heckyel/mediagoblin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/rodney757/auth_refactor'

Browse Source 
Conflicts:
	mediagoblin/auth/views.py
	mediagoblin/edit/forms.py
	mediagoblin/templates/mediagoblin/edit/edit_account.html
This commit is contained in:
Christopher Allan Webber 2013-09-19 16:04:23 -05:00
commit 74ae6fb0b6
29 changed files with 463 additions and 168 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
mediagoblin/auth/routing.py
View File

@ -25,9 +25,4 @@ auth_routes = [
('mediagoblin.auth.verify_email', '/verify_email/',
'mediagoblin.auth.views:verify_email'),
('mediagoblin.auth.resend_verification', '/resend_verification/',
'mediagoblin.auth.views:resend_activation'),
('mediagoblin.auth.forgot_password', '/forgot_password/',
'mediagoblin.auth.views:forgot_password'),
('mediagoblin.auth.verify_forgot_password',
'/forgot_password/verify/',
'mediagoblin.auth.views:verify_forgot_password')]
'mediagoblin.auth.views:resend_activation')]

37
mediagoblin/auth/tools.py
View File

@ -101,38 +101,6 @@ def send_verification_email(user, request, email=None,
rendered_email)
EMAIL_FP_VERIFICATION_TEMPLATE = (
u"{uri}?"
u"token={fp_verification_key}")
def send_fp_verification_email(user, request):
"""
Send the verification email to users to change their password.
Args:
- user: a user object
- request: the request
"""
fp_verification_key = get_timed_signer_url('mail_verification_token') \
.dumps(user.id)
rendered_email = render_template(
request, 'mediagoblin/auth/fp_verification_email.txt',
{'username': user.username,
'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format(
uri=request.urlgen('mediagoblin.auth.verify_forgot_password',
qualified=True),
fp_verification_key=fp_verification_key)})
# TODO: There is no error handling in place
send_email(
mg_globals.app_config['email_sender_address'],
[user.email],
'GNU MediaGoblin - Change forgotten password!',
rendered_email)
def basic_extra_validation(register_form, *args):
users_with_username = User.query.filter_by(
username=register_form.username.data).count()
@ -196,7 +164,10 @@ def check_auth_enabled():
def no_auth_logout(request):
"""Log out the user if authentication_disabled, but don't delete the messages"""
"""
Log out the user if no authentication is enabled, but don't delete
the messages
"""
if not mg_globals.app.auth and 'user_id' in request.session:
del request.session['user_id']
request.session.save()

3
mediagoblin/auth/views.py
View File

@ -24,11 +24,8 @@ from mediagoblin.tools.response import render_to_response, redirect, render_404
from mediagoblin.tools.translate import pass_to_ugettext as _
from mediagoblin.tools.mail import email_debug_message
from mediagoblin.tools.pluginapi import hook_handle
from mediagoblin.auth import forms as auth_forms
from mediagoblin.auth.tools import (send_verification_email, register_user,
send_fp_verification_email,
check_login_simple)
from mediagoblin import auth
@allow_registration

1
mediagoblin/edit/forms.py
View File

@ -81,6 +81,7 @@ class EditAttachmentsForm(wtforms.Form):
attachment_file = wtforms.FileField(
'File')
class EditCollectionForm(wtforms.Form):
title = wtforms.TextField(
_('Title'),

2
mediagoblin/edit/routing.py
View File

@ -24,8 +24,6 @@ add_route('mediagoblin.edit.account', '/edit/account/',
'mediagoblin.edit.views:edit_account')
add_route('mediagoblin.edit.delete_account', '/edit/account/delete/',
'mediagoblin.edit.views:delete_account')
add_route('mediagoblin.edit.pass', '/edit/password/',
'mediagoblin.edit.views:change_pass')
add_route('mediagoblin.edit.verify_email', '/edit/verify_email/',
'mediagoblin.edit.views:verify_email')
add_route('mediagoblin.edit.email', '/edit/email/',

