Posted to commits@allura.apache.org by br...@apache.org on 2016/09/09 18:11:43 UTC

[1/2] allura git commit: [#8125] require user to be logged in to their account to verify a new email address

Repository: allura
Updated Branches:
  refs/heads/master 32ebab900 -> abc3b8e76


[#8125] require user to be logged in to their account to verify a new email address


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/abc3b8e7
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/abc3b8e7
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/abc3b8e7

Branch: refs/heads/master
Commit: abc3b8e76d4abb30f550bce77daf9207e2897f93
Parents: 9abd808
Author: Dave Brondsema <da...@brondsema.net>
Authored: Thu Sep 8 12:26:05 2016 -0400
Committer: Dave Brondsema <da...@brondsema.net>
Committed: Fri Sep 9 14:11:35 2016 -0400

----------------------------------------------------------------------
 Allura/allura/controllers/auth.py           | 19 +++++++++++---
 Allura/allura/tests/functional/test_auth.py | 33 +++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/abc3b8e7/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 3c665cf..2009515 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -261,13 +261,26 @@ class AuthController(BaseController):
             flash('No such address', 'error')
         redirect(request.referer)
 
-    def _verify_addr(self, addr):
+    def _verify_addr(self, addr, do_auth_check=True):
         confirmed_by_other = M.EmailAddress.find(dict(email=addr.email, confirmed=True)).all() if addr else []
         confirmed_by_other = filter(lambda item: item != addr, confirmed_by_other)
 
         if addr and not confirmed_by_other:
-            addr.confirmed = True
             user = addr.claimed_by_user(include_pending=True)
+            if do_auth_check and not user.pending:
+                # pending is ok, since you can't be logged in to your account yet :)
+                require_authenticated()
+                if c.user != user:
+                    flash('You must be logged in to the correct account', 'warning')
+                    # raising HTTPUnauthorized does this same logic, but doesn't preserve the flash() message
+                    # so we have to do similar logic as LoginRedirectMiddleware right here
+                    login_url = tg.config.get('auth.login_url', '/auth/')
+                    return_to = request.environ['PATH_INFO']
+                    if request.environ.get('QUERY_STRING'):
+                        return_to += '?' + request.environ['QUERY_STRING']
+                    redirect(login_url, {'return_to': return_to})
+
+            addr.confirmed = True
             flash('Email address confirmed')
             h.auditlog_user('Email address verified: %s',  addr.email, user=user)
             if(user.get_pref('email_address') == None):
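Review bot: The new `do_auth_check` keyword on `_verify_addr` is undocumented, and the function now has two distinct contracts — a user-initiated link click that must come from the claiming user's own session, and the admin path in PreferencesController (line 74 of this page) that deliberately skips the check — with only the inline note about pending users hinting at either. A docstring would make the bypass visible to the next caller, e.g. `"""Confirm addr. If do_auth_check, the claiming user must be the logged-in user (pending users are exempt, since they cannot log in yet); the admin path in PreferencesController passes do_auth_check=False."""`. The check reads `user.pending` before anything guards `user` against being None; the later `user.get_pref(...)` call already assumed a user, so this is presumably safe, but worth confirming that `claimed_by_user(include_pending=True)` cannot return None for a found address. `_verify_addr`'s body continues past the end of the hunk.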
@@ -562,7 +575,7 @@ class PreferencesController(BaseController):
                         if not admin:
                             em.send_verification_link()
                         else:
-                            AuthController()._verify_addr(em)
+                            AuthController()._verify_addr(em, do_auth_check=False)
                     else:
                         em.send_claim_attempt()
 

http://git-wip-us.apache.org/repos/asf/allura/blob/abc3b8e7/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 2b957b9..232ff16 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -67,7 +67,7 @@ class TestAuth(TestController):
         ThreadLocalORMSession.flush_all()
         r = self.app.get('/auth/verify_addr', params=dict(a='foo'))
         assert json.loads(self.webflash(r))['status'] == 'error', self.webflash(r)
-        ea = M.EmailAddress.find().first()
+        ea = M.EmailAddress.find({'email': email}).first()
         r = self.app.get('/auth/verify_addr', params=dict(a=ea.nonce))
         assert json.loads(self.webflash(r))['status'] == 'ok', self.webflash(r)
         r = self.app.get('/auth/logout')
@@ -357,6 +357,37 @@ class TestAuth(TestController):
         email = M.EmailAddress.find(dict(email=email_address, claimed_by_user_id=user._id)).first()
         assert not email.confirmed
 
+    def test_verify_addr_correct_session(self):
+        self.app.get('/')  # establish session
+        email_address = 'test_abcd@domain.net'
+
+        # test-user claimed email address
+        user = M.User.query.get(username='test-user')
+        user.claim_address(email_address)
+        email = M.EmailAddress.find(dict(email=email_address, claimed_by_user_id=user._id)).first()
+        email.confirmed = False
+        ThreadLocalORMSession.flush_all()
+
+        self.app.post('/auth/send_verification_link',
+                      params=dict(a=email_address,
+                                  _session_id=self.app.cookies['_session_id']),
+                      extra_environ=dict(username='test-user'))
+
+        # logged out, gets redirected to login page
+        r = self.app.get('/auth/verify_addr', params=dict(a=email.nonce), extra_environ=dict(username='*anonymous'))
+        assert_in('/auth/?return_to=%2Fauth%2Fverify_addr', r.location)
+
+        # logged in as someone else
+        r = self.app.get('/auth/verify_addr', params=dict(a=email.nonce), extra_environ=dict(username='test-admin'))
+        assert_in('/auth/?return_to=%2Fauth%2Fverify_addr', r.location)
+        assert_equal('You must be logged in to the correct account', json.loads(self.webflash(r))['message'])
+        assert_equal('warning', json.loads(self.webflash(r))['status'])
+
+        # logged in as correct user
+        r = self.app.get('/auth/verify_addr', params=dict(a=email.nonce), extra_environ=dict(username='test-user'))
+        assert_in('confirmed', json.loads(self.webflash(r))['message'])
+        assert_equal('ok', json.loads(self.webflash(r))['status'])
+
     @staticmethod
     def _create_password_reset_hash():
         """ Generates a password reset token for a given user.


[2/2] allura git commit: [#8125] delete unused file (from openid login days)

Posted by br...@apache.org.
[#8125] delete unused file (from openid login days)


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/9abd8080
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/9abd8080
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/9abd8080

Branch: refs/heads/master
Commit: 9abd808063af2b45c79c66620ea8125e07423fcb
Parents: 32ebab9
Author: Dave Brondsema <da...@brondsema.net>
Authored: Thu Sep 8 12:25:20 2016 -0400
Committer: Dave Brondsema <da...@brondsema.net>
Committed: Fri Sep 9 14:11:35 2016 -0400

----------------------------------------------------------------------
 Allura/allura/templates/custom_login.html | 29 --------------------------
 1 file changed, 29 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/9abd8080/Allura/allura/templates/custom_login.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/custom_login.html b/Allura/allura/templates/custom_login.html
deleted file mode 100644
index 94f130b..0000000
--- a/Allura/allura/templates/custom_login.html
+++ /dev/null
@@ -1,29 +0,0 @@
-{#-
-       Licensed to the Apache Software Foundation (ASF) under one
-       or more contributor license agreements.  See the NOTICE file
-       distributed with this work for additional information
-       regarding copyright ownership.  The ASF licenses this file
-       to you under the Apache License, Version 2.0 (the
-       "License"); you may not use this file except in compliance
-       with the License.  You may obtain a copy of the License at
-
-         http://www.apache.org/licenses/LICENSE-2.0
-
-       Unless required by applicable law or agreed to in writing,
-       software distributed under the License is distributed on an
-       "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-       KIND, either express or implied.  See the License for the
-       specific language governing permissions and limitations
-       under the License.
--#}
-{% extends g.theme.master %}
-
-{% block title %}{{title}}{% endblock %}
-
-{% block header %}{{prompt}}{% endblock %}
-
-{% block content %}
-    <div id="loginform">
-      {{form|safe}}
-    </div>
-{% endblock %}