Repository: allura Updated Branches: refs/heads/master b87747c84 -> 57d9f1944
Ensure after a pwd reset, you can still log in. Test improvements. In normal allura usage (including from this test), not much triggers a session to be created for anonymous users. The only thing I could find was e.g. /p/test/code/123/tree/branches/foo.txt?diff=531621c0b9363c46a3906b8a:122&diformat=sidebyside which saves 'diformat' in the session. Custom code could do so also. *If* that happens, then we need to ensure that the current session is preserved through the password reset, so that logging in still works. The test is not very strong (passes even without the change) since it doesn't do anything to cause a session gets created. It seemed out of place to create code repo and fetch a diff url, within this test. Project: http://git-wip-us.apache.org/repos/asf/allura/repo Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/a5fd39a7 Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/a5fd39a7 Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/a5fd39a7 Branch: refs/heads/master Commit: a5fd39a7d223968c49ca1a78f5c4fc69a5b98d12 Parents: d9a4fc1 Author: Dave Brondsema <d...@brondsema.net> Authored: Thu Feb 8 11:37:13 2018 -0500 Committer: Dave Brondsema <d...@brondsema.net> Committed: Thu Feb 8 11:37:13 2018 -0500
----------------------------------------------------------------------
Allura/allura/controllers/auth.py | 1 +
Allura/allura/tests/functional/test_auth.py | 57 +++++++++++++++++-------
2 files changed, 41 insertions(+), 17 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/a5fd39a7/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 0299abd..12523cc 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -174,6 +174,7 @@ class AuthController(BaseController):
         user = self._validate_hash(hash)
         user.set_password(pw)
         user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='') # Clear password reset token
+        user.set_tool_data('allura', pwd_reset_preserve_session=session.id)
         h.auditlog_user('Password changed (through recovery process)', user=user)
         flash('Password changed')
         redirect('/auth/?return_to=/') # otherwise the default return_to would be the forgotten_password referrer page
http://git-wip-us.apache.org/repos/asf/allura/blob/a5fd39a7/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 54e2dff..59c9428 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -1337,6 +1337,11 @@ class TestPreferences(TestController):
 class TestPasswordReset(TestController):
     test_primary_email = 'testprimarya...@mail.com'
 
+    def setUp(self):
+        super(TestPasswordReset, self).setUp()
+        # so test-admin isn't automatically logged in for all requests
+        self.app.extra_environ = {'disable_auth_magic': 'True'}
+
     @patch('allura.tasks.mail_tasks.sendmail')
     @patch('allura.lib.helpers.gen_message_id')
     def test_email_unconfirmed(self, gen_message_id, sendmail):
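Review bot: The added `user.set_tool_data('allura', pwd_reset_preserve_session=session.id)` persists the raw session identifier on the user record, and nothing in this commit reads or clears that key again (the diffstat shows this one line as the only non-test change). If the consumer lives elsewhere and treats the stored id as an exception to post-password-change session invalidation, it should clear the key once that login has happened (or at the latest on the next reset), otherwise a usable session id stays in the user document indefinitely; storing a digest of the id rather than the id itself would also keep a database read from yielding a live session token. The reason for the line is only in the commit message, so a comment would help: `# keep the session this reset was done from valid after the password change, so the user can log in from it`. This assumes `session` is the request-scoped session object already imported in this module, which the hunk does not show; the enclosing method starts outside the hunk.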
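Review bot: `self.app.extra_environ = {'disable_auth_magic': 'True'}` in the new `setUp` replaces the whole environ dict rather than adding one key, so anything the base `TestController.setUp` may have seeded into `extra_environ` is silently dropped. `self.app.extra_environ.update({'disable_auth_magic': 'True'})` keeps both; webtest's `TestApp` initialises `extra_environ` to a dict, so the update is safe. Whether the base class seeds anything there is not visible in this hunk.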
@@ -1413,20 +1418,38 @@ class TestPasswordReset(TestController):
     def test_password_reset(self, gen_message_id, sendmail):
         self.app.get('/') # establish session
         user = M.User.query.get(username='test-admin')
-        email = M.EmailAddress.find(
-            {'claimed_by_user_id': user._id}).first()
+        email = M.EmailAddress.find({'claimed_by_user_id': user._id}).first()
         email.confirmed = True
         ThreadLocalORMSession.flush_all()
         old_pw_hash = user.password
-        with td.audits('Password recovery link sent to: '+ email.email, user=True):
+
+        # request a reset
+        with td.audits('Password recovery link sent to: ' + email.email, user=True):
             r = self.app.post('/auth/password_recovery_hash', {'email': email.email,
                                                                '_session_id': self.app.cookies['_session_id'],
                                                                })
+        # confirm some fields
         hash = user.get_tool_data('AuthPasswordReset', 'hash')
         hash_expiry = user.get_tool_data('AuthPasswordReset', 'hash_expiry')
         assert hash is not None
         assert hash_expiry is not None
 
+        # confirm email sent
+        text = '''Your username is test-admin
+
+To reset your password on %s, please visit the following URL:
+
+%s/auth/forgotten_password/%s''' % (config['site_name'], config['base_url'], hash)
+        sendmail.post.assert_called_once_with(
+            sender='noreply@localhost',
+            toaddr=email.email,
+            fromaddr=u'"{}" <{}>'.format(config['site_name'], config['forgemail.return_path']),
+            reply_to=config['forgemail.return_path'],
+            subject='Allura Password recovery',
+            message_id=gen_message_id(),
+            text=text)
+
+        # load reset form and fill it out
         r = self.app.get('/auth/forgotten_password/%s' % hash)
         assert_in('Enter a new password for: test-admin', r)
         assert_in('New Password:', r)
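Review bot: The new comment `# confirm some fields` does not say what is being confirmed; the two assertions under it check that the reset token and its expiry were written, so `# confirm a reset token and expiry were generated` names the check. The relocated email assertions are otherwise a readability improvement. The `hash` local on the context lines shadows the builtin; it is pre-existing, but since this test is being reworked anyway, renaming it to `reset_hash` throughout would avoid the shadowing. The method continues past the end of the hunk.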
@@ -1436,31 +1459,31 @@ class TestPasswordReset(TestController):
 
         with td.audits('Password changed \(through recovery process\)', user=True): # escape parentheses, so they would not be treated as regex group
             r = form.submit()
+
+        # confirm password changed and works
         user = M.User.query.get(username='test-admin')
         assert_not_equal(old_pw_hash, user.password)
         provider = plugin.LocalAuthenticationProvider(None)
         assert_true(provider._validate_password(user, new_password))
-        text = '''Your username is test-admin
-
-To reset your password on %s, please visit the following URL:
-
-%s/auth/forgotten_password/%s''' % (config['site_name'], config['base_url'], hash)
-
-        sendmail.post.assert_called_once_with(
-            sender='noreply@localhost',
-            toaddr=email.email,
-            fromaddr=u'"{}" <{}>'.format(config['site_name'], config['forgemail.return_path']),
-            reply_to=config['forgemail.return_path'],
-            subject='Allura Password recovery',
-            message_id=gen_message_id(),
-            text=text)
 
+        # confirm reset fields cleared
         user = M.User.query.get(username='test-admin')
         hash = user.get_tool_data('AuthPasswordReset', 'hash')
         hash_expiry = user.get_tool_data('AuthPasswordReset', 'hash_expiry')
         assert_equal(hash, '')
         assert_equal(hash_expiry, '')
 
+        # confirm can log in now in same session
+        r = r.follow()
+        assert 'Log Out' not in r, r
+        form = r.forms[0]
+        encoded = self.app.antispam_field_names(r.form)
+        form[encoded['username']] = 'test-admin'
+        form[encoded['password']] = new_password
+        r = form.submit(status=302)
+        r = r.follow()
+        assert 'Log Out' in r, r
+
     @patch('allura.tasks.mail_tasks.sendsimplemail')
     @patch('allura.lib.helpers.gen_message_id')
     def test_hash_expired(self, gen_message_id, sendmail):
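Review bot: The new `# confirm can log in now in same session` block shows that a login succeeds after the reset, but nothing in it checks the mechanism the controller change introduces, so the test still passes without the `pwd_reset_preserve_session` write (as the commit message concedes). Asserting the persisted value right after the `# confirm password changed and works` lookup of `user` ties the test to that change: `assert_equal(user.get_tool_data('allura', 'pwd_reset_preserve_session'), self.app.cookies['_session_id'])`; this assumes the `_session_id` cookie carries the same id that `session.id` returns in the controller, which the `_session_id` form parameter in the earlier hunk suggests but the diff does not prove. The new lines also take `form` from `r.forms[0]` but pass `r.form` to `antispam_field_names`; using one of the two for both reads cleaner. The method starts outside the hunk.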