41
mediagoblin/edit/views.py
View File

@ -23,7 +23,6 @@ from werkzeug.utils import secure_filename
from mediagoblin import messages
from mediagoblin import mg_globals
from mediagoblin import auth
from mediagoblin.auth import tools as auth_tools
from mediagoblin.edit import forms
from mediagoblin.edit.lib import may_edit_media
@ -338,46 +337,6 @@ def edit_collection(request, collection):
'form': form})
@require_active_login
def change_pass(request):
# If no password authentication, no need to change your password
if 'pass_auth' not in request.template_env.globals:
return redirect(request, 'index')
form = forms.ChangePassForm(request.form)
user = request.user
if request.method == 'POST' and form.validate():
if not auth.check_password(
form.old_password.data, user.pw_hash):
form.old_password.errors.append(
_('Wrong password'))
return render_to_response(
request,
'mediagoblin/edit/change_pass.html',
{'form': form,
'user': user})
# Password matches
user.pw_hash = auth.gen_password_hash(
form.new_password.data)
user.save()
messages.add_message(
request, messages.SUCCESS,
_('Your password was changed successfully'))
return redirect(request, 'mediagoblin.edit.account')
return render_to_response(
request,
'mediagoblin/edit/change_pass.html',
{'form': form,
'user': user})
def verify_email(request):
"""
Email verification view for changing email address

31
mediagoblin/plugins/basic_auth/__init__.py
View File

@ -13,17 +13,45 @@
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from pkg_resources import resource_filename
import os
from mediagoblin.plugins.basic_auth import forms as auth_forms
from mediagoblin.plugins.basic_auth import tools as auth_tools
from mediagoblin.auth.tools import create_basic_user
from mediagoblin.db.models import User
from mediagoblin.tools import pluginapi
from sqlalchemy import or_
from mediagoblin.tools.staticdirect import PluginStatic
PLUGIN_DIR = os.path.dirname(__file__)
def setup_plugin():
config = pluginapi.get_config('mediagoblin.plugins.basic_auth')
routes = [
('mediagoblin.plugins.basic_auth.edit.pass',
'/edit/password/',
'mediagoblin.plugins.basic_auth.views:change_pass'),
('mediagoblin.plugins.basic_auth.forgot_password',
'/auth/forgot_password/',
'mediagoblin.plugins.basic_auth.views:forgot_password'),
('mediagoblin.plugins.basic_auth.verify_forgot_password',
'/auth/forgot_password/verify/',
'mediagoblin.plugins.basic_auth.views:verify_forgot_password')]
pluginapi.register_routes(routes)
pluginapi.register_template_path(os.path.join(PLUGIN_DIR, 'templates'))
pluginapi.register_template_hooks(
{'edit_link': 'mediagoblin/plugins/basic_auth/edit_link.html',
'fp_link': 'mediagoblin/plugins/basic_auth/fp_link.html',
'fp_head': 'mediagoblin/plugins/basic_auth/fp_head.html',
'create_account':
'mediagoblin/plugins/basic_auth/create_account_link.html'})
def get_user(**kwargs):
username = kwargs.pop('username', None)
@ -85,4 +113,7 @@ hooks = {
'auth_check_password': check_password,
'auth_fake_login_attempt': auth_tools.fake_login_attempt,
'template_global_context': append_to_global_context,
'static_setup': lambda: PluginStatic(
'coreplugin_basic_auth',
resource_filename('mediagoblin.plugins.basic_auth', 'static'))
}

30
mediagoblin/plugins/basic_auth/forms.py
View File

@ -44,3 +44,33 @@ class LoginForm(wtforms.Form):
stay_logged_in = wtforms.BooleanField(
label='',
description=_('Stay logged in'))
class ForgotPassForm(wtforms.Form):
username = wtforms.TextField(
_('Username or email'),
[wtforms.validators.Required(),
normalize_user_or_email_field()])
class ChangeForgotPassForm(wtforms.Form):
password = wtforms.PasswordField(
'Password',
[wtforms.validators.Required(),
wtforms.validators.Length(min=5, max=1024)])
token = wtforms.HiddenField(
'',
[wtforms.validators.Required()])
class ChangePassForm(wtforms.Form):
old_password = wtforms.PasswordField(
_('Old password'),
[wtforms.validators.Required()],
description=_(
"Enter your old password to prove you own this account."))
new_password = wtforms.PasswordField(
_('New password'),
[wtforms.validators.Required(),
wtforms.validators.Length(min=6, max=30)],
id="password")

0
mediagoblin/static/js/autofilledin_password.js → mediagoblin/plugins/basic_auth/static/js/autofilledin_password.js
View File

2
mediagoblin/templates/mediagoblin/auth/change_fp.html → mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/change_fp.html
View File

@ -29,7 +29,7 @@
{%- endblock %}
{% block mediagoblin_content %}
<form action="{{ request.urlgen('mediagoblin.auth.verify_forgot_password') }}"
<form action="{{ request.urlgen('mediagoblin.plugins.basic_auth.verify_forgot_password') }}"
method="POST" enctype="multipart/form-data">
{{ csrf_token }}
<div class="form_box">

