Merge 1fc84ce03e into aa677d51c0

rest_auth/locale/de/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-02-02 14:11+0100\n"
+"POT-Creation-Date: 2016-10-14 10:21+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -18,82 +18,78 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 
-#: registration/serializers.py:54
+#: registration/serializers.py:52
 msgid "View is not defined, pass it as a context variable"
 msgstr "\"View\" ist nicht definiert, übergib es als Contextvariable"
 
-#: registration/serializers.py:59
+#: registration/serializers.py:57
 msgid "Define adapter_class in view"
 msgstr "Definier \"adapter_class\" in view"
 
-#: registration/serializers.py:78
+#: registration/serializers.py:76
 msgid "Define callback_url in view"
 msgstr "Definier \"callback_url\" in view"
 
-#: registration/serializers.py:82
+#: registration/serializers.py:80
 msgid "Define client_class in view"
 msgstr "Definier \"client_class\" in view"
 
-#: registration/serializers.py:102
+#: registration/serializers.py:100
 msgid "Incorrect input. access_token or code is required."
 msgstr "Falsche Eingabe. \"access_token\" oder \"code\" erforderlich."
 
-#: registration/serializers.py:111
+#: registration/serializers.py:109
 msgid "Incorrect value"
 msgstr "Falscher Wert."
 
-#: registration/serializers.py:140
+#: registration/serializers.py:138
 msgid "A user is already registered with this e-mail address."
 msgstr "Ein User mit dieser E-Mail Adresse ist schon registriert."
 
-#: registration/serializers.py:148
+#: registration/serializers.py:146
 msgid "The two password fields didn't match."
 msgstr "Die beiden Passwörter sind nicht identisch."
 
-#: registration/views.py:64
+#: registration/views.py:79
 msgid "ok"
 msgstr "Ok"
 
-#: serializers.py:29
+#: serializers.py:30
 msgid "Must include \"email\" and \"password\"."
 msgstr "Muss \"email\" und \"password\" enthalten."
 
-#: serializers.py:40
+#: serializers.py:41
 msgid "Must include \"username\" and \"password\"."
 msgstr "Muss \"username\" und \"password\" enthalten."
 
-#: serializers.py:53
+#: serializers.py:54
 msgid "Must include either \"username\" or \"email\" and \"password\"."
 msgstr "Muss entweder \"username\" oder \"email\" und password \"password\""
 
-#: serializers.py:94
+#: serializers.py:95
 msgid "User account is disabled."
 msgstr "Der Useraccount ist deaktiviert."
 
-#: serializers.py:97
+#: serializers.py:98
 msgid "Unable to log in with provided credentials."
 msgstr "Kann nicht mit den angegeben Zugangsdaten anmelden."
 
-#: serializers.py:106
+#: serializers.py:105
 msgid "E-mail is not verified."
 msgstr "E-Mail Adresse ist nicht verifiziert."
 
-#: serializers.py:152
+#: views.py:120
-msgid "Error"
-msgstr "Fehler"
-
-#: views.py:71
 msgid "Successfully logged out."
 msgstr "Erfolgreich ausgeloggt."
 
-#: views.py:111
+#: views.py:161
 msgid "Password reset e-mail has been sent."
 msgstr "Die E-Mail zum Zurücksetzen des Passwortes wurde verschickt."
 
-#: views.py:132
+#: views.py:182
 msgid "Password has been reset with the new password."
 msgstr "Das Passwort wurde mit dem neuen Passwort ersetzt."
 
