From ded3400b52ca6a41098dd5ba1f6f047aed11824f Mon Sep 17 00:00:00 2001
From: amercader
Date: Mon, 11 May 2015 14:13:32 +0100
Subject: [PATCH] [#2379] Add reset for reset_key on successful password change
Test adapted for older CKAN versions
---
 ckan/controllers/user.py | 3 +--
 ckan/tests/functional/test_user.py | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/ckan/controllers/user.py b/ckan/controllers/user.py
index 83269c10059..71666637698 100644
--- a/ckan/controllers/user.py
+++ b/ckan/controllers/user.py
@@ -399,8 +399,6 @@ def request_reset(self):
 def perform_reset(self, id):
 # FIXME 403 error for invalid key is a non helpful page
- # FIXME We should reset the reset key when it is used to prevent
- # reuse of the url
 context = {'model': model, 'session': model.Session, 'user': c.user, 'keep_sensitive_data': True}
@@ -430,6 +428,7 @@ def perform_reset(self, id):
 user_dict['password'] = new_password
 user_dict['reset_key'] = c.reset_key
 user = get_action('user_update')(context, user_dict)
+ mailer.create_reset_key(user_obj)
 h.flash_success(_("Your password has been reset."))
 h.redirect_to('/')
diff --git a/ckan/tests/functional/test_user.py b/ckan/tests/functional/test_user.py
index 6b8baf3e62c..28183a68a18 100644
--- a/ckan/tests/functional/test_user.py
+++ b/ckan/tests/functional/test_user.py
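Review bot: The key rotation at `mailer.create_reset_key(user_obj)` runs as a separate step after `user_update` has already stored the new password, so if that call fails the password is changed while the emailed link stays valid. `user_obj` is bound outside this hunk, so it is worth confirming that it is the same user `user_update` just modified and that `create_reset_key` persists the new key (inferred, not visible here). Since the commit removes the FIXME that explained the intent, a one-line comment above the call would keep the reason visible: `# Rotate the reset key so the emailed link cannot be used again`. perform_reset's body starts and ends outside the hunk.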
@@ -935,3 +935,23 @@ def test_perform_reset_user_password_link_user_incorrect(self):
 id='randomness', # i.e. incorrect
 key='randomness')
 res = self.app.get(offset, status=404)
+
+ def test_perform_reset_for_key_change(self):
+ from ckan.lib.mailer import create_reset_key
+
+ CreateTestData.create_user('jack', email='a@a.com')
+ user = model.User.by_name(u'jack')
+ create_reset_key(user)
+ key = user.reset_key
+ password = 'password'
+ params = {'password1': password, 'password2': password}
+
+ offset = url_for(controller='user',
+ action='perform_reset',
+ id=user.id,
+ key=user.reset_key)
+
+ res = self.app.post(offset, params=params, extra_environ={'REMOTE_USER': str(user.name)})
+
+ user = model.User.by_name(u'jack')
+ assert key != user.reset_key
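Review bot: `test_perform_reset_for_key_change` only asserts that the stored key differs afterwards (`assert key != user.reset_key`); it never checks that the original link is refused, which is the property the fix is meant to guarantee. A second request with the original `offset` would pin that, e.g. `self.app.post(offset, params=params, status=403)`. The 403 is inferred from the FIXME in `perform_reset` about invalid keys, so confirm the status the controller really returns. The response of the first post (`res`) is not checked either, so the test does not show that the reset itself succeeded before the key changed.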