Get username from auth not from form

When editing a user's profile or disabling a user, use the user from request.authenticated_userid not the username submitted in the form. Remove username from the schema so the form submission doesn't need to contain it. The change email form was getting a validation error back from the server because it didn't submit the username in the form - now it doesn't need to. Fixes #2441.
hypothesis · Aug 19, 2015 · 972b4bc · 972b4bc
1 parent 58ded83
commit 972b4bc
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 10 deletions.
diff --git a/h/accounts/schemas.py b/h/accounts/schemas.py
@@ -193,8 +193,6 @@ class ProfileSchema(CSRFSchema):
     This form is broken into multiple parts, for updating the email address,
     password, and subscriptions, so multiple fields are nullable.
     """
-
-    username = colander.SchemaNode(colander.String())
     pwd = colander.SchemaNode(
         colander.String(),
         widget=deform.widget.PasswordWidget(),

diff --git a/h/accounts/test/views_test.py b/h/accounts/test/views_test.py
@@ -945,8 +945,8 @@ def test_disable_user_with_invalid_password(form_validator, user_model):
     request = DummyRequest(method='POST')
     form_validator.return_value = (None, {"username": "john", "pwd": "doe"})
 
-    # With an invalid password, get_user returns None
-    user_model.get_user.return_value = None
+    # With an invalid password, validate_user() returns False.
+    user_model.validate_user.return_value = False
 
     profile = ProfileController(request)
     result = profile.disable_user()
@@ -962,7 +962,7 @@ def test_disable_user_sets_random_password(form_validator, user_model):
     form_validator.return_value = (None, {"username": "john", "pwd": "doe"})
 
     user = FakeUser(password='abc')
-    user_model.get_user.return_value = user
+    user_model.get_by_userid.return_value = user
 
     profile = ProfileController(request)
     profile.disable_user()

diff --git a/h/accounts/views.py b/h/accounts/views.py
@@ -467,12 +467,10 @@ def disable_user(self):
         if err is not None:
             return err
 
-        username = appstruct['username']
-        pwd = appstruct['pwd']
+        user = User.get_by_userid(
+            self.request.domain, self.request.authenticated_userid)
 
-        # Password check
-        user = User.get_user(username, pwd)
-        if user:
+        if User.validate_user(user, appstruct['pwd']):  # Password check.
             # TODO: maybe have an explicit disabled flag in the status
             user.password = User.generate_random_password()
             self.request.session.flash(_('Account disabled.'), 'success')