Merge pull request #2872 from Zharktas/2870-require-password-when-cha…

…nging-email #2870: require password when changing email
ckan · Mar 10, 2016 · 6674419 · 6674419
2 parents ca8b046 + f4c31b2
commit 6674419
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/ckan/controllers/user.py b/ckan/controllers/user.py
@@ -323,7 +323,10 @@ def _save_edit(self, id, context):
             context['message'] = data_dict.get('log_message', '')
             data_dict['id'] = id
 
-            if data_dict['password1'] and data_dict['password2']:
+            email_changed = data_dict['email'] != c.userobj.email
+
+            if (data_dict['password1'] and data_dict['password2']) \
+                    or email_changed:
                 identity = {'login': c.user,
                             'password': data_dict['old_password']}
                 auth = authenticator.UsernamePasswordAuthenticator()

diff --git a/ckan/tests/controllers/test_user.py b/ckan/tests/controllers/test_user.py
@@ -246,6 +246,37 @@ def test_edit_user(self):
         assert_equal(user.about, 'new about')
         assert_equal(user.activity_streams_email_notifications, True)
 
+    def test_email_change_without_password(self):
+
+        app = self._get_test_app()
+        env, response, user = _get_user_edit_page(app)
+
+        form = response.forms['user-edit-form']
+
+        # new values
+        form['email'] = 'new@example.com'
+
+        # factory returns user with password 'pass'
+        form.fields['old_password'][0].value = 'wrong-pass'
+
+        response = webtest_submit(form, 'save', status=200, extra_environ=env)
+        assert_true('Old Password: incorrect password' in response)
+
+    def test_email_change_with_password(self):
+        app = self._get_test_app()
+        env, response, user = _get_user_edit_page(app)
+
+        form = response.forms['user-edit-form']
+
+        # new values
+        form['email'] = 'new@example.com'
+
+        # factory returns user with password 'pass'
+        form.fields['old_password'][0].value = 'pass'
+
+        response = submit_and_follow(app, form, env, 'save')
+        assert_true('Profile updated' in response)
+
     def test_perform_reset_for_key_change(self):
         password = 'password'
         params = {'password1': password, 'password2': password}