You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@allura.apache.org by ke...@apache.org on 2018/02/09 17:52:54 UTC
[1/2] allura git commit: Ensure after a pwd reset,
you can still log in. Test improvements.
Repository: allura
Updated Branches:
refs/heads/master b87747c84 -> 57d9f1944
Ensure after a pwd reset, you can still log in. Test improvements.
In normal allura usage (including from this test), not much triggers
a session to be created for anonymous users. The only thing I could
find was e.g. /p/test/code/123/tree/branches/foo.txt?diff=531621c0b9363c46a3906b8a:122&diformat=sidebyside
which saves 'diformat' in the session. Custom code could do so also.
*If* that happens, then we need to ensure that the current session
is preserved through the password reset, so that logging in still
works.
The test is not very strong (passes even without the change) since
it doesn't do anything to cause a session gets created. It seemed
out of place to create code repo and fetch a diff url, within this
test.
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/a5fd39a7
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/a5fd39a7
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/a5fd39a7
Branch: refs/heads/master
Commit: a5fd39a7d223968c49ca1a78f5c4fc69a5b98d12
Parents: d9a4fc1
Author: Dave Brondsema <da...@brondsema.net>
Authored: Thu Feb 8 11:37:13 2018 -0500
Committer: Dave Brondsema <da...@brondsema.net>
Committed: Thu Feb 8 11:37:13 2018 -0500
----------------------------------------------------------------------
Allura/allura/controllers/auth.py | 1 +
Allura/allura/tests/functional/test_auth.py | 57 +++++++++++++++++-------
2 files changed, 41 insertions(+), 17 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/a5fd39a7/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 0299abd..12523cc 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -174,6 +174,7 @@ class AuthController(BaseController):
user = self._validate_hash(hash)
user.set_password(pw)
user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='') # Clear password reset token
+ user.set_tool_data('allura', pwd_reset_preserve_session=session.id)
h.auditlog_user('Password changed (through recovery process)', user=user)
flash('Password changed')
redirect('/auth/?return_to=/') # otherwise the default return_to would be the forgotten_password referrer page
http://git-wip-us.apache.org/repos/asf/allura/blob/a5fd39a7/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 54e2dff..59c9428 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -1337,6 +1337,11 @@ class TestPreferences(TestController):
class TestPasswordReset(TestController):
test_primary_email = 'testprimaryaddr@mail.com'
+ def setUp(self):
+ super(TestPasswordReset, self).setUp()
+ # so test-admin isn't automatically logged in for all requests
+ self.app.extra_environ = {'disable_auth_magic': 'True'}
+
@patch('allura.tasks.mail_tasks.sendmail')
@patch('allura.lib.helpers.gen_message_id')
def test_email_unconfirmed(self, gen_message_id, sendmail):
@@ -1413,20 +1418,38 @@ class TestPasswordReset(TestController):
def test_password_reset(self, gen_message_id, sendmail):
self.app.get('/') # establish session
user = M.User.query.get(username='test-admin')
- email = M.EmailAddress.find(
- {'claimed_by_user_id': user._id}).first()
+ email = M.EmailAddress.find({'claimed_by_user_id': user._id}).first()
email.confirmed = True
ThreadLocalORMSession.flush_all()
old_pw_hash = user.password
- with td.audits('Password recovery link sent to: '+ email.email, user=True):
+
+ # request a reset
+ with td.audits('Password recovery link sent to: ' + email.email, user=True):
r = self.app.post('/auth/password_recovery_hash', {'email': email.email,
'_session_id': self.app.cookies['_session_id'],
})
+ # confirm some fields
hash = user.get_tool_data('AuthPasswordReset', 'hash')
hash_expiry = user.get_tool_data('AuthPasswordReset', 'hash_expiry')
assert hash is not None
assert hash_expiry is not None
+ # confirm email sent
+ text = '''Your username is test-admin
+
+To reset your password on %s, please visit the following URL:
+
+%s/auth/forgotten_password/%s''' % (config['site_name'], config['base_url'], hash)
+ sendmail.post.assert_called_once_with(
+ sender='noreply@localhost',
+ toaddr=email.email,
+ fromaddr=u'"{}" <{}>'.format(config['site_name'], config['forgemail.return_path']),
+ reply_to=config['forgemail.return_path'],
+ subject='Allura Password recovery',
+ message_id=gen_message_id(),
+ text=text)
+
+ # load reset form and fill it out
r = self.app.get('/auth/forgotten_password/%s' % hash)
assert_in('Enter a new password for: test-admin', r)
assert_in('New Password:', r)
@@ -1436,31 +1459,31 @@ class TestPasswordReset(TestController):
with td.audits('Password changed \(through recovery process\)', user=True):
# escape parentheses, so they would not be treated as regex group
r = form.submit()
+
+ # confirm password changed and works
user = M.User.query.get(username='test-admin')
assert_not_equal(old_pw_hash, user.password)
provider = plugin.LocalAuthenticationProvider(None)
assert_true(provider._validate_password(user, new_password))
- text = '''Your username is test-admin
-
-To reset your password on %s, please visit the following URL:
-
-%s/auth/forgotten_password/%s''' % (config['site_name'], config['base_url'], hash)
-
- sendmail.post.assert_called_once_with(
- sender='noreply@localhost',
- toaddr=email.email,
- fromaddr=u'"{}" <{}>'.format(config['site_name'], config['forgemail.return_path']),
- reply_to=config['forgemail.return_path'],
- subject='Allura Password recovery',
- message_id=gen_message_id(),
- text=text)
+ # confirm reset fields cleared
user = M.User.query.get(username='test-admin')
hash = user.get_tool_data('AuthPasswordReset', 'hash')
hash_expiry = user.get_tool_data('AuthPasswordReset', 'hash_expiry')
assert_equal(hash, '')
assert_equal(hash_expiry, '')
+ # confirm can log in now in same session
+ r = r.follow()
+ assert 'Log Out' not in r, r
+ form = r.forms[0]
+ encoded = self.app.antispam_field_names(r.form)
+ form[encoded['username']] = 'test-admin'
+ form[encoded['password']] = new_password
+ r = form.submit(status=302)
+ r = r.follow()
+ assert 'Log Out' in r, r
+
@patch('allura.tasks.mail_tasks.sendsimplemail')
@patch('allura.lib.helpers.gen_message_id')
def test_hash_expired(self, gen_message_id, sendmail):
[2/2] allura git commit: Merge commit
'a5fd39a7d223968c49ca1a78f5c4fc69a5b98d12'
Posted by ke...@apache.org.
Merge commit 'a5fd39a7d223968c49ca1a78f5c4fc69a5b98d12'
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/57d9f194
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/57d9f194
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/57d9f194
Branch: refs/heads/master
Commit: 57d9f19442c70a350fa342c1c5624cfb0e1e3fd8
Parents: b87747c a5fd39a
Author: Kenton Taylor <kt...@slashdotmedia.com>
Authored: Fri Feb 9 17:52:44 2018 +0000
Committer: Kenton Taylor <kt...@slashdotmedia.com>
Committed: Fri Feb 9 17:52:44 2018 +0000
----------------------------------------------------------------------
Allura/allura/controllers/auth.py | 1 +
Allura/allura/tests/functional/test_auth.py | 57 +++++++++++++++++-------
2 files changed, 41 insertions(+), 17 deletions(-)
----------------------------------------------------------------------