2
mediagoblin/templates/mediagoblin/edit/change_pass.html → mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/change_pass.html
View File

@ -31,7 +31,7 @@
{%- endblock %}
{% block mediagoblin_content %}
<form action="{{ request.urlgen('mediagoblin.edit.pass') }}"
<form action="{{ request.urlgen('mediagoblin.plugins.basic_auth.edit.pass') }}"
method="POST" enctype="multipart/form-data">
<div class="form_box edit_box">
<h1>

27
mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/create_account_link.html Normal file
View File

@ -0,0 +1,27 @@
{#
# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#}
{% block create_account %}
{% if allow_registration %}
<p>
{% trans %}Don't have an account yet?{% endtrans %}
<a href="{{ request.urlgen('mediagoblin.auth.register') }}">
{%- trans %}Create one here!{% endtrans %}</a>
</p>
{% endif %}
{% endblock %}

25
mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/edit_link.html Normal file
View File

@ -0,0 +1,25 @@
{#
# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#}
{% block change_pass_link %}
<p>
<a href="{{ request.urlgen('mediagoblin.plugins.basic_auth.edit.pass') }}">
{% trans %}Change your password.{% endtrans %}
</a>
</p>
{% endblock %}

2
mediagoblin/templates/mediagoblin/auth/forgot_password.html → mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/forgot_password.html
View File

@ -24,7 +24,7 @@
{%- endblock %}
{% block mediagoblin_content %}
<form action="{{ request.urlgen('mediagoblin.auth.forgot_password') }}"
<form action="{{ request.urlgen('mediagoblin.plugins.basic_auth.forgot_password') }}"
method="POST" enctype="multipart/form-data">
{{ csrf_token }}
<div class="form_box">

20
mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/fp_head.html Normal file
View File

@ -0,0 +1,20 @@
{#
# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#}
<script type="text/javascript"
src="{{ request.staticdirect('/js/autofilledin_password.js', 'coreplugin_basic_auth') }}"></script>

28
mediagoblin/auth/forms.py → mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/fp_link.html
View File

@ -1,3 +1,4 @@
{#
# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
#
@ -13,25 +14,12 @@
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#}
import wtforms
{% block fp_link %}
<p>
<a href="{{ request.urlgen('mediagoblin.plugins.basic_auth.forgot_password') }}" id="forgot_password">
{% trans %}Forgot your password?{% endtrans %}</a>
</p>
{% endblock %}
from mediagoblin.tools.translate import lazy_pass_to_ugettext as _
from mediagoblin.auth.tools import normalize_user_or_email_field
class ForgotPassForm(wtforms.Form):
username = wtforms.TextField(
_('Username or email'),
[wtforms.validators.Required(),
normalize_user_or_email_field()])
class ChangePassForm(wtforms.Form):
password = wtforms.PasswordField(
'Password',
[wtforms.validators.Required(),
wtforms.validators.Length(min=5, max=1024)])
token = wtforms.HiddenField(
'',
[wtforms.validators.Required()])

0
mediagoblin/templates/mediagoblin/auth/fp_verification_email.txt → mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/fp_verification_email.txt
View File

37
mediagoblin/plugins/basic_auth/tools.py
View File

@ -16,6 +16,11 @@
import bcrypt
import random
from mediagoblin import mg_globals
from mediagoblin.tools.crypto import get_timed_signer_url
from mediagoblin.tools.mail import send_email
from mediagoblin.tools.template import render_template
def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
"""
@ -82,3 +87,35 @@ def fake_login_attempt():
randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
randplus_stored_hash == randplus_hashed_pass
EMAIL_FP_VERIFICATION_TEMPLATE = (
u"{uri}?"
u"token={fp_verification_key}")
def send_fp_verification_email(user, request):
"""
Send the verification email to users to change their password.
Args:
- user: a user object
- request: the request
"""
fp_verification_key = get_timed_signer_url('mail_verification_token') \
.dumps(user.id)
rendered_email = render_template(
request, 'mediagoblin/plugins/basic_auth/fp_verification_email.txt',
{'username': user.username,
'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format(
uri=request.urlgen('mediagoblin.plugins.basic_auth.verify_forgot_password',
qualified=True),
fp_verification_key=fp_verification_key)})
# TODO: There is no error handling in place
send_email(
mg_globals.app_config['email_sender_address'],
[user.email],
'GNU MediaGoblin - Change forgotten password!',
rendered_email)

