This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git


The following commit(s) were added to refs/heads/master by this push:
     new a50d92165 in password reset, also try lowercasing the email to see if 
that matches
a50d92165 is described below

commit a50d9216587e28416b19cb26624ed6e8164c7c92
Author: Dave Brondsema <dbronds...@slashdotmedia.com>
AuthorDate: Mon Jan 22 12:16:51 2024 -0500

    in password reset, also try lowercasing the email to see if that matches
---
 Allura/allura/controllers/auth.py           |  5 +++++
 Allura/allura/tests/functional/test_auth.py | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/Allura/allura/controllers/auth.py 
b/Allura/allura/controllers/auth.py
index 1d11394f5..d74f48445 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -223,6 +223,11 @@ class AuthController(BaseController):
             redirect('/')
 
         user_record = M.User.by_email_address(email, only_confirmed=False)
+        if not user_record and email != email.lower():
+            # try again lowercase
+            email = email.lower()
+            user_record = M.User.by_email_address(email, only_confirmed=False)
+
         allow_non_primary_email_reset = 
asbool(config.get('auth.allow_non_primary_email_password_reset', True))
 
         if not re.match(r"[^@]+@[^@]+\.[^@]+", email):
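Review bot: The lowercase retry only finds accounts whose stored address is entirely lowercase; a stored address containing capitals that is typed in a different casing still misses on both `by_email_address` calls, so the fix is partial unless addresses are normalised when saved (not visible in this hunk). Because `email` is rebound, the rest of the method, including the format check on the last line of the hunk, works on the lowercased value rather than on what the user typed; the comment could say so, e.g. `# retry lowercased; email is rebound so later code uses the matched form`. Both lookups run before the `re.match` format check, so malformed input now costs two queries, and moving that check above the first lookup would avoid this. The method body starts and ends outside the hunk.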
diff --git a/Allura/allura/tests/functional/test_auth.py 
b/Allura/allura/tests/functional/test_auth.py
index b75eb91a8..10dbd380d 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -1764,6 +1764,25 @@ To update your password on %s, please visit the 
following URL:
         r = r.follow().follow()
         assert 'Log Out' in r, r
 
+
+    @patch('allura.tasks.mail_tasks.sendsimplemail')
+    @patch('allura.lib.helpers.gen_message_id')
+    def test_capitalized_email_entered(self, gen_message_id, sendmail):
+        self.app.get('/').follow()  # establish session
+        user = M.User.query.get(username='test-admin')
+        email = M.EmailAddress.find({'claimed_by_user_id': user._id}).first()
+        email.confirmed = True
+        ThreadLocalODMSession.flush_all()
+
+        # request a reset
+        with td.audits('Password recovery link sent to: ' + email.email, 
user=True):
+            r = self.app.post('/auth/password_recovery_hash', {'email': 
email.email.capitalize(),  # NOTE THIS
+                                                               '_session_id': 
self.app.cookies['_session_id'],
+                                                               })
+        # confirm it worked
+        hash = user.get_tool_data('AuthPasswordReset', 'hash')
+        assert hash is not None
+
     @patch('allura.tasks.mail_tasks.sendsimplemail')
     @patch('allura.lib.helpers.gen_message_id')
     def test_hash_expired(self, gen_message_id, sendmail):
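Review bot: The new test exercises the retry branch only if `email.email.capitalize()` differs from the stored value, which depends on the fixture address being lowercase and starting with a letter; a guard such as `assert email.email.capitalize() != email.email` before the POST would make that explicit. The final check stops at `hash is not None` and never inspects the patched `sendmail`, so it does not show that the recovery message is addressed to the address on record rather than to the string that was typed. Smaller style points: `hash` shadows the builtin (`reset_hash` would do), `r` is assigned but unused, and `# NOTE THIS` could say what to note, e.g. `# same address, different case`.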
