From 77772429e81edc36a43f9fe42e3d54f6bc0ad47a Mon Sep 17 00:00:00 2001
From: Joshua Anderson
Date: Wed, 3 Aug 2016 10:23:15 -0700
Subject: [PATCH] fix(passwd): raise 400 when password is not a parameter
---
rootfs/api/tests/test_auth.py | 12 +++++++++++-
rootfs/api/views.py | 7 ++++++-
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/rootfs/api/tests/test_auth.py b/rootfs/api/tests/test_auth.py
index 3d40df9f7..7b55c354d 100644
--- a/rootfs/api/tests/test_auth.py
+++ b/rootfs/api/tests/test_auth.py
@@ -258,10 +258,20 @@ def test_passwd(self):
 url = '/v2/auth/register'
 response = self.client.post(url, submit)
 self.assertEqual(response.status_code, 201, response.data)
- # change password
+ # change password without new password
 url = '/v2/auth/passwd'
 user = User.objects.get(username=username)
 token = Token.objects.get(user=user).key
+ response = self.client.post(url, {},
+ HTTP_AUTHORIZATION='token {}'.format(token))
+ self.assertEqual(response.status_code, 400, response.data)
+ self.assertEqual(response.data, {'detail': 'new_password is a required field'})
+ # change password without password field
+ response = self.client.post(url, {'new_password': 'test'},
+ HTTP_AUTHORIZATION='token {}'.format(token))
+ self.assertEqual(response.status_code, 400, response.data)
+ self.assertEqual(response.data, {'detail': 'password is a required field'})
+ # change password
 submit = {
 'password': 'password2',
 'new_password': password,
diff --git a/rootfs/api/views.py b/rootfs/api/views.py
index 0e0651f72..c73d57ec4 100644
--- a/rootfs/api/views.py
+++ b/rootfs/api/views.py
@@ -93,6 +93,9 @@ def destroy(self, request, **kwargs):
 return Response(status=status.HTTP_204_NO_CONTENT)

 def passwd(self, request, **kwargs):
+ if not request.data.get('new_password'):
+ raise DeisException("new_password is a required field")
+
 caller_obj = self.get_object()
 target_obj = self.get_object()
 if request.data.get('username'):
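Review bot: The two new requests each repeat `HTTP_AUTHORIZATION='token {}'.format(token)`, and the existing request after the `submit` dict presumably repeats it a third time; binding it once, `auth = {'HTTP_AUTHORIZATION': 'token {}'.format(token)}` and then `self.client.post(url, {}, **auth)`, keeps each new call on one line and makes the three cases read as a sequence. The new assertions only cover the branch where `password` is required, and whether the user registered here is a superuser is not visible in the hunk; if the suite has no case where a superuser omits `password` and is accepted, it is worth adding next to these so the conditional in the view is pinned from both sides. test_passwd continues outside the hunk at both ends.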
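Review bot: `passwd` still has no docstring even though the new check at the top of the hunk makes part of its input contract explicit; a docstring stating that `new_password` is always required, that `password` (the caller's current password) is required and verified only when the caller is not a superuser, and what `username` selects (that branch is only partly visible here) would record the contract where callers look. The truthiness test `if not request.data.get('new_password'):` also rejects an empty string with the "required" wording, which looks intended for a password but deserves a one-line comment such as `# empty string counts as missing: a blank password is never set`. The second hunk, whose end lies outside this view, replaces `if request.data.get('password') or not caller_obj.is_superuser:` with a check that runs only for non-superusers, so a superuser who does supply a current password no longer has it verified — confirm that loosening is intended rather than a side effect of the required-field fix. The body of passwd continues past this hunk.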
@@ -102,7 +105,9 @@ def passwd(self, request, **kwargs):
 else:
 raise PermissionDenied()
- if request.data.get('password') or not caller_obj.is_superuser:
+ if not caller_obj.is_superuser:
+ if not request.data.get('password'):
+ raise DeisException("password is a required field")
 if not target_obj.check_password(request.data['password']):
 raise AuthenticationFailed('Current password does not match')