astakos: Minor improvements in email change process

- Explicit handling of invalid email change activation code. - Permission denied response if user is authenticated and email change code is assigned to another user. - Improve logging - Updated tests

astakos: Minor improvements in email change process
- Explicit handling of invalid email change activation code. - Permission denied response if user is authenticated and email change code is assigned to another user. - Improve logging - Updated tests
61191b7d · Kostas Papadimitriou · 915ea275 · 61191b7d · 61191b7d
Commit 61191b7d authored May 20, 2013 by Kostas Papadimitriou
--- a/snf-astakos-app/astakos/im/tests/auth.py
+++ b/snf-astakos-app/astakos/im/tests/auth.py
@@ -650,9 +650,16 @@ class UserActionsTests(TestCase):
        change2 = EmailChange.objects.get()

        r = self.client.get(change1.get_url())
-        self.assertEquals(r.status_code, 302)
+        self.assertEquals(r.status_code, 404)
        self.client.logout()

+        invalid_client = Client()
+        r = invalid_client.post('/im/local?',
+                                {'username': 'existing@synnefo.org',
+                                 'password': 'password'})
+        r = invalid_client.get(change2.get_url(), follow=True)
+        self.assertEquals(r.status_code, 403)
+
        r = self.client.post('/im/local?next=' + change2.get_url(),
                             {'username': 'kpap@synnefo.org',
                              'password': 'password',
@@ -819,7 +826,8 @@ class TestAuthProviderViews(TestCase):
        self.assertEqual(local_provider.get_login_policy, False)

        cl_olduser.logout()
-        login_data = {'username': 'olduser@synnefo.org', 'password': 'password'}
+        login_data = {'username': 'olduser@synnefo.org',
+                      'password': 'password'}
        r = cl_olduser.post('/im/local', login_data, follow=True)
        self.assertContains(r, "href='/im/login/shibboleth'>Academic login")
        Group.objects.all().delete()

--- a/snf-astakos-app/astakos/im/views.py
+++ b/snf-astakos-app/astakos/im/views.py
@@ -781,14 +781,28 @@ def change_email(request, activation_key=None,

    if activation_key:
        try:
-            user = EmailChange.objects.change_email(activation_key)
-            if request.user.is_authenticated() and \
-                request.user == user or not \
+            try:
+                email_change = EmailChange.objects.get(
+                    activation_key=activation_key)
+            except EmailChange.DoesNotExist:
+                transaction.rollback()
+                logger.error("[change-email] Invalid or used activation "
+                             "code, %s", activation_key)
+                raise Http404
+
+            if (request.user.is_authenticated() and \
+                request.user == email_change.user) or not \
                    request.user.is_authenticated():
+                user = EmailChange.objects.change_email(activation_key)
                msg = _(astakos_messages.EMAIL_CHANGED)
                messages.success(request, msg)
                transaction.commit()
                return HttpResponseRedirect(reverse('edit_profile'))
+            else:
+                logger.error("[change-email] Access from invalid user, %s %s",
+                             email_change.user, request.user.log_display)
+                transaction.rollback()
+                raise PermissionDenied
        except ValueError, e:
            messages.error(request, e)
            transaction.rollback()