diff --git a/rootfs/api/tests/test_auth.py b/rootfs/api/tests/test_auth.py
index 3d40df9f7..7b55c354d 100644
--- a/rootfs/api/tests/test_auth.py
+++ b/rootfs/api/tests/test_auth.py
@@ -258,10 +258,20 @@ def test_passwd(self):
 url = '/v2/auth/register'
 response = self.client.post(url, submit)
 self.assertEqual(response.status_code, 201, response.data)
- # change password
+ # change password without new password
 url = '/v2/auth/passwd'
 user = User.objects.get(username=username)
 token = Token.objects.get(user=user).key
+ response = self.client.post(url, {},
+ HTTP_AUTHORIZATION='token {}'.format(token))
+ self.assertEqual(response.status_code, 400, response.data)
+ self.assertEqual(response.data, {'detail': 'new_password is a required field'})
+ # change password without password field
+ response = self.client.post(url, {'new_password': 'test'},
+ HTTP_AUTHORIZATION='token {}'.format(token))
+ self.assertEqual(response.status_code, 400, response.data)
+ self.assertEqual(response.data, {'detail': 'password is a required field'})
+ # change password
 submit = {
 'password': 'password2',
 'new_password': password,
diff --git a/rootfs/api/views.py b/rootfs/api/views.py
index 0e0651f72..c73d57ec4 100644
--- a/rootfs/api/views.py
+++ b/rootfs/api/views.py
@@ -93,6 +93,9 @@ def destroy(self, request, **kwargs):
 return Response(status=status.HTTP_204_NO_CONTENT)
 
 def passwd(self, request, **kwargs):
+ if not request.data.get('new_password'):
+ raise DeisException("new_password is a required field")
+
 caller_obj = self.get_object()
 target_obj = self.get_object()
 if request.data.get('username'):
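Review bot: The added cases in `test_passwd` exercise only a regular user, so the superuser path that `views.py` changes in the same commit (its new `if not caller_obj.is_superuser:` wrapper skips the current-password comparison even when `password` is supplied, where the old condition still compared it) has no assertion here. A case that authenticates as a superuser, posts `{'password': 'wrong', 'new_password': password}` to `/v2/auth/passwd` and pins the status code the project intends would keep that behaviour change from going unnoticed. Asserting the exact `{'detail': ...}` body for the two 400 cases is fine, but it couples the test to the message wording, so a comment saying the message is part of the API contract would help the next editor. `test_passwd` begins and ends outside this hunk.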
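Review bot: The guard added at the top of `passwd` only checks that `new_password` is present, so as far as these hunks show any non-empty value (the test sends `'test'`) reaches the password setter without a length or strength check. Django's `password_validation.validate_password(request.data['new_password'], user=target_obj)` could be called once `target_obj` is resolved, converting its `ValidationError` into the same `DeisException` the hunk raises so the client still gets a 400. Note also that the presence check runs before the username/permission branch, so a caller who would otherwise be refused with `PermissionDenied` is first told about the missing field; placing the check after that branch keeps authorization first. `passwd` continues past the end of this hunk.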
@@ -102,7 +105,9 @@ def passwd(self, request, **kwargs):
 else:
 raise PermissionDenied()
- if request.data.get('password') or not caller_obj.is_superuser:
+ if not caller_obj.is_superuser:
+ if not request.data.get('password'):
+ raise DeisException("password is a required field")
 if not target_obj.check_password(request.data['password']):
 raise AuthenticationFailed('Current password does not match')