add old_password field in PasswordChangeSerializer, disabled by default

2024-11-22 17:16:34 +03:00 · 2014-11-12 11:51:22 +01:00 · 2014-11-12 11:51:22 +01:00 · e8a7b0bdf4
commit e8a7b0bdf4
parent 0fc4d56dae
3 changed files with 53 additions and 4 deletions
--- a/rest_auth/app_settings.py
+++ b/rest_auth/app_settings.py
@ -37,5 +37,3 @@ PasswordChangeSerializer = import_callable(
    serializers.get('PASSWORD_CHANGE_SERIALIZER',
        DefaultPasswordChangeSerializer)
 )
-
-
--- a/rest_auth/serializers.py
+++ b/rest_auth/serializers.py
@ -121,14 +121,31 @@ class PasswordResetConfirmSerializer(serializers.Serializer):

 class PasswordChangeSerializer(serializers.Serializer):

+    old_password = serializers.CharField(max_length=128)
    new_password1 = serializers.CharField(max_length=128)
    new_password2 = serializers.CharField(max_length=128)

    set_password_form_class = SetPasswordForm

+    def __init__(self, *args, **kwargs):
+        self.old_password_field_enabled = getattr(settings,
+            'OLD_PASSWORD_FIELD_ENABLED', False)
+        super(PasswordChangeSerializer, self).__init__(*args, **kwargs)
+
+        if not self.old_password_field_enabled:
+            self.fields.pop('old_password')
+
+        self.request = self.context.get('request')
+        self.user = self.request.user
+
+    def validate_old_password(self, attrs, source):
+        if self.old_password_field_enabled and \
+            not self.user.check_password(attrs.get(source, '')):
+            raise serializers.ValidationError('Invalid password')
+        return attrs
+
    def validate(self, attrs):
-        request = self.context.get('request')
-        self.set_password_form = self.set_password_form_class(user=request.user,
+        self.set_password_form = self.set_password_form_class(user=self.user,
            data=attrs)

        if not self.set_password_form.is_valid():
--- a/rest_auth/tests.py
+++ b/rest_auth/tests.py
@ -248,6 +248,40 @@ class APITestCase1(TestCase, BaseAPITestCase):
        # send empty payload
        self.post(self.password_change_url, data={}, status_code=400)

+    @override_settings(OLD_PASSWORD_FIELD_ENABLED=True)
+    def test_password_change_with_old_password(self):
+        login_payload = {
+            "username": self.USERNAME,
+            "password": self.PASS
+        }
+        User.objects.create_user(self.USERNAME, '', self.PASS)
+        self.post(self.login_url, data=login_payload, status_code=200)
+        self.token = self.response.json['key']
+
+        new_password_payload = {
+            "old_password": "%s!" % self.PASS,  # wrong password
+            "new_password1": "new_person",
+            "new_password2": "new_person"
+        }
+        self.post(self.password_change_url, data=new_password_payload,
+            status_code=400)
+
+        new_password_payload = {
+            "old_password": self.PASS,
+            "new_password1": "new_person",
+            "new_password2": "new_person"
+        }
+        self.post(self.password_change_url, data=new_password_payload,
+            status_code=200)
+
+        # user should not be able to login using old password
+        self.post(self.login_url, data=login_payload, status_code=400)
+
+        # new password should work
+        login_payload['password'] = new_password_payload['new_password1']
+        self.post(self.login_url, data=login_payload, status_code=200)
+
+
    def test_password_reset(self):
        user = User.objects.create_user(self.USERNAME, self.EMAIL, self.PASS)