|
||||
reverse("user_setpassword"),
|
||||
{
|
||||
"old_password": "admin",
|
||||
"new_password": "new_password_ou0wei3tae5ahr7oa1Fu",
|
||||
},
|
||||
)
|
||||
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||
admin = User.objects.get()
|
||||
self.assertTrue(admin.check_password("new_password_ou0wei3tae5ahr7oa1Fu"))
|
||||
|
||||
def test_set_no_can_change_password(self):
|
||||
admin = User.objects.get()
|
||||
admin.groups.add(GROUP_DELEGATE_PK)
|
||||
admin.groups.remove(GROUP_ADMIN_PK)
|
||||
can_change_password_permission = Permission.objects.get(
|
||||
content_type__app_label="users", codename="can_change_password"
|
||||
)
|
||||
delegate_group = Group.objects.get(pk=GROUP_DELEGATE_PK)
|
||||
delegate_group.permissions.remove(can_change_password_permission)
|
||||
inform_changed_data(delegate_group)
|
||||
inform_changed_data(admin)
|
||||
|
||||
response = self.admin_client.post(
|
||||
reverse("user_setpassword"),
|
||||
{
|
||||
"old_password": "admin",
|
||||
"new_password": "new_password_Xeereehahzie3Oochere",
|
||||
},
|
||||
)
|
||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||
admin = User.objects.get()
|
||||
self.assertTrue(admin.check_password("admin"))
|
||||
|
||||
def test_set_wrong_auth_type(self):
|
||||
admin = User.objects.get()
|
||||
admin.auth_type = "something_else"
|
||||
admin.save()
|
||||
response = self.admin_client.post(
|
||||
reverse("user_setpassword"),
|
||||
{
|
||||
"old_password": "admin",
|
||||
"new_password": "new_password_dau2ahng3Ahgha7yee8o",
|
||||
},
|
||||
)
|
||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||
admin = User.objects.get()
|
||||
self.assertTrue(admin.check_password("admin"))
|
||||
|
||||
def test_set_anonymous_user(self):
|
||||
config["general_system_enable_anonymous"] = True
|
||||
guest_client = APIClient()
|
||||
response = guest_client.post(
|
||||
reverse("user_setpassword"),
|
||||
{
|
||||
"old_password": "admin",
|
||||
"new_password": "new_password_SeeRieThahlaaf6cu8Oz",
|
||||
},
|
||||
)
|
||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||
|
||||
def test_set_random_initial_password(self):
|
||||
"""
|
||||
Tests whether a random password is set if no default password is given. The password
|
||||
|