Commit 61191b7d authored by Kostas Papadimitriou's avatar Kostas Papadimitriou

astakos: Minor improvements in email change process

- Explicit handling of invalid email change activation code.
- Permission denied response if user is authenticated and email change code
  is assigned to another user.
- Improve logging
- Updated tests
parent 915ea275
......@@ -650,9 +650,16 @@ class UserActionsTests(TestCase):
change2 = EmailChange.objects.get()
r = self.client.get(change1.get_url())
self.assertEquals(r.status_code, 302)
self.assertEquals(r.status_code, 404)
self.client.logout()
invalid_client = Client()
r = invalid_client.post('/im/local?',
{'username': 'existing@synnefo.org',
'password': 'password'})
r = invalid_client.get(change2.get_url(), follow=True)
self.assertEquals(r.status_code, 403)
r = self.client.post('/im/local?next=' + change2.get_url(),
{'username': 'kpap@synnefo.org',
'password': 'password',
......@@ -819,7 +826,8 @@ class TestAuthProviderViews(TestCase):
self.assertEqual(local_provider.get_login_policy, False)
cl_olduser.logout()
login_data = {'username': 'olduser@synnefo.org', 'password': 'password'}
login_data = {'username': 'olduser@synnefo.org',
'password': 'password'}
r = cl_olduser.post('/im/local', login_data, follow=True)
self.assertContains(r, "href='/im/login/shibboleth'>Academic login")
Group.objects.all().delete()
......@@ -781,14 +781,28 @@ def change_email(request, activation_key=None,
if activation_key:
try:
user = EmailChange.objects.change_email(activation_key)
if request.user.is_authenticated() and \
request.user == user or not \
try:
email_change = EmailChange.objects.get(
activation_key=activation_key)
except EmailChange.DoesNotExist:
transaction.rollback()
logger.error("[change-email] Invalid or used activation "
"code, %s", activation_key)
raise Http404
if (request.user.is_authenticated() and \
request.user == email_change.user) or not \
request.user.is_authenticated():
user = EmailChange.objects.change_email(activation_key)
msg = _(astakos_messages.EMAIL_CHANGED)
messages.success(request, msg)
transaction.commit()
return HttpResponseRedirect(reverse('edit_profile'))
else:
logger.error("[change-email] Access from invalid user, %s %s",
email_change.user, request.user.log_display)
transaction.rollback()
raise PermissionDenied
except ValueError, e:
messages.error(request, e)
transaction.rollback()
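Review bot: The `logger.error` in the new `EmailChange.DoesNotExist` branch writes the raw `activation_key` taken from the URL into the log, so any unauthenticated client can place arbitrary text in the error log and a mistyped-but-nearly-valid code (still secret-like) is recorded verbatim; prefer `logger.warning("[change-email] Invalid or used activation code (len=%d)", len(activation_key))` or otherwise bound the logged value and keep the level at warning, since this is an expected client error rather than a server fault. Separately, `user = EmailChange.objects.change_email(activation_key)` now binds a name that nothing in the hunk reads, because the ownership check uses `email_change.user`; either drop the assignment or use the return value. The `get()` and the later `change_email()` are two separate queries on the same key, so a code consumed in between would presumably surface through the existing `except ValueError` path rather than the 404 — a one-line comment such as `# second lookup: change_email() re-validates and consumes the code` would make that intentional. change_email's signature is at the hunk header and its body continues past the hunk.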