This repository was archived by the owner on May 6, 2020. It is now read-only.
Merged
12 changes: 11 additions & 1 deletion rootfs/api/tests/test_auth.py
@@ -258,10 +258,20 @@ def test_passwd(self):
url = '/v2/auth/register'
response = self.client.post(url, submit)
self.assertEqual(response.status_code, 201, response.data)
# change password
# change password without new password
url = '/v2/auth/passwd'
user = User.objects.get(username=username)
token = Token.objects.get(user=user).key
response = self.client.post(url, {},
HTTP_AUTHORIZATION='token {}'.format(token))
self.assertEqual(response.status_code, 400, response.data)
self.assertEqual(response.data, {'detail': 'new_password is a required field'})
# change password without password field
response = self.client.post(url, {'new_password': 'test'},
HTTP_AUTHORIZATION='token {}'.format(token))
self.assertEqual(response.status_code, 400, response.data)
self.assertEqual(response.data, {'detail': 'password is a required field'})
# change password
submit = {
'password': 'password2',
'new_password': password,
7 changes: 6 additions & 1 deletion rootfs/api/views.py
@@ -93,6 +93,9 @@ def destroy(self, request, **kwargs):
return Response(status=status.HTTP_204_NO_CONTENT)

def passwd(self, request, **kwargs):
if not request.data.get('new_password'):
raise DeisException("new_password is a required field")

caller_obj = self.get_object()
target_obj = self.get_object()
if request.data.get('username'):
@@ -102,7 +105,9 @@ def passwd(self, request, **kwargs):
else:
raise PermissionDenied()

if request.data.get('password') or not caller_obj.is_superuser:
if not caller_obj.is_superuser:
if not request.data.get('password'):
raise DeisException("password is a required field")
if not target_obj.check_password(request.data['password']):
raise AuthenticationFailed('Current password does not match')

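Review bot: In the second hunk, `if not caller_obj.is_superuser:` exempts a superuser from the current-password check even when no `username` is sent and the superuser is changing their own password, and a `password` value the superuser does supply is no longer verified at all. Because the endpoint is authenticated by API token (see the `HTTP_AUTHORIZATION='token {}'` calls in the test hunk), possession of a superuser token alone would then be enough to reset that account's password. I would key the check on the target as well as the role, e.g. `if not caller_obj.is_superuser or target_obj == caller_obj:`, and add a test for the superuser path, which the visible test hunk does not exercise. The lines between the two hunks and the rest of `passwd` are outside the diff, so this reads only the visible branches.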