[#2379] Add reset for reset_key on successful password change

Test adapted for older CKAN versions

ckan/controllers/user.py

@@ -399,8 +399,6 @@ def request_reset(self):
 
     def perform_reset(self, id):
         # FIXME 403 error for invalid key is a non helpful page
-        # FIXME We should reset the reset key when it is used to prevent
-        # reuse of the url
         context = {'model': model, 'session': model.Session,
                    'user': c.user,
                    'keep_sensitive_data': True}
@@ -430,6 +428,7 @@ def perform_reset(self, id):
                 user_dict['password'] = new_password
                 user_dict['reset_key'] = c.reset_key
                 user = get_action('user_update')(context, user_dict)
+                mailer.create_reset_key(user_obj)
 
                 h.flash_success(_("Your password has been reset."))
                 h.redirect_to('/')

ckan/tests/functional/test_user.py

@@ -935,3 +935,23 @@ def test_perform_reset_user_password_link_user_incorrect(self):
                          id='randomness',  # i.e. incorrect
                          key='randomness')
         res = self.app.get(offset, status=404)
+
+    def test_perform_reset_for_key_change(self):
+        from ckan.lib.mailer import create_reset_key
+
+        CreateTestData.create_user('jack', email='a@a.com')
+        user = model.User.by_name(u'jack')
+        create_reset_key(user)
+        key = user.reset_key
+        password = 'password'
+        params = {'password1': password, 'password2': password}
+
+        offset = url_for(controller='user',
+                         action='perform_reset',
+                         id=user.id,
+                         key=user.reset_key)
+
+        res = self.app.post(offset, params=params, extra_environ={'REMOTE_USER': str(user.name)})
+
+        user = model.User.by_name(u'jack')
+        assert key != user.reset_key