update session auth hash on password change

nitely · Mar 31, 2015 · caf2d1d · caf2d1d
1 parent 6a3ccd1
commit caf2d1d
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/spirit/views/user.py b/spirit/views/user.py
@@ -5,7 +5,7 @@
 from django.contrib.auth.decorators import login_required
 from django.shortcuts import render, redirect, get_object_or_404
 from django.core.urlresolvers import reverse
-from django.contrib.auth import get_user_model
+from django.contrib.auth import get_user_model, update_session_auth_hash
 from django.contrib.auth.views import login as login_view
 from django.contrib.auth.views import password_reset, logout
 from django.contrib.auth.forms import PasswordChangeForm
@@ -159,6 +159,7 @@ def profile_password_change(request):
 
         if form.is_valid():
             form.save()
+            update_session_auth_hash(request, form.user)
             messages.info(request, _("Your password has been changed!"))
             return redirect(reverse('spirit:profile-update'))
     else:

diff --git a/tests/tests_user.py b/tests/tests_user.py
@@ -4,10 +4,10 @@
 
 import datetime
 
-from django.test import TestCase
+from django.test import TestCase, RequestFactory
 from django.core.urlresolvers import reverse
 from django.core.cache import cache
-from django.contrib.auth import get_user_model
+from django.contrib.auth import get_user_model, HASH_SESSION_KEY
 from django.core import mail
 from django.utils.translation import ugettext as _
 from django.utils import timezone
@@ -445,6 +445,23 @@ def test_profile_password_change(self):
         response = self.client.get(reverse('spirit:profile-password-change'))
         self.assertEqual(response.status_code, 200)
 
+    def test_profile_password_change_re_login(self):
+        """
+        Changing the password should invalidate the session
+        """
+        user = utils.create_user(password="foo")
+        utils.login(self, user=user, password="foo")
+        old_hash = self.client.session[HASH_SESSION_KEY]
+
+        form_data = {'old_password': 'foo',
+                     'new_password1': 'bar',
+                     'new_password2': 'bar'}
+        response = self.client.post(reverse('spirit:profile-password-change'), form_data)
+        expected_url = reverse("spirit:profile-update")
+        self.assertRedirects(response, expected_url, status_code=302)
+
+        self.assertNotEqual(old_hash, self.client.session[HASH_SESSION_KEY])
+
     def test_registration_activation(self):
         """
         registration activation