allura-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jetm...@apache.org
Subject [03/26] allura git commit: [#7786] Invalidate pwd reset tokens after email/password change
Date Fri, 27 Feb 2015 12:50:36 GMT
[#7786] Invalidate pwd reset tokens after email/password change


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/b9225b8e
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/b9225b8e
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/b9225b8e

Branch: refs/heads/ib/7830
Commit: b9225b8e03c621ba07b63355d07f4b2c9cc71c14
Parents: 2d9bcf0
Author: Heith Seewald <hseewald@slashdotmedia.com>
Authored: Wed Feb 4 08:16:17 2015 +0000
Committer: Dave Brondsema <dbrondsema@slashdotmedia.com>
Committed: Thu Feb 19 16:21:54 2015 +0000

----------------------------------------------------------------------
 Allura/allura/controllers/auth.py           |  10 +-
 Allura/allura/tests/functional/test_auth.py | 117 +++++++++++++++++++++++
 2 files changed, 126 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/b9225b8e/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 2183032..0bfe966 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -165,7 +165,7 @@ class AuthController(BaseController):
             raise wexc.HTTPNotFound()
         user = self._validate_hash(hash)
         user.set_password(pw)
-        user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')
+        user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')  # Clear password
reset token
         h.auditlog_user('Password changed (through recovery process)', user=user)
         flash('Password changed')
         redirect('/auth/?return_to=/')  # otherwise the default return_to would be the forgotten_password
referrer page
@@ -409,6 +409,8 @@ class AuthController(BaseController):
             expired_user = M.User.query.get(username=expired_username) if expired_username
else None
             ap.set_password(expired_user or c.user, kw['oldpw'], kw['pw'])
             expired_user.set_tool_data('allura', pwd_reset_preserve_session=session.id)
+            expired_user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')  # Clear
password reset token
+
         except wexc.HTTPUnauthorized:
             flash('Incorrect password', 'error')
             redirect(tg.url('/auth/pwd_expired', dict(return_to=return_to)))
@@ -471,11 +473,13 @@ class PreferencesController(BaseController):
                         # clear it now, a new one will get set below
                         user.set_pref('email_address', None)
                         primary_addr = None
+                        user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')
                 h.auditlog_user('Email address deleted: %s', user.email_addresses[i], user=user)
                 del user.email_addresses[i]
                 if obj:
                     obj.delete()
         if new_addr.get('claim') or new_addr.get('addr'):
+            user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')  # Clear password
reset token
             claimed_emails_limit = config.get('user_prefs.maximum_claimed_emails', None)
             if claimed_emails_limit and len(user.email_addresses) >= int(claimed_emails_limit):
                 flash('You cannot claim more than %s email addresses.' % claimed_emails_limit,
'error')
@@ -505,6 +509,7 @@ class PreferencesController(BaseController):
                         em.send_claim_attempt()
 
                     if not admin:
+                        user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')
                         flash('A verification email has been sent.  Please check your email
and click to confirm.')
 
                     h.auditlog_user('New email address: %s', new_addr['addr'], user=user)
@@ -525,6 +530,7 @@ class PreferencesController(BaseController):
                     primary_addr,
                     user=user)
             user.set_pref('email_address', primary_addr)
+            user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')
 
     @h.vardec
     @expose()
@@ -561,6 +567,8 @@ class PreferencesController(BaseController):
         try:
             ap.set_password(c.user, kw['oldpw'], kw['pw'])
             c.user.set_tool_data('allura', pwd_reset_preserve_session=session.id)
+            c.user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')
+
         except wexc.HTTPUnauthorized:
             flash('Incorrect password', 'error')
             redirect('.')

http://git-wip-us.apache.org/repos/asf/allura/blob/b9225b8e/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index eacabd0..f288b0b 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -324,6 +324,90 @@ class TestAuth(TestController):
         email = M.EmailAddress.find(dict(email=email_address, claimed_by_user_id=user._id)).first()
         assert not email.confirmed
 