217
mediagoblin/plugins/basic_auth/views.py Normal file
View File

@ -0,0 +1,217 @@
# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from itsdangerous import BadSignature
from mediagoblin import messages
from mediagoblin.db.models import User
from mediagoblin.decorators import require_active_login
from mediagoblin.plugins.basic_auth import forms, tools
from mediagoblin.tools.crypto import get_timed_signer_url
from mediagoblin.tools.mail import email_debug_message
from mediagoblin.tools.response import redirect, render_to_response, render_404
from mediagoblin.tools.translate import pass_to_ugettext as _
def forgot_password(request):
"""
Forgot password view
Sends an email with an url to renew forgotten password.
Use GET querystring parameter 'username' to pre-populate the input field
"""
fp_form = forms.ForgotPassForm(request.form,
username=request.args.get('username'))
if not (request.method == 'POST' and fp_form.validate()):
# Either GET request, or invalid form submitted. Display the template
return render_to_response(request,
'mediagoblin/plugins/basic_auth/forgot_password.html',
{'fp_form': fp_form})
# If we are here: method == POST and form is valid. username casing
# has been sanitized. Store if a user was found by email. We should
# not reveal if the operation was successful then as we don't want to
# leak if an email address exists in the system.
found_by_email = '@' in fp_form.username.data
if found_by_email:
user = User.query.filter_by(
email=fp_form.username.data).first()
# Don't reveal success in case the lookup happened by email address.
success_message = _("If that email address (case sensitive!) is "
"registered an email has been sent with "
"instructions on how to change your password.")
else: # found by username
user = User.query.filter_by(
username=fp_form.username.data).first()
if user is None:
messages.add_message(request,
messages.WARNING,
_("Couldn't find someone with that username."))
return redirect(request, 'mediagoblin.auth.forgot_password')
success_message = _("An email has been sent with instructions "
"on how to change your password.")
if user and not(user.email_verified and user.status == 'active'):
# Don't send reminder because user is inactive or has no verified email
messages.add_message(request,
messages.WARNING,
_("Could not send password recovery email as your username is in"
"active or your account's email address has not been verified."))
return redirect(request, 'mediagoblin.user_pages.user_home',
user=user.username)
# SUCCESS. Send reminder and return to login page
if user:
email_debug_message(request)
tools.send_fp_verification_email(user, request)
messages.add_message(request, messages.INFO, success_message)
return redirect(request, 'mediagoblin.auth.login')
def verify_forgot_password(request):
"""
Check the forgot-password verification and possibly let the user
change their password because of it.
"""
# get form data variables, and specifically check for presence of token
formdata = _process_for_token(request)
if not formdata['has_token']:
return render_404(request)
formdata_vars = formdata['vars']
# Catch error if token is faked or expired
try:
token = get_timed_signer_url("mail_verification_token") \
.loads(formdata_vars['token'], max_age=10*24*3600)
except BadSignature:
messages.add_message(
request,
messages.ERROR,
_('The verification key or user id is incorrect.'))
return redirect(
request,
'index')
# check if it's a valid user id
user = User.query.filter_by(id=int(token)).first()
# no user in db
if not user:
messages.add_message(
request, messages.ERROR,
_('The user id is incorrect.'))
return redirect(
request, 'index')
# check if user active and has email verified
if user.email_verified and user.status == 'active':
cp_form = forms.ChangeForgotPassForm(formdata_vars)
if request.method == 'POST' and cp_form.validate():
user.pw_hash = tools.bcrypt_gen_password_hash(
cp_form.password.data)
user.save()
messages.add_message(
request,
messages.INFO,
_("You can now log in using your new password."))
return redirect(request, 'mediagoblin.auth.login')
else:
return render_to_response(
request,
'mediagoblin/plugins/basic_auth/change_fp.html',
{'cp_form': cp_form})
if not user.email_verified:
messages.add_message(
request, messages.ERROR,
_('You need to verify your email before you can reset your'
' password.'))
if not user.status == 'active':
messages.add_message(
request, messages.ERROR,
_('You are no longer an active user. Please contact the system'
' admin to reactivate your accoutn.'))
return redirect(
request, 'index')
def _process_for_token(request):
"""
Checks for tokens in formdata without prior knowledge of request method
For now, returns whether the userid and token formdata variables exist, and
the formdata variables in a hash. Perhaps an object is warranted?
"""
# retrieve the formdata variables
if request.method == 'GET':
formdata_vars = request.GET
else:
formdata_vars = request.form
formdata = {
'vars': formdata_vars,
'has_token': 'token' in formdata_vars}
return formdata
@require_active_login
def change_pass(request):
form = forms.ChangePassForm(request.form)
user = request.user
if request.method == 'POST' and form.validate():
if not tools.bcrypt_check_password(
form.old_password.data, user.pw_hash):
form.old_password.errors.append(
_('Wrong password'))
return render_to_response(
request,
'mediagoblin/plugins/basic_auth/change_pass.html',
{'form': form,
'user': user})
# Password matches
user.pw_hash = tools.bcrypt_gen_password_hash(
form.new_password.data)
user.save()
messages.add_message(
request, messages.SUCCESS,
_('Your password was changed successfully'))
return redirect(request, 'mediagoblin.edit.account')
return render_to_response(
request,
'mediagoblin/plugins/basic_auth/change_pass.html',
{'form': form,
'user': user})