-#: views.py:150
+#: views.py:200
 msgid "New password has been saved."
 msgstr "Das neue Passwort wurde gespeichert."

rest_auth/serializers.py

@@ -2,6 +2,7 @@ from django.contrib.auth import get_user_model, authenticate
 from django.conf import settings
 from django.contrib.auth.forms import PasswordResetForm, SetPasswordForm
 from django.contrib.auth.tokens import default_token_generator
+from django.core.exceptions import ObjectDoesNotExist
 from django.utils.http import urlsafe_base64_decode as uid_decoder
 from django.utils.translation import ugettext_lazy as _
 from django.utils.encoding import force_text
@@ -101,10 +102,22 @@ class LoginSerializer(serializers.Serializer):
         # If required, is the email verified?
         if 'rest_auth.registration' in settings.INSTALLED_APPS:
             from allauth.account import app_settings
+
+            email_not_verified_msg = _('E-mail is not verified.')
+
             if app_settings.EMAIL_VERIFICATION == app_settings.EmailVerificationMethod.MANDATORY:
-                email_address = user.emailaddress_set.get(email=user.email)
+                # The authenticated user must not strictly be an instance of AUTH_USER_MODEL,
+                # depending on used authentication backends
+                if not hasattr(user, 'emailaddress_set'):
+                    raise serializers.ValidationError(email_not_verified_msg)
+
+                try:
+                    email_address = user.emailaddress_set.get(email=user.email)
+                except ObjectDoesNotExist:
+                    raise serializers.ValidationError(email_not_verified_msg)
+
                 if not email_address.verified:
-                    raise serializers.ValidationError(_('E-mail is not verified.'))
+                    raise serializers.ValidationError(email_not_verified_msg)
 
         attrs['user'] = user
         return attrs

rest_auth/tests/test_api.py

@@ -10,6 +10,21 @@ from allauth.account import app_settings as account_app_settings
 from .test_base import BaseAPITestCase
 
 
+class CustomUser(object):
+    """
+    User without `emailaddress_set`.
+    Should not be able to login via API.
+    """
+
+    is_active = True
+
+
+class CustomUserAuthenticationBackend(object):
+
+    def authenticate(self, *args, **kwargs):
+        return CustomUser()
+
+
 @override_settings(ROOT_URLCONF="tests.urls")
 class APITestCase1(TestCase, BaseAPITestCase):
     """
@@ -468,6 +483,61 @@ class APITestCase1(TestCase, BaseAPITestCase):
         self._login()
         self._logout()
 
+    @override_settings(
+        ACCOUNT_EMAIL_VERIFICATION='mandatory',
+        ACCOUNT_EMAIL_REQUIRED=True,
+        ACCOUNT_EMAIL_CONFIRMATION_HMAC=False
+    )
+    def test_registration_with_email_verification_but_missing_email_address(self):
+        """
+        Possible if user was created without using the register API, e.g. in admin backend.
+        """
+
+        UserModel = get_user_model()
+        user = UserModel(username=self.USERNAME)
+        user.set_password(self.PASS)
+        user.save()
+
+        payload = {
+            "username": self.USERNAME,
+            "password": self.PASS,
+        }
+
+        response = self.post(
+            self.login_url,
+            data=payload,
+            status=status.HTTP_400_BAD_REQUEST
+        )
+
+        # Check against localized message to be sure that the user could not login because of an unverified email
+        self.assertEqual(response.data['non_field_errors'], ['E-mail is not verified.'])
+
+    @override_settings(
+        ACCOUNT_EMAIL_VERIFICATION='mandatory',
+        ACCOUNT_EMAIL_REQUIRED=True,
+        ACCOUNT_EMAIL_CONFIRMATION_HMAC=False,
+        AUTHENTICATION_BACKENDS=['rest_auth.tests.test_api.CustomUserAuthenticationBackend', 'django.contrib.auth.backends.ModelBackend']
+    )
+    def test_registration_with_email_verification_and_custom_authentication_backend(self):
+        """
+        Authenticated user must not strictly be of type AUTH_USER_MODEL.
+        Thus, it is possible that there is also not an email address associated to the user.
+        """
+
+        payload = {
+            "username": self.USERNAME,
+            "password": self.PASS,
+        }
+
+        response = self.post(
+            self.login_url,
+            data=payload,
+            status=status.HTTP_400_BAD_REQUEST
+        )
+
+        # Check against localized message to be sure that the user could not login because of an unverified email
+        self.assertEqual(response.data['non_field_errors'], ['E-mail is not verified.'])
+
     @override_settings(ACCOUNT_LOGOUT_ON_GET=True)
     def test_logout_on_get(self):
         payload = {