+    @staticmethod
+    def _create_password_reset_hash():
+        """ Generates a password reset token for a given user.
+
+        :return: User object
+        :rtype: User
+        """
+        # test-user claimed email address
+        user = M.User.by_username('test-admin')
+        user.set_tool_data('AuthPasswordReset',
+                           hash="generated_hash_value",
+                           hash_expiry="04-08-2020")
+        hash = user.get_tool_data('AuthPasswordReset', 'hash')
+        session(user).flush(user)
+
+        hash_expiry = user.get_tool_data('AuthPasswordReset', 'hash_expiry')
+        assert_equal(hash, 'generated_hash_value')
+        assert_equal(hash_expiry, '04-08-2020')
+        return user
+
+    def test_token_generator(self):
+        """ Generates new token invalidation tests.
+
+        The tests cover: changing, claiming, updating, removing email addresses.
+        :returns: email_change_invalidates_token
+        """
+        _params = [{'new_addr.addr': 'test_abcd@domain.net',  # Change primary address
+                    'primary_addr': 'test@example.com', },
+                   {'new_addr.addr': 'test@example.com',  # Claim new address
+                    'new_addr.claim': 'Claim Address',
+                    'primary_addr': 'test-admin@users.localhost',
+                    'password': 'foo',
+                    'preferences.email_format': 'plain'},
+                   {'addr-1.ord': '1',  # remove test-admin@users.localhost
+                    'addr-1.delete': 'on',
+                    'addr-2.ord': '2',
+                    'new_addr.addr': '',
+                    'primary_addr': 'test-admin@users.localhost',
+                    'password': 'foo',
+                    'preferences.email_format': 'plain'},
+                   {'addr-1.ord': '1',  # Remove email
+                    'addr-2.ord': '2',
+                    'addr-2.delete': 'on',
+                    'new_addr.addr': '',
+                    'primary_addr': 'test-admin@users.localhost'}]
+
+        for param in _params:
+            yield self.email_change_invalidates_token, param
+
+    def email_change_invalidates_token(self, change_params):
+        user = self._create_password_reset_hash()
+        session(user).flush(user)
+
+        self.app.post('/auth/preferences/update_emails',
+                      extra_environ=dict(username='test-admin'),
+                      params=change_params)
+
+        u = M.User.by_username('test-admin')
+        print(u.get_tool_data('AuthPasswordReset', 'hash'))
+        assert_equal(u.get_tool_data('AuthPasswordReset', 'hash'), '')
+        assert_equal(u.get_tool_data('AuthPasswordReset', 'hash_expiry'), '')
+
+    @td.with_user_project('test-admin')
+    def test_change_password(self):
+        # Get and assert user with password reset token.
+        user = self._create_password_reset_hash()
+        old_pass = user.get_pref('password')
+
+        # Change password
+        self.app.post('/auth/preferences/change_password',
+                      extra_environ=dict(username='test-admin'),
+                      params={
+                          'oldpw': 'foo',
+                          'pw': 'asdfasdf',
+                          'pw2': 'asdfasdf',
+                      })
+
+        # Confirm password was changed.
+        assert_not_equal(old_pass, user.get_pref('password'))
+
+        # Confirm any existing tokens were reset.
+        assert_equal(user.get_tool_data('AuthPasswordReset', 'hash'), '')
+        assert_equal(user.get_tool_data('AuthPasswordReset', 'hash_expiry'), '')
+
     @td.with_user_project('test-admin')
     def test_prefs(self):
         r = self.app.get('/auth/preferences/',
@@ -1619,6 +1703,39 @@ class TestPasswordExpire(TestController):
             r = self.login(pwd='foo')
             assert_in('Invalid login', r)
 
+    def test_expired_pwd_change_invalidates_token(self):
+        self.set_expire_for_user()
+        with h.push_config(config, **{'auth.pwdexpire.days': 90}):
+            r = self.login()
+            assert_true(self.expired(r))
+            self.assert_redirects()
+            user = M.User.by_username('test-user')
+            user.set_tool_data('AuthPasswordReset',
+                          hash="generated_hash_value",
+                          hash_expiry="04-08-2020")
+            hash = user.get_tool_data('AuthPasswordReset', 'hash')
+            hash_expiry = user.get_tool_data('AuthPasswordReset', 'hash_expiry')
+            assert_equal(hash, 'generated_hash_value')
+            assert_equal(hash_expiry, '04-08-2020')
+            session(user).flush(user)
+
+            # Change expired password
+            r = self.app.get('/auth/pwd_expired', extra_environ={'username': 'test-user'})
+            f = r.forms[0]
+            f['oldpw'] = 'foo'
+            f['pw'] = 'qwerty'
+            f['pw2'] = 'qwerty'
+            r = f.submit(extra_environ={'username': 'test-user'}, status=302)
+            assert_equal(r.location, 'http://localhost/')
+
+            user = M.User.by_username('test-user')
+            hash = user.get_tool_data('AuthPasswordReset', 'hash')
+            hash_expiry = user.get_tool_data('AuthPasswordReset', 'hash_expiry')
+
+            assert_equal(hash, '')
+            assert_equal(hash_expiry, '')
+
+
     def check_validation(self, oldpw, pw, pw2):
         user = M.User.by_username('test-user')
         old_update_time = user.last_password_updated


Mime
View raw message