4
mediagoblin/plugins/openid/templates/mediagoblin/plugins/openid/login.html
View File

@ -20,8 +20,8 @@
{% import "/mediagoblin/utils/wtforms.html" as wtforms_util %}
{% block mediagoblin_head %}
<script type="text/javascript"
src="{{ request.staticdirect('/js/autofilledin_password.js') }}"></script>
{{ super() }}
{% template_hook("fp_head") %}
{% endblock %}
{% block title -%}

4
mediagoblin/plugins/openid/views.py
View File

@ -195,11 +195,11 @@ def finish_login(request):
return redirect(request, "index")
else:
# No user, need to register
if not mg_globals.app.auth:
if not mg_globals.app_config['allow_registration']:
messages.add_message(
request,
messages.WARNING,
_('Sorry, authentication is disabled on this instance.'))
_('Sorry, registration is disabled on this instance.'))
return redirect(request, 'index')
# Get email and nickname from response

19
mediagoblin/templates/mediagoblin/auth/login.html
View File

@ -20,8 +20,8 @@
{% import "/mediagoblin/utils/wtforms.html" as wtforms_util %}
{% block mediagoblin_head %}
<script type="text/javascript"
src="{{ request.staticdirect('/js/autofilledin_password.js') }}"></script>
{{ super() }}
{% template_hook("fp_head") %}
{% endblock %}
{% block title -%}
@ -39,21 +39,10 @@
{% trans %}Logging in failed!{% endtrans %}
</div>
{% endif %}
{% if allow_registration %}
<p>
{% trans %}Don't have an account yet?{% endtrans %}
<a href="{{ request.urlgen('mediagoblin.auth.register') }}">
{%- trans %}Create one here!{% endtrans %}</a>
</p>
{% endif %}
{% template_hook("create_account") %}
{% template_hook("login_link") %}
{{ wtforms_util.render_divs(login_form, True) }}
{% if pass_auth %}
<p>
<a href="{{ request.urlgen('mediagoblin.auth.forgot_password') }}" id="forgot_password">
{% trans %}Forgot your password?{% endtrans %}</a>
</p>
{% endif %}
{% template_hook("fp_link") %}
<div class="form_submit_buttons">
<input type="submit" value="{% trans %}Log in{% endtrans %}" class="button_form"/>
</div>

1
mediagoblin/templates/mediagoblin/edit/edit_account.html
View File

@ -41,6 +41,7 @@
Changing {{ username }}'s account settings
{%- endtrans -%}
</h1>
{% template_hook("edit_link") %}
{{ wtforms_util.render_divs(form, True) }}
<div class="form_submit_buttons">
<input type="submit" value="{% trans %}Save changes{% endtrans %}" class="button_form" />

4
mediagoblin/tests/auth_configs/authentication_disabled_appconfig.ini
View File

@ -3,8 +3,8 @@ direct_remote_path = /test_static/
email_sender_address = "notice@mediagoblin.example.org"
email_debug_mode = true
# TODO: Switch to using an in-memory database
sql_engine = "sqlite:///%(here)s/user_dev/mediagoblin.db"
sql_engine = "sqlite://"
run_migrations = true
# Celery shouldn't be set up by the application as it's setup via
# mediagoblin.init.celery.from_celery

