From brond...@apache.org
Subject [1/2] allura git commit: [#8125] require user to be logged in to their account to verify a new email address
Date Fri, 09 Sep 2016 18:11:43 GMT
Repository: allura
Updated Branches:
  refs/heads/master 32ebab900 -> abc3b8e76


[#8125] require user to be logged in to their account to verify a new email address


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/abc3b8e7
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/abc3b8e7
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/abc3b8e7

Branch: refs/heads/master
Commit: abc3b8e76d4abb30f550bce77daf9207e2897f93
Parents: 9abd808
Author: Dave Brondsema <dave@brondsema.net>
Authored: Thu Sep 8 12:26:05 2016 -0400
Committer: Dave Brondsema <dave@brondsema.net>
Committed: Fri Sep 9 14:11:35 2016 -0400

----------------------------------------------------------------------
 Allura/allura/controllers/auth.py           | 19 +++++++++++---
 Allura/allura/tests/functional/test_auth.py | 33 +++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/abc3b8e7/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 3c665cf..2009515 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -261,13 +261,26 @@ class AuthController(BaseController):
             flash('No such address', 'error')
         redirect(request.referer)
 
-    def _verify_addr(self, addr):
+    def _verify_addr(self, addr, do_auth_check=True):
         confirmed_by_other = M.EmailAddress.find(dict(email=addr.email, confirmed=True)).all()
if addr else []
         confirmed_by_other = filter(lambda item: item != addr, confirmed_by_other)
 
         if addr and not confirmed_by_other:
-            addr.confirmed = True
             user = addr.claimed_by_user(include_pending=True)
+            if do_auth_check and not user.pending:
+                # pending is ok, since you can't be logged in to your account yet :)
+                require_authenticated()
+                if c.user != user:
+                    flash('You must be logged in to the correct account', 'warning')
+                    # raising HTTPUnauthorized does this same logic, but doesn't preserve
the flash() message
+                    # so we have to do similar logic as LoginRedirectMiddleware right here
+                    login_url = tg.config.get('auth.login_url', '/auth/')
+                    return_to = request.environ['PATH_INFO']
+                    if request.environ.get('QUERY_STRING'):
+                        return_to += '?' + request.environ['QUERY_STRING']
+                    redirect(login_url, {'return_to': return_to})
+
+            addr.confirmed = True
             flash('Email address confirmed')
             h.auditlog_user('Email address verified: %s',  addr.email, user=user)
             if(user.get_pref('email_address') == None):
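Review bot: The new `do_auth_check` parameter switches off the only check that ties the confirming session to the claiming account, and neither the signature nor the body documents that contract; a docstring on `_verify_addr` should state that `do_auth_check=False` skips the logged-in-user comparison and is only for callers that have already authorized the confirmation themselves, which at present is the admin branch in `PreferencesController` (second hunk of this file). The login redirect target is assembled by hand from `PATH_INFO` plus `QUERY_STRING`, which omits any `SCRIPT_NAME` prefix the application is mounted under; if `request` is the WebOb request, `return_to = request.path_qs` yields the same value with the prefix included and replaces the three lines. `if do_auth_check and not user.pending:` dereferences `user` before the pre-existing code below does, so this only changes behaviour if `claimed_by_user(include_pending=True)` can return None, which is not visible here. `_verify_addr`'s body continues past the end of the hunk.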
@@ -562,7 +575,7 @@ class PreferencesController(BaseController):
                         if not admin:
                             em.send_verification_link()
                         else:
-                            AuthController()._verify_addr(em)
+                            AuthController()._verify_addr(em, do_auth_check=False)
                     else:
                         em.send_claim_attempt()
 

http://git-wip-us.apache.org/repos/asf/allura/blob/abc3b8e7/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 2b957b9..232ff16 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -67,7 +67,7 @@ class TestAuth(TestController):
         ThreadLocalORMSession.flush_all()
         r = self.app.get('/auth/verify_addr', params=dict(a='foo'))
         assert json.loads(self.webflash(r))['status'] == 'error', self.webflash(r)
-        ea = M.EmailAddress.find().first()
+        ea = M.EmailAddress.find({'email': email}).first()
         r = self.app.get('/auth/verify_addr', params=dict(a=ea.nonce))
         assert json.loads(self.webflash(r))['status'] == 'ok', self.webflash(r)
         r = self.app.get('/auth/logout')
@@ -357,6 +357,37 @@ class TestAuth(TestController):
         email = M.EmailAddress.find(dict(email=email_address, claimed_by_user_id=user._id)).first()
         assert not email.confirmed
 
+    def test_verify_addr_correct_session(self):
+        self.app.get('/')  # establish session
+        email_address = 'test_abcd@domain.net'
+
+        # test-user claimed email address
+        user = M.User.query.get(username='test-user')
+        user.claim_address(email_address)
+        email = M.EmailAddress.find(dict(email=email_address, claimed_by_user_id=user._id)).first()
+        email.confirmed = False
+        ThreadLocalORMSession.flush_all()
+
+        self.app.post('/auth/send_verification_link',
+                      params=dict(a=email_address,
+                                  _session_id=self.app.cookies['_session_id']),
+                      extra_environ=dict(username='test-user'))
+
+        # logged out, gets redirected to login page
+        r = self.app.get('/auth/verify_addr', params=dict(a=email.nonce), extra_environ=dict(username='*anonymous'))
+        assert_in('/auth/?return_to=%2Fauth%2Fverify_addr', r.location)
+
+        # logged in as someone else
+        r = self.app.get('/auth/verify_addr', params=dict(a=email.nonce), extra_environ=dict(username='test-admin'))
+        assert_in('/auth/?return_to=%2Fauth%2Fverify_addr', r.location)
+        assert_equal('You must be logged in to the correct account', json.loads(self.webflash(r))['message'])
+        assert_equal('warning', json.loads(self.webflash(r))['status'])
+
+        # logged in as correct user
+        r = self.app.get('/auth/verify_addr', params=dict(a=email.nonce), extra_environ=dict(username='test-user'))
+        assert_in('confirmed', json.loads(self.webflash(r))['message'])
+        assert_equal('ok', json.loads(self.webflash(r))['status'])
+
     @staticmethod
     def _create_password_reset_hash():
         """ Generates a password reset token for a given user.

