fix #47 - PasswordResetConfirm doesn't check token

This commit is contained in:
Mateusz Sikora 2015-01-27 16:52:54 +01:00
parent 60c0f949f4
commit 2158fffd2a
2 changed files with 34 additions and 4 deletions

View File

@ -11,6 +11,7 @@ from django.contrib.auth.tokens import default_token_generator
from rest_framework import serializers
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.serializers import AuthTokenSerializer
from rest_framework.exceptions import ValidationError
class LoginSerializer(AuthTokenSerializer):
@ -101,18 +102,17 @@ class PasswordResetConfirmSerializer(serializers.Serializer):
uid = uid_decoder(attrs['uid'])
self.user = UserModel._default_manager.get(pk=uid)
except (TypeError, ValueError, OverflowError, UserModel.DoesNotExist):
self._errors['uid'] = ['Invalid value']
raise ValidationError({'uid': ['Invalid value']})
self.custom_validation(attrs)
# Construct SetPasswordForm instance
self.set_password_form = self.set_password_form_class(user=self.user,
data=attrs)
if not self.set_password_form.is_valid():
self._errors['token'] = ['Invalid value']
raise ValidationError({'token': ['Invalid value']})
if not default_token_generator.check_token(self.user, attrs['token']):
self._errors['token'] = ['Invalid value']
raise ValidationError({'token': ['Invalid value']})
return attrs

View File

@ -293,6 +293,36 @@ class APITestCase1(TestCase, BaseAPITestCase):
self.assertEqual(len(mail.outbox), mail_count + 1)
url_kwargs = self._generate_uid_and_token(user)
url = reverse('rest_password_reset_confirm')
# wrong token
data = {
'new_password1': self.NEW_PASS,
'new_password2': self.NEW_PASS,
'uid': url_kwargs['uid'],
'token': '-wrong-token-'
}
self.post(url, data=data, status_code=400)
# wrong uid
data = {
'new_password1': self.NEW_PASS,
'new_password2': self.NEW_PASS,
'uid': '-wrong-uid-',
'token': url_kwargs['token']
}
self.post(url, data=data, status_code=400)
# wrong token and uid
data = {
'new_password1': self.NEW_PASS,
'new_password2': self.NEW_PASS,
'uid': '-wrong-uid-',
'token': '-wrong-token-'
}
self.post(url, data=data, status_code=400)
# valid payload
data = {
'new_password1': self.NEW_PASS,
'new_password2': self.NEW_PASS,