4
mediagoblin/tests/auth_configs/openid_appconfig.ini
View File

@ -18,8 +18,8 @@ direct_remote_path = /test_static/
email_sender_address = "notice@mediagoblin.example.org"
email_debug_mode = true
# TODO: Switch to using an in-memory database
sql_engine = "sqlite:///%(here)s/user_dev/mediagoblin.db"
sql_engine = "sqlite://"
run_migrations = true
# Celery shouldn't be set up by the application as it's setup via
# mediagoblin.init.celery.from_celery

5
mediagoblin/tests/test_auth.py
View File

@ -183,7 +183,7 @@ def test_register_views(test_app):
message = mail.EMAIL_TEST_INBOX.pop()
assert message['To'] == 'happygrrl@example.org'
email_context = template.TEMPLATE_TEST_CONTEXT[
'mediagoblin/auth/fp_verification_email.txt']
'mediagoblin/plugins/basic_auth/fp_verification_email.txt']
#TODO - change the name of verification_url to something forgot-password-ish
assert email_context['verification_url'] in message.get_payload(decode=True)
@ -204,7 +204,8 @@ def test_register_views(test_app):
## Verify step 1 of password-change works -- can see form to change password
template.clear_test_template_context()
response = test_app.get("%s?%s" % (path, get_params))
assert 'mediagoblin/auth/change_fp.html' in template.TEMPLATE_TEST_CONTEXT
assert 'mediagoblin/plugins/basic_auth/change_fp.html' in \
template.TEMPLATE_TEST_CONTEXT
## Verify step 2.1 of password-change works -- report success to user
template.clear_test_template_context()

42
mediagoblin/tests/test_basic_auth.py
View File

@ -13,7 +13,12 @@
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import urlparse
from mediagoblin.db.models import User
from mediagoblin.plugins.basic_auth import tools as auth_tools
from mediagoblin.tests.tools import fixture_add_user
from mediagoblin.tools import template
from mediagoblin.tools.testing import _activate_testing
_activate_testing()
@ -57,3 +62,40 @@ def test_bcrypt_gen_password_hash():
pw, hashed_pw, '3><7R45417')
assert not auth_tools.bcrypt_check_password(
'notthepassword', hashed_pw, '3><7R45417')
def test_change_password(test_app):
"""Test changing password correctly and incorrectly"""
test_user = fixture_add_user(password=u'toast')
test_app.post(
'/auth/login/', {
'username': u'chris',
'password': u'toast'})
# test that the password can be changed
res = test_app.post(
'/edit/password/', {
'old_password': 'toast',
'new_password': '123456',
})
res.follow()
# Did we redirect to the correct page?
assert urlparse.urlsplit(res.location)[2] == '/edit/account/'
# test_user has to be fetched again in order to have the current values
test_user = User.query.filter_by(username=u'chris').first()
assert auth_tools.bcrypt_check_password('123456', test_user.pw_hash)
# test that the password cannot be changed if the given
# old_password is wrong
template.clear_test_template_context()
test_app.post(
'/edit/password/', {
'old_password': 'toast',
'new_password': '098765',
})
test_user = User.query.filter_by(username=u'chris').first()
assert not auth_tools.bcrypt_check_password('098765', test_user.pw_hash)

35
mediagoblin/tests/test_edit.py
View File

@ -56,41 +56,6 @@ class TestUserEdit(object):
self.login(test_app)
def test_change_password(self, test_app):
"""Test changing password correctly and incorrectly"""
self.login(test_app)
# test that the password can be changed
template.clear_test_template_context()
res = test_app.post(
'/edit/password/', {
'old_password': 'toast',
'new_password': '123456',
})
res.follow()
# Did we redirect to the correct page?
assert urlparse.urlsplit(res.location)[2] == '/edit/account/'
# test_user has to be fetched again in order to have the current values
test_user = User.query.filter_by(username=u'chris').first()
assert auth.check_password('123456', test_user.pw_hash)
# Update current user passwd
self.user_password = '123456'
# test that the password cannot be changed if the given
# old_password is wrong
template.clear_test_template_context()
test_app.post(
'/edit/password/', {
'old_password': 'toast',
'new_password': '098765',
})
test_user = User.query.filter_by(username=u'chris').first()
assert not auth.check_password('098765', test_user.pw_hash)
def test_change_bio_url(self, test_app):
"""Test changing bio and URL"""
self.login(test_app)

1
mediagoblin/tests/test_openid.py
View File

@ -29,6 +29,7 @@ from mediagoblin.plugins.openid.models import OpenIDUserURL
from mediagoblin.tests.tools import get_app, fixture_add_user
from mediagoblin.tools import template
# App with plugin enabled
@pytest.fixture()
def openid_plugin_app(request):