From: jetmind@apache.org To: commits@allura.apache.org Date: Fri, 12 Sep 2014 10:29:15 -0000 Message-Id: <6bf2165c3d7f460ab873ffd87e189508@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [01/28] git commit: [#7585] ticket:624 Require password entry for changes to email settings Repository: allura Updated Branches: refs/heads/je/42cc_4905 8773ed46f -> 2602ee1e7 (forced update) [#7585] ticket:624 Require password entry for changes to email settings Project: http://git-wip-us.apache.org/repos/asf/allura/repo Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/774191ee Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/774191ee Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/774191ee Branch: refs/heads/je/42cc_4905 Commit: 774191ee37e17b9be776b8ec4f02951e94aa7aea Parents: 608090e Author: Igor Bondarenko Authored: Thu Jul 31 17:09:23 2014 +0300 Committer: Dave Brondsema Committed: Tue Aug 26 19:24:57 2014 +0000 ---------------------------------------------------------------------- Allura/allura/controllers/auth.py | 10 ++++ Allura/allura/templates/user_prefs.html | 4 ++ Allura/allura/tests/functional/test_auth.py | 71 ++++++++++++++++++++++++ 3 files changed, 85 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/allura/blob/774191ee/Allura/allura/controllers/auth.py ---------------------------------------------------------------------- diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py index 801bdf2..f05a0cc 100644 --- a/Allura/allura/controllers/auth.py +++ b/Allura/allura/controllers/auth.py 
@@ -413,6 +413,7 @@ class PreferencesController(BaseController):
 if not preferences.get('display_name'):
 flash("Display Name cannot be empty.", 'error')
 redirect('.')
+ provider = plugin.AuthenticationProvider.get(request)
 old = c.user.get_pref('display_name')
 c.user.set_pref('display_name', preferences['display_name'])
 if old != preferences['display_name']:
@@ -420,6 +421,9 @@ class PreferencesController(BaseController):
 for i, (old_a, data) in enumerate(zip(c.user.email_addresses, addr or [])):
 obj = c.user.address_object(old_a)
 if data.get('delete') or not obj:
+ if not kw.get('password') or not provider.validate_password(c.user, kw.get('password')):
+ flash('You must provide your current password to delete an email', 'error')
+ redirect('.')
 if primary_addr == c.user.email_addresses[i]:
 if select_new_primary_addr(c.user, ignore_emails=primary_addr) is None \
 and asbool(config.get('auth.require_email_addr', False)):
@@ -434,6 +438,9 @@ class PreferencesController(BaseController):
 if obj:
 obj.delete()
 if new_addr.get('claim') or new_addr.get('addr'):
+ if not kw.get('password') or not provider.validate_password(c.user, kw.get('password')):
+ flash('You must provide your current password to claim new email', 'error')
+ redirect('.')
 if M.EmailAddress.query.get(_id=new_addr['addr']):
 flash('Email address already claimed', 'error')
 elif mail_util.isvalid(new_addr['addr']):
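Review bot: The password gate added under `if data.get('delete') or not obj:` is repeated verbatim in the claim hunk (`@@ -434`) and the primary-address hunk (`@@ -449`), each reading `kw.get('password')` twice, so one local helper closed over `kw`, `provider` and `c.user` would keep the three flash messages while leaving a single place to review. A wrong or missing password only flashes and redirects, whereas a successful primary change is recorded with `M.AuditLog.log_user` in the `@@ -449` hunk; recording the refusal the same way would make repeated wrong-password submissions against this handler visible in the user's audit trail. Because the gate sits inside `or not obj`, a user whose stored address has no `EmailAddress` record is asked for a password even though no deletion was requested. `c.user.set_pref('display_name', ...)` in the first hunk runs before any of these checks, so if the session is still flushed on `redirect('.')` the display-name change would persist while the email change is refused — worth confirming against how the session is committed. The enclosing handler method starts before the first hunk and ends after the last.
```python
        provider = plugin.AuthenticationProvider.get(request)

        def _require_password(action):
            # Email changes need the current password; record refusals so
            # repeated guesses show up in the audit log.
            pw = kw.get('password')
            if not pw or not provider.validate_password(c.user, pw):
                M.AuditLog.log_user('Refused email change (%s): bad or missing password', action)
                flash('You must provide your current password to %s' % action, 'error')
                redirect('.')
        # … unchanged: display_name handling …
            if data.get('delete') or not obj:
                _require_password('delete an email')
        # … unchanged: primary-address bookkeeping, obj.delete() …
        if new_addr.get('claim') or new_addr.get('addr'):
            _require_password('claim new email')
        # … unchanged: claim validation; the @@ -449 hunk calls _require_password('change primary address') …
```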
@@ -449,6 +456,9 @@ class PreferencesController(BaseController):
 primary_addr = select_new_primary_addr(c.user)
 if primary_addr:
 if c.user.get_pref('email_address') != primary_addr:
+ if not kw.get('password') or not provider.validate_password(c.user, kw.get('password')):
+ flash('You must provide your current password to change primary address', 'error')
+ redirect('.')
 M.AuditLog.log_user(
 'Primary email changed: %s => %s',
 c.user.get_pref('email_address'),
http://git-wip-us.apache.org/repos/asf/allura/blob/774191ee/Allura/allura/templates/user_prefs.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/user_prefs.html b/Allura/allura/templates/user_prefs.html
index d921889..f76e9d6 100644
--- a/Allura/allura/templates/user_prefs.html
+++ b/Allura/allura/templates/user_prefs.html
@@ -108,6 +108,10 @@

+ + +
+
{{lib.submit_button('Save')}}
{{lib.csrf_token()}}
http://git-wip-us.apache.org/repos/asf/allura/blob/774191ee/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 58d824a..8af23ca 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -132,6 +132,7 @@ class TestAuth(TestController):
 'new_addr.addr': 'test@example.com',
 'new_addr.claim': 'Claim Address',
 'primary_addr': 'test-admin@users.localhost',
+ 'password': 'foo',
 'preferences.email_format': 'plain'},
 extra_environ=dict(username='test-admin'))
 r = self.app.get('/auth/preferences/')
@@ -148,6 +149,7 @@ class TestAuth(TestController):
 'addr-2.ord': '2',
 'new_addr.addr': '',
 'primary_addr': 'test-admin@users.localhost',
+ 'password': 'foo',
 'preferences.email_format': 'plain'},
 extra_environ=dict(username='test-admin'))
 r = self.app.get('/auth/preferences/')
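Review bot: Adding `'password': 'foo'` to both existing preference posts (`@@ -132` and `@@ -148`) leaves no test that saves only non-email fields without a password, which is the everyday path the new gate must keep open; the new `test_email_prefs_change_requires_password` in the next hunk covers only the refused and accepted email changes. A small regression case posting the same display-name/email_format fields with no `password` key and asserting that no "You must provide your current password" flash appears would pin that, assuming the checks visible in the controller hunks are the only ones on that path. The enclosing test methods start before each hunk.
```python
    @td.with_user_project('test-admin')
    def test_prefs_save_without_email_change_needs_no_password(self):
        # The password gate applies to claim/delete/primary changes only; a
        # plain preferences save must still succeed with no password supplied.
        r = self.app.post('/auth/preferences/update',
                          params={'preferences.display_name': 'Test Admin',
                                  'new_addr.addr': '',
                                  'primary_addr': 'test-admin@users.localhost',
                                  'preferences.email_format': 'plain'},
                          extra_environ=dict(username='test-admin'))
        assert_not_in('You must provide your current password', self.webflash(r))
```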
@@ -163,6 +165,75 @@ class TestAuth(TestController):
 extra_environ=dict(username='test-admin'))
 @td.with_user_project('test-admin')
+ def test_email_prefs_change_requires_password(self):
+ # Claim new email
+ new_email_params = {
+ 'preferences.display_name': 'Test Admin',
+ 'new_addr.addr': 'test@example.com',
+ 'new_addr.claim': 'Claim Address',
+ 'primary_addr': 'test-admin@users.localhost',
+ }
+ r = self.app.post('/auth/preferences/update', params=new_email_params,
+ extra_environ=dict(username='test-admin'))
+ assert_in('You must provide your current password to claim new email', self.webflash(r))
+ assert_not_in('test@example.com', r.follow())
+ new_email_params['password'] = 'bad pass'
+ r = self.app.post('/auth/preferences/update', params=new_email_params,
+ extra_environ=dict(username='test-admin'))
+ assert_in('You must provide your current password to claim new email', self.webflash(r))
+ assert_not_in('test@example.com', r.follow())
+ new_email_params['password'] = 'foo' # valid password
+ r = self.app.post('/auth/preferences/update', params=new_email_params,
+ extra_environ=dict(username='test-admin'))
+ assert_not_in('You must provide your current password to claim new email', self.webflash(r))
+ assert_in('test@example.com', r.follow())
+
+ # Change primary address
+ change_primary_params = {
+ 'preferences.display_name': 'Test Admin',
+ 'new_addr.addr': '',
+ 'primary_addr': 'test@example.com',
+ }
+ r = self.app.post('/auth/preferences/update', params=change_primary_params,
+ extra_environ=dict(username='test-admin'))
+ assert_in('You must provide your current password to change primary address', self.webflash(r))
+ assert_equal(M.User.by_username('test-admin').get_pref('email_address'), 'test-admin@users.localhost')
+ change_primary_params['password'] = 'bad pass'
+ r = self.app.post('/auth/preferences/update', params=change_primary_params,
+ extra_environ=dict(username='test-admin'))
+ assert_in('You must provide your current password to change primary address', self.webflash(r))
+ assert_equal(M.User.by_username('test-admin').get_pref('email_address'), 'test-admin@users.localhost')
+ change_primary_params['password'] = 'foo' # valid password
+ r = self.app.post('/auth/preferences/update', params=change_primary_params,
+ extra_environ=dict(username='test-admin'))
+ assert_not_in('You must provide your current password to change primary address', self.webflash(r))
+ assert_equal(M.User.by_username('test-admin').get_pref('email_address'), 'test@example.com')
+
+ # Remove email
+ remove_email_params = {
+ 'preferences.display_name': 'Test Admin',
+ 'addr-1.ord': '1',
+ 'addr-2.ord': '2',
+ 'addr-2.delete': 'on',
+ 'new_addr.addr': '',
+ 'primary_addr': 'test-admin@users.localhost',
+ }
+ r = self.app.post('/auth/preferences/update', params=remove_email_params,
+ extra_environ=dict(username='test-admin'))
+ assert_in('You must provide your current password to delete an email', self.webflash(r))
+ assert_in('test@example.com', r.follow())
+ remove_email_params['password'] = 'bad pass'
+ r = self.app.post('/auth/preferences/update', params=remove_email_params,
+ extra_environ=dict(username='test-admin'))
+ assert_in('You must provide your current password to delete an email', self.webflash(r))
+ assert_in('test@example.com', r.follow())
+ remove_email_params['password'] = 'foo' # vallid password
+ r = self.app.post('/auth/preferences/update', params=remove_email_params,
+ extra_environ=dict(username='test-admin'))
+ assert_not_in('You must provide your current password to delete an email', self.webflash(r))
+ assert_not_in('test@example.com', r.follow())
+
+ @td.with_user_project('test-admin')
 def test_prefs_subscriptions(self):
 r = self.app.get('/auth/subscriptions/', extra_environ=dict(username='test-admin'))
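Review bot: The three scenarios in `test_email_prefs_change_requires_password` run in one method and depend on each other's side effects — the claim phase must succeed for `test@example.com` to exist before the primary-change and remove phases — so a failure in the first phase hides the state of the other two; either split them into three tests or add a docstring such as `"""Claim, promote and then delete test@example.com; each step must be refused without the current password and with a wrong one."""` stating that ordering. The comment on the last remove post has a typo, `# vallid password` → `# valid password`. The wrong-password assertions only check the flash text; asserting the display name or `email_address` pref is unchanged on a refused request (as the primary-change phase already does with `assert_equal`) would also catch partial writes before the redirect.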