allura-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From john...@apache.org
Subject git commit: [#6783] Return 404 for forgot password pages if disabled
Date Thu, 07 Nov 2013 22:00:07 GMT
Updated Branches:
  refs/heads/master 7c7b19773 -> 4122b0f41


[#6783] Return 404 for forgot password pages if disabled

Signed-off-by: Cory Johns <cjohns@slashdotmedia.com>


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/4122b0f4
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/4122b0f4
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/4122b0f4

Branch: refs/heads/master
Commit: 4122b0f419312cbcf67214689888d7ef152a7244
Parents: 7c7b197
Author: Cory Johns <cjohns@slashdotmedia.com>
Authored: Thu Nov 7 21:59:33 2013 +0000
Committer: Cory Johns <cjohns@slashdotmedia.com>
Committed: Thu Nov 7 21:59:33 2013 +0000

----------------------------------------------------------------------
 Allura/allura/controllers/auth.py           |  8 ++++++++
 Allura/allura/tests/functional/test_auth.py | 10 ++++++++++
 2 files changed, 18 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/4122b0f4/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 35bcf81..d945394 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -173,6 +173,8 @@ class AuthController(BaseController):
     @expose('jinja:allura:templates/forgotten_password.html')
     def forgotten_password(self, hash=None, **kw):
         provider = plugin.AuthenticationProvider.get(request)
+        if not provider.forgotten_password_process:
+            raise wexc.HTTPNotFound()
         if not hash:
             c.forgotten_password_form = F.forgotten_password_form
         else:
@@ -184,6 +186,9 @@ class AuthController(BaseController):
     @require_post()
     @validate(F.recover_password_change_form, error_handler=forgotten_password)
     def set_new_password(self, hash=None, pw=None, pw2=None):
+        provider = plugin.AuthenticationProvider.get(request)
+        if not provider.forgotten_password_process:
+            raise wexc.HTTPNotFound()
         user = self._validate_hash(hash)
         user.set_password(pw)
         user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')
@@ -194,6 +199,9 @@ class AuthController(BaseController):
     @require_post()
     @validate(F.forgotten_password_form, error_handler=forgotten_password)
     def password_recovery_hash(self, email=None, **kw):
+        provider = plugin.AuthenticationProvider.get(request)
+        if not provider.forgotten_password_process:
+            raise wexc.HTTPNotFound()
         if not email:
             redirect('/')
         user_record = M.User.by_email_address(email)

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/4122b0f4/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 7919206..4bb106d 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -797,6 +797,16 @@ To reset your password on %s, please visit the following URL:
         r = self.app.post('/auth/set_new_password/%s' % hash.encode('utf-8'), {'pw': '154321',
'pw2': '154321'})
         assert_in('Unable to process reset, please try again', r.follow().body)
 
+    @patch('allura.lib.plugin.AuthenticationProvider')
+    def test_provider_disabled(self, AP):
+        user = M.User.query.get(username='test-admin')
+        ap = AP.get()
+        ap.forgotten_password_process = False
+        ap.authenticate_request()._id = user._id
+        self.app.get('/auth/forgotten_password', status=404)
+        self.app.post('/auth/set_new_password', {'pw': 'foo', 'pw2': 'foo'}, status=404)
+        self.app.post('/auth/password_recovery_hash', {'email': 'foo'}, status=404)
+
 
 class TestOAuth(TestController):
 


Mime
View raw message