Posted to commits@allura.apache.org by br...@apache.org on 2014/06/20 17:52:19 UTC

[02/15] git commit: [#7432] ticket:598 Fix set_password for local auth provider

[#7432] ticket:598 Fix set_password for local auth provider

Properly handle the case when an old password is provided


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/7e5737a2
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/7e5737a2
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/7e5737a2

Branch: refs/heads/master
Commit: 7e5737a28712936048c4637ca40dad1fafabc2ea
Parents: 0ffaee3
Author: Igor Bondarenko <je...@gmail.com>
Authored: Wed Jun 4 18:07:45 2014 +0300
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Fri Jun 20 15:39:17 2014 +0000

----------------------------------------------------------------------
 Allura/allura/lib/plugin.py            |  8 ++++++--
 Allura/allura/model/auth.py            |  2 +-
 Allura/allura/tests/model/test_auth.py | 19 +++++++++++++++++--
 3 files changed, 24 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/7e5737a2/Allura/allura/lib/plugin.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index df1116c..340c27e 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -300,8 +300,12 @@ class LocalAuthenticationProvider(AuthenticationProvider):
         return M.User.query.get(username=rex, disabled=False)
 
     def set_password(self, user, old_password, new_password):
-        user.password = self._encode_password(new_password)
-        user.last_password_updated = datetime.utcnow()
+        if old_password is not None and not self.validate_password(user, old_password):
+            raise exc.HTTPUnauthorized()
+        else:
+            user.password = self._encode_password(new_password)
+            user.last_password_updated = datetime.utcnow()
+            session(user).flush(user)
 
     def _encode_password(self, password, salt=None):
         from allura import model as M
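Review bot: The `None` sentinel on `old_password` disables the current-password verification entirely, and nothing on `set_password` records that contract, so any future caller that passes `None` gets an unverified password change (`User.set_password` in this same commit already does). Add a docstring making the bypass explicit, e.g. `"""Change the user's password. old_password=None skips verification and must only be passed by a caller that has already authorized the change; request-driven paths must pass the user-supplied value."""`. As a point of style the `else:` after the `raise` is unnecessary, so the assignment and flush can be dedented to the method body. I cannot see from this hunk whether `session` is imported in plugin.py; the new test stubs `user.__ming__`, which presumably means the ming session is intended, but that should be confirmed.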

http://git-wip-us.apache.org/repos/asf/allura/blob/7e5737a2/Allura/allura/model/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/auth.py b/Allura/allura/model/auth.py
index c7b1004..932dd17 100644
--- a/Allura/allura/model/auth.py
+++ b/Allura/allura/model/auth.py
@@ -652,7 +652,7 @@ class User(MappedClass, ActivityNode, ActivityObject):
 
     def set_password(self, new_password):
         return plugin.AuthenticationProvider.get(request).set_password(
-            self, self.password, new_password)
+            self, None, new_password)
 
     @classmethod
     def anonymous(cls):
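Review bot: `User.set_password` now unconditionally bypasses the provider's current-password check by passing `None`, but the method carries no docstring saying so, so a reader of the model API cannot tell it is an unverified setter. Add `"""Set the password without verifying the current one; the caller is responsible for authorizing the change. For user-driven changes call AuthenticationProvider.set_password with the old password the user supplied."""`. The removed line passed `self.password`, the stored hash, which would never have validated, so the new form at least makes the intent explicit rather than accidental.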

http://git-wip-us.apache.org/repos/asf/allura/blob/7e5737a2/Allura/allura/tests/model/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/model/test_auth.py b/Allura/allura/tests/model/test_auth.py
index 748b920..6389002 100644
--- a/Allura/allura/tests/model/test_auth.py
+++ b/Allura/allura/tests/model/test_auth.py
@@ -28,9 +28,10 @@ from nose.tools import (
     assert_not_in,
     assert_in,
     assert_true,
+    assert_raises,
 )
 from pylons import tmpl_context as c, app_globals as g
-from webob import Request
+from webob import Request, exc
 from mock import patch, Mock
 from datetime import datetime, timedelta
 
@@ -62,11 +63,25 @@ class TestLocalAuthenticationProvider(object):
         assert ep('test_pass') != ep('test_pass')
         assert ep('test_pass', '0000') == ep('test_pass', '0000')
 
+    def test_set_password_with_old_password(self):
+        user = Mock()
+        user.__ming__ = Mock()
+        self.provider.validate_password = lambda u, p: False
+        assert_raises(
+            exc.HTTPUnauthorized,
+            self.provider.set_password, user, 'old', 'new')
+        assert_equal(user._encode_password.call_count, 0)
+
+        self.provider.validate_password = lambda u, p: True
+        self.provider.set_password(user, 'old', 'new')
+        user._encode_password.assert_callued_once_with('new')
+
     def test_set_password_sets_last_updated(self):
         user = Mock()
+        user.__ming__ = Mock()
         user.last_password_updated = None
         now1 = datetime.utcnow()
-        self.provider.set_password(user, '', '')
+        self.provider.set_password(user, None, 'new')
         now2 = datetime.utcnow()
         assert_true(user.last_password_updated > now1)
         assert_true(user.last_password_updated < now2)
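Review bot: `assert_callued_once_with` on the last line of `test_set_password_with_old_password` is misspelled, and on a `mock.Mock` an unknown attribute is simply auto-created and returned, so that line asserts nothing. The check is also aimed at the wrong object: `set_password` calls `self._encode_password` on the provider, not on the user, so `user._encode_password` is never touched and both the `call_count == 0` assertion and the final one pass vacuously. Stub the provider's encoder instead: `self.provider._encode_password = Mock()` at the top of the test, `assert_equal(self.provider._encode_password.call_count, 0)` after the `assert_raises`, and `self.provider._encode_password.assert_called_once_with('new')` at the end. If `self.provider` is shared between tests (its setup is outside this hunk), prefer `patch.object(self.provider, '_encode_password')` so the stub is undone.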