From b928ed878018508df1b301c301b83a7de09f3f6a Mon Sep 17 00:00:00 2001
From: amercader
Date: Fri, 8 May 2015 14:02:17 +0100
Subject: [PATCH] [#2370] add reset for reset_key on successful password change Adapted for this branch tests
---
 ckan/controllers/user.py | 3 +--
 ckan/new_tests/controllers/test_user.py | 28 +++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 ckan/new_tests/controllers/test_user.py
diff --git a/ckan/controllers/user.py b/ckan/controllers/user.py
index 92adaf6ad15..b9fe6ce6c01 100644
--- a/ckan/controllers/user.py
+++ b/ckan/controllers/user.py
@@ -445,8 +445,6 @@ def request_reset(self):
 def perform_reset(self, id):
 # FIXME 403 error for invalid key is a non helpful page
- # FIXME We should reset the reset key when it is used to prevent
- # reuse of the url
 context = {'model': model, 'session': model.Session, 'user': id, 'keep_email': True}
@@ -477,6 +475,7 @@ def perform_reset(self, id):
 user_dict['reset_key'] = c.reset_key
 user_dict['state'] = model.State.ACTIVE
 user = get_action('user_update')(context, user_dict)
+ mailer.create_reset_key(user_obj)
 h.flash_success(_("Your password has been reset."))
 h.redirect_to('/')
diff --git a/ckan/new_tests/controllers/test_user.py b/ckan/new_tests/controllers/test_user.py
new file mode 100644
index 00000000000..b52c189138e
--- /dev/null
+++ b/ckan/new_tests/controllers/test_user.py
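Review bot: In the second user.py hunk the key rotation is a separate step that runs only after `user_update` has returned, so if `mailer.create_reset_key(user_obj)` raises, or the request ends between the two calls, the new password is presumably already saved while the emailed link stays usable. The context line `user_dict['reset_key'] = c.reset_key` also still passes the used key into `user_update` just before it is replaced. Consider invalidating the key as part of the same update, and in any case replace the removed FIXME with a statement of intent above the new call, e.g. `# Rotate the reset key so the emailed link cannot be replayed`. How `user_obj` is obtained and which exceptions the surrounding code handles cannot be checked here, because perform_reset starts and ends outside the hunk.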
@@ -0,0 +1,28 @@
+from nose.tools import assert_true, assert_false
+
+from routes import url_for
+
+import ckan.new_tests.helpers as helpers
+import ckan.new_tests.factories as factories
+from ckan.lib.mailer import create_reset_key
+
+
+class TestPackageControllerNew(helpers.FunctionalTestBase):
+
+ def test_perform_reset_for_key_change(self):
+ password = 'password'
+ params = {'password1': password, 'password2': password}
+ user = factories.User()
+ user_obj = helpers.model.User.by_name(user['name'])
+ create_reset_key(user_obj)
+ key = user_obj.reset_key
+
+ app = self._get_test_app()
+ offset = url_for(controller='user',
+ action='perform_reset',
+ id=user_obj.id,
+ key=user_obj.reset_key)
+ response = app.post(offset, params=params, status=302)
+ user_obj = helpers.model.User.by_name(user['name']) # Update user_obj
+
+ assert_true(key != user_obj.reset_key)
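Review bot: The final assertion only shows that the stored `reset_key` value differs after the POST; it never shows that the old link is refused, which is the property the change exists to guarantee. Replaying the same request after the first one, e.g. `app.post(offset, params=params, status=403)`, would pin that (403 is the status the FIXME in perform_reset mentions for an invalid key, so confirm it against the controller). The class is named `TestPackageControllerNew` although it exercises the user controller, and both the `assert_false` import and the `response` variable are unused.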