Posted to commits@allura.apache.org by jo...@apache.org on 2013/11/07 23:00:07 UTC
git commit: [#6783] Return 404 for forgot password pages if disabled
Updated Branches:
refs/heads/master 7c7b19773 -> 4122b0f41
[#6783] Return 404 for forgot password pages if disabled
Signed-off-by: Cory Johns <cj...@slashdotmedia.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/4122b0f4
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/4122b0f4
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/4122b0f4
Branch: refs/heads/master
Commit: 4122b0f419312cbcf67214689888d7ef152a7244
Parents: 7c7b197
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Thu Nov 7 21:59:33 2013 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Thu Nov 7 21:59:33 2013 +0000
----------------------------------------------------------------------
Allura/allura/controllers/auth.py | 8 ++++++++
Allura/allura/tests/functional/test_auth.py | 10 ++++++++++
2 files changed, 18 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/4122b0f4/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 35bcf81..d945394 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -173,6 +173,8 @@ class AuthController(BaseController):
@expose('jinja:allura:templates/forgotten_password.html')
def forgotten_password(self, hash=None, **kw):
provider = plugin.AuthenticationProvider.get(request)
+ if not provider.forgotten_password_process:
+ raise wexc.HTTPNotFound()
if not hash:
c.forgotten_password_form = F.forgotten_password_form
else:
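Review bot: The disabled-provider guard is written out three times, in `forgotten_password` here and again in the `set_new_password` and `password_recovery_hash` hunks, so a reset-related handler added later has to remember to copy it, and forgetting it fails open. Moving the check into one private method on `AuthController` that each handler calls first keeps the gate in a single place. Reading the flag with `getattr(provider, 'forgotten_password_process', False)` would also treat a provider that does not define the attribute as disabled instead of raising; whether the base provider always defines it is not visible in this diff. In the two POST handlers the guard sits in the body behind `@require_post()`, so a GET to those URLs is presumably still answered by the method check rather than with 404. All three function bodies continue outside their hunks.

```python
    def _require_forgotten_password(self):
        # Single gate for every password-reset handler; a missing attribute counts as disabled.
        provider = plugin.AuthenticationProvider.get(request)
        if not getattr(provider, 'forgotten_password_process', False):
            raise wexc.HTTPNotFound()
        return provider

    def forgotten_password(self, hash=None, **kw):
        provider = self._require_forgotten_password()
        # … unchanged: form selection and hash validation …
```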
@@ -184,6 +186,9 @@ class AuthController(BaseController):
@require_post()
@validate(F.recover_password_change_form, error_handler=forgotten_password)
def set_new_password(self, hash=None, pw=None, pw2=None):
+ provider = plugin.AuthenticationProvider.get(request)
+ if not provider.forgotten_password_process:
+ raise wexc.HTTPNotFound()
user = self._validate_hash(hash)
user.set_password(pw)
user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')
@@ -194,6 +199,9 @@ class AuthController(BaseController):
@require_post()
@validate(F.forgotten_password_form, error_handler=forgotten_password)
def password_recovery_hash(self, email=None, **kw):
+ provider = plugin.AuthenticationProvider.get(request)
+ if not provider.forgotten_password_process:
+ raise wexc.HTTPNotFound()
if not email:
redirect('/')
user_record = M.User.by_email_address(email)
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/4122b0f4/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 7919206..4bb106d 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -797,6 +797,16 @@ To reset your password on %s, please visit the following URL:
r = self.app.post('/auth/set_new_password/%s' % hash.encode('utf-8'), {'pw': '154321', 'pw2': '154321'})
assert_in('Unable to process reset, please try again', r.follow().body)
+ @patch('allura.lib.plugin.AuthenticationProvider')
+ def test_provider_disabled(self, AP):
+ user = M.User.query.get(username='test-admin')
+ ap = AP.get()
+ ap.forgotten_password_process = False
+ ap.authenticate_request()._id = user._id
+ self.app.get('/auth/forgotten_password', status=404)
+ self.app.post('/auth/set_new_password', {'pw': 'foo', 'pw2': 'foo'}, status=404)
+ self.app.post('/auth/password_recovery_hash', {'email': 'foo'}, status=404)
+
class TestOAuth(TestController):
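Review bot: The two POST assertions in `test_provider_disabled` may not reach the guards added to `set_new_password` and `password_recovery_hash`. Both handlers are decorated with `@validate(..., error_handler=forgotten_password)`, so if `{'pw': 'foo', 'pw2': 'foo'}` or `{'email': 'foo'}` fails form validation (the validators are not visible here), the 404 comes from the guard in `forgotten_password` and the test would still pass with the other two checks removed. Posting values that pass validation, for example the `'154321'` password used a few lines above and a well-formed address for `email`, would pin each handler's own check. A comment such as `# inputs must pass form validation so each handler's own guard returns the 404` would record why.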