[#2370] add reset for reset_key on successful password change

Adapted for this branch tests

ckan/controllers/user.py

@@ -445,8 +445,6 @@ def request_reset(self):
 
     def perform_reset(self, id):
         # FIXME 403 error for invalid key is a non helpful page
-        # FIXME We should reset the reset key when it is used to prevent
-        # reuse of the url
         context = {'model': model, 'session': model.Session,
                    'user': id,
                    'keep_email': True}
@@ -477,6 +475,7 @@ def perform_reset(self, id):
                 user_dict['reset_key'] = c.reset_key
                 user_dict['state'] = model.State.ACTIVE
                 user = get_action('user_update')(context, user_dict)
+                mailer.create_reset_key(user_obj)
 
                 h.flash_success(_("Your password has been reset."))
                 h.redirect_to('/')

ckan/new_tests/controllers/test_user.py

@@ -0,0 +1,28 @@
+from nose.tools import assert_true, assert_false
+
+from routes import url_for
+
+import ckan.new_tests.helpers as helpers
+import ckan.new_tests.factories as factories
+from ckan.lib.mailer import create_reset_key
+
+
+class TestPackageControllerNew(helpers.FunctionalTestBase):
+
+    def test_perform_reset_for_key_change(self):
+        password = 'password'
+        params = {'password1': password, 'password2': password}
+        user = factories.User()
+        user_obj = helpers.model.User.by_name(user['name'])
+        create_reset_key(user_obj)
+        key = user_obj.reset_key
+
+        app = self._get_test_app()
+        offset = url_for(controller='user',
+                         action='perform_reset',
+                         id=user_obj.id,
+                         key=user_obj.reset_key)
+        response = app.post(offset, params=params, status=302)
+        user_obj = helpers.model.User.by_name(user['name'])  # Update user_obj
+
+        assert_true(key != user_obj.reset_key)