From kentontay...@apache.org
Subject [1/2] allura git commit: Ensure after a pwd reset, you can still log in. Test improvements.
Date Fri, 09 Feb 2018 17:52:54 GMT
Repository: allura
Updated Branches:
  refs/heads/master b87747c84 -> 57d9f1944


Ensure after a pwd reset, you can still log in.  Test improvements.

In normal allura usage (including from this test), not much triggers
a session to be created for anonymous users.  The only thing I could
find was e.g. /p/test/code/123/tree/branches/foo.txt?diff=531621c0b9363c46a3906b8a:122&diformat=sidebyside
which saves 'diformat' in the session.  Custom code could do so also.

*If* that happens, then we need to ensure that the current session
is preserved through the password reset, so that logging in still
works.

The test is not very strong (it passes even without the change) since
it does nothing to cause a session to be created.  It seemed
out of place to create code repo and fetch a diff url, within this
test.


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/a5fd39a7
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/a5fd39a7
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/a5fd39a7

Branch: refs/heads/master
Commit: a5fd39a7d223968c49ca1a78f5c4fc69a5b98d12
Parents: d9a4fc1
Author: Dave Brondsema <dave@brondsema.net>
Authored: Thu Feb 8 11:37:13 2018 -0500
Committer: Dave Brondsema <dave@brondsema.net>
Committed: Thu Feb 8 11:37:13 2018 -0500

----------------------------------------------------------------------
 Allura/allura/controllers/auth.py           |  1 +
 Allura/allura/tests/functional/test_auth.py | 57 +++++++++++++++++-------
 2 files changed, 41 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/a5fd39a7/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 0299abd..12523cc 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -174,6 +174,7 @@ class AuthController(BaseController):
         user = self._validate_hash(hash)
         user.set_password(pw)
         user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')  # Clear password
reset token
+        user.set_tool_data('allura', pwd_reset_preserve_session=session.id)
         h.auditlog_user('Password changed (through recovery process)', user=user)
         flash('Password changed')
         redirect('/auth/?return_to=/')  # otherwise the default return_to would be the forgotten_password
referrer page
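Review bot: The added `user.set_tool_data('allura', pwd_reset_preserve_session=session.id)` stores a session id on the user record with no expiry, and nothing in this hunk clears it again, unlike the reset hash two lines above which is blanked once used; the code that consumes the value is not in this diff, so whether it is cleared on the next login cannot be confirmed here. If it is not, a stale id lingers in the user document, and any later session-invalidation logic that honours it would exempt that id indefinitely — clear it where it is consumed, or store it with an expiry alongside `hash_expiry`. The intent is also not obvious to a reader of this method, so add `# keep the browser's current (possibly anonymous) session alive through the reset so the follow-up login in that same session still works` above the line. Preserving the pre-reset session also preserves any session id already planted in the browser before the reset, so the login path should still regenerate the session id on successful authentication (not visible here). The enclosing method starts before this hunk.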

http://git-wip-us.apache.org/repos/asf/allura/blob/a5fd39a7/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 54e2dff..59c9428 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -1337,6 +1337,11 @@ class TestPreferences(TestController):
 class TestPasswordReset(TestController):
     test_primary_email = 'testprimaryaddr@mail.com'
 
+    def setUp(self):
+        super(TestPasswordReset, self).setUp()
+        # so test-admin isn't automatically logged in for all requests
+        self.app.extra_environ = {'disable_auth_magic': 'True'}
+
     @patch('allura.tasks.mail_tasks.sendmail')
     @patch('allura.lib.helpers.gen_message_id')
     def test_email_unconfirmed(self, gen_message_id, sendmail):
@@ -1413,20 +1418,38 @@ class TestPasswordReset(TestController):
     def test_password_reset(self, gen_message_id, sendmail):
         self.app.get('/')  # establish session
         user = M.User.query.get(username='test-admin')
-        email = M.EmailAddress.find(
-            {'claimed_by_user_id': user._id}).first()
+        email = M.EmailAddress.find({'claimed_by_user_id': user._id}).first()
         email.confirmed = True
         ThreadLocalORMSession.flush_all()
         old_pw_hash = user.password
-        with td.audits('Password recovery link sent to: '+ email.email, user=True):
+
+        # request a reset
+        with td.audits('Password recovery link sent to: ' + email.email, user=True):
             r = self.app.post('/auth/password_recovery_hash', {'email': email.email,
                                                                '_session_id': self.app.cookies['_session_id'],
                                                                })
+        # confirm some fields
         hash = user.get_tool_data('AuthPasswordReset', 'hash')
         hash_expiry = user.get_tool_data('AuthPasswordReset', 'hash_expiry')
         assert hash is not None
         assert hash_expiry is not None
 
+        # confirm email sent
+        text = '''Your username is test-admin
+
+To reset your password on %s, please visit the following URL:
+
+%s/auth/forgotten_password/%s''' % (config['site_name'], config['base_url'], hash)
+        sendmail.post.assert_called_once_with(
+            sender='noreply@localhost',
+            toaddr=email.email,
+            fromaddr=u'"{}" <{}>'.format(config['site_name'], config['forgemail.return_path']),
+            reply_to=config['forgemail.return_path'],
+            subject='Allura Password recovery',
+            message_id=gen_message_id(),
+            text=text)
+
+        # load reset form and fill it out
         r = self.app.get('/auth/forgotten_password/%s' % hash)
         assert_in('Enter a new password for: test-admin', r)
         assert_in('New Password:', r)
@@ -1436,31 +1459,31 @@ class TestPasswordReset(TestController):
         with td.audits('Password changed \(through recovery process\)', user=True):
             # escape parentheses, so they would not be treated as regex group
             r = form.submit()
+
+        # confirm password changed and works
         user = M.User.query.get(username='test-admin')
         assert_not_equal(old_pw_hash, user.password)
         provider = plugin.LocalAuthenticationProvider(None)
         assert_true(provider._validate_password(user, new_password))
 
-        text = '''Your username is test-admin
-
-To reset your password on %s, please visit the following URL:
-
-%s/auth/forgotten_password/%s''' % (config['site_name'], config['base_url'], hash)
-
-        sendmail.post.assert_called_once_with(
-            sender='noreply@localhost',
-            toaddr=email.email,
-            fromaddr=u'"{}" <{}>'.format(config['site_name'], config['forgemail.return_path']),
-            reply_to=config['forgemail.return_path'],
-            subject='Allura Password recovery',
-            message_id=gen_message_id(),
-            text=text)
+        # confirm reset fields cleared
         user = M.User.query.get(username='test-admin')
         hash = user.get_tool_data('AuthPasswordReset', 'hash')
         hash_expiry = user.get_tool_data('AuthPasswordReset', 'hash_expiry')
         assert_equal(hash, '')
         assert_equal(hash_expiry, '')
 
+        # confirm can log in now in same session
+        r = r.follow()
+        assert 'Log Out' not in r, r
+        form = r.forms[0]
+        encoded = self.app.antispam_field_names(r.form)
+        form[encoded['username']] = 'test-admin'
+        form[encoded['password']] = new_password
+        r = form.submit(status=302)
+        r = r.follow()
+        assert 'Log Out' in r, r
+
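Review bot: The new "confirm can log in now in same session" block does not exercise the behaviour the commit adds, as the description itself admits: nothing writes to the session before the reset, so preserving `session.id` is never needed and the assertions pass without the auth.py change. Record `self.app.cookies['_session_id']` before requesting the reset, store something in the session first (the `diformat` URL named in the description, or a small test-only session write), and after the login assert both `'Log Out' in r` and that the cookie value is unchanged — that makes the test fail if the session is dropped. Minor: `form = r.forms[0]` and `self.app.antispam_field_names(r.form)` refer to the same form two different ways; pick one, noting that webtest's `r.form` is expected to raise if the page ever grows a second form, so `r.forms[0]` is the safer choice for both. `test_password_reset` starts before this hunk, and `test_hash_expired` at its tail continues past it.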
     @patch('allura.tasks.mail_tasks.sendsimplemail')
     @patch('allura.lib.helpers.gen_message_id')
     def test_hash_expired(self, gen_message_id, sendmail):

