diff --git a/rhodecode/apps/login/tests/test_login.py b/rhodecode/apps/login/tests/test_login.py
--- a/rhodecode/apps/login/tests/test_login.py
+++ b/rhodecode/apps/login/tests/test_login.py
@@ -435,7 +435,7 @@ class TestLoginController(object):
 'If such email exists, a password reset link was sent to it.')
 # BAD KEY
- confirm_url = '{}?key={}'.format(route_path('reset_password_confirmation'), 'badkey')
+ confirm_url = route_path('reset_password_confirmation', params={'key': 'badkey'})
 response = self.app.get(confirm_url, status=302)
 assert response.location.endswith(route_path('reset_password'))
 assert_session_flash(response, 'Given reset token is invalid')
diff --git a/rhodecode/apps/login/views.py b/rhodecode/apps/login/views.py
--- a/rhodecode/apps/login/views.py
+++ b/rhodecode/apps/login/views.py
@@ -447,16 +447,14 @@ class LoginView(BaseAppView):
 return self._get_template_context(c, **template_context)
- @LoginRequired()
- @NotAnonymous()
 def password_reset_confirmation(self):
 self.load_default_context()
- if self.request.GET and self.request.GET.get('key'):
+
+ if key := self.request.GET.get('key'):
 # make this take 2s, to prevent brute forcing.
 time.sleep(2)
- token = AuthTokenModel().get_auth_token(
- self.request.GET.get('key'))
+ token = AuthTokenModel().get_auth_token(key)
 # verify token is the correct role
 if token is None or token.role != UserApiKeys.ROLE_PASSWORD_RESET:
diff --git a/rhodecode/tests/routes.py b/rhodecode/tests/routes.py
--- a/rhodecode/tests/routes.py
+++ b/rhodecode/tests/routes.py
@@ -106,6 +106,7 @@ def get_url_defs():
 + "/gists/{gist_id}/rev/{revision}/{format}/{f_path}",
 "login": ADMIN_PREFIX + "/login",
 "logout": ADMIN_PREFIX + "/logout",
+ "setup_2fa": ADMIN_PREFIX + "/setup_2fa",
 "check_2fa": ADMIN_PREFIX + "/check_2fa",
 "register": ADMIN_PREFIX + "/register",
 "reset_password": ADMIN_PREFIX + "/password_reset",
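Review bot: This test still exercises only the bad-key branch, and now that the same commit drops `@LoginRequired()`/`@NotAnonymous()` from the confirmation view, nothing here states that the endpoint must be reachable without a session — if those decorators were ever re-added, the request would be redirected to login and the `endswith(route_path('reset_password'))` assertion would fail in a way that looks unrelated to authorization. Assuming `self.app` is an unauthenticated client at this point (the test method starts outside the hunk, so I cannot confirm), add a comment above the request such as `# deliberately anonymous: a user resetting a forgotten password has no session`, and consider a companion case that a valid reset key is accepted without a login. Switching to `route_path(..., params=...)` is a good change in itself, since the key is now URL-encoded rather than interpolated.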
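Review bot: With the two decorators removed, the fixed `time.sleep(2)` under `if key := ...` is the only brute-force control left on what is now an anonymous endpoint, and a fixed delay only slows one sequential client: parallel requests are not throttled at all, and each one holds a worker for two seconds on any non-empty `key` before the lookup even runs, so the mitigation doubles as a cheap resource-exhaustion vector. Dropping `@LoginRequired()`/`@NotAnonymous()` itself looks correct — a user resetting a forgotten password has no session, so the old guards would have made the emailed link unusable — but a per-client or per-token attempt limit enforced before the sleep and before `AuthTokenModel().get_auth_token(key)` would be the real control. At minimum, replace the existing comment with `# NOTE: fixed delay only slows a single sequential client; it does not bound parallel anonymous attempts and ties up a worker for 2s per request — rate-limit upstream.` and confirm that `get_auth_token` or the code after the hunk rejects expired reset tokens, since only `token.role` is checked here. The walrus also raises the minimum interpreter to Python 3.8, which is fine only if the package already requires it. The method body continues past the end of the hunk.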