rhodecode-enterprise-ce Commit - r2592:0e0508de

my-account: security change, added select filed with email from extra emails while editing user profile, now adding extra emails required type password. Task

Bartłomiej Wołyńczyk -

r2592:0e0508de default

parent child

Collapse all files

rhodecode/apps/my_account/tests/test_my_account_edit.py

0 +12 -11

                         # ('extern_name', {'extern_name': None}),
                         ('active', {'active': False}),
                         ('active', {'active': True}),
-                        ('email', {'email': 'some@email.com'}),
+                        ('email', {'email': u'some@email.com'}),
                     ])
                 def test_my_account_update(self, name, attrs, user_util):
                     usr = user_util.create_user(password='qweqwe')
                     params.update({'password_confirmation': ''})
                     params.update({'new_password': ''})
-                    params.update({'extern_type': 'rhodecode'})
+                    params.update({'extern_type': u'rhodecode'})
-                    params.update({'extern_name': 'rhodecode'})
+                    params.update({'extern_name': u'rhodecode'})
                     params.update({'csrf_token': self.csrf_token})
                     params.update(attrs)
                     # my account page cannot set language param yet, only for admins
                     del params['language']
+                    if name == 'email':
+                        uem = user_util.create_additional_user_email(usr, attrs['email'])
+                        email_before = User.get(user_id).email
                     response = self.app.post(route_path('my_account_update'), params)
                     assert_session_flash(
                     params['language'] = updated_params['language']
                     if name == 'email':
-                        params['emails'] = [attrs['email']]
+                        params['emails'] = [attrs['email'], email_before]
                     if name == 'extern_type':
                         # cannot update this via form, expected value is original one
                         params['extern_type'] = "rhodecode"
                     assert params == updated_params
-                def test_my_account_update_err_email_exists(self):
+                def test_my_account_update_err_email_not_exists_in_emails(self):
                     self.log_user()
-                    new_email = 'test_regular@mail.com'  # already existing email
+                    new_email = 'test_regular@mail.com'  # not in emails
                     params = {
                         'username': 'test_admin',
                         'new_password': 'test12',
                     response = self.app.post(route_path('my_account_update'),
                                              params=params)
-                    response.mustcontain('This e-mail address is already taken')
+                    response.mustcontain('"test_regular@mail.com" is not one of test_admin@mail.com')
                 def test_my_account_update_bad_email_address(self):
                     self.log_user('test_regular2', 'test12')
                     response = self.app.post(route_path('my_account_update'),
                                              params=params)
-                    response.mustcontain('An email address must contain a single @')
+                    response.mustcontain('"newmail.pl" is not one of test_regular2@mail.com')
-                    msg = u'Username "%(username)s" already exists'
-                    msg = h.html_escape(msg % {'username': 'test_admin'})
-                    response.mustcontain(u"%s" % msg)

rhodecode/apps/my_account/tests/test_my_account_emails.py

0 +3 -19

             from rhodecode.model.db import User, UserEmailMap
             from rhodecode.tests import (
                 TestController, TEST_USER_ADMIN_LOGIN, TEST_USER_REGULAR_EMAIL,
-                assert_session_flash)
+                assert_session_flash, TEST_USER_REGULAR_PASS)
             from rhodecode.tests.fixture import Fixture
             fixture = Fixture()
                     response = self.app.get(route_path('my_account_emails'))
                     response.mustcontain('No additional emails specified')
-                def test_my_account_my_emails_add_existing_email(self):
-                    self.log_user()
-                    response = self.app.get(route_path('my_account_emails'))
-                    response.mustcontain('No additional emails specified')
-                    response = self.app.post(route_path('my_account_emails_add'),
-                                             {'new_email': TEST_USER_REGULAR_EMAIL,
-                                              'csrf_token': self.csrf_token})
-                    assert_session_flash(response, 'This e-mail address is already taken')
-                def test_my_account_my_emails_add_mising_email_in_form(self):
-                    self.log_user()
-                    response = self.app.get(route_path('my_account_emails'))
-                    response.mustcontain('No additional emails specified')
-                    response = self.app.post(route_path('my_account_emails_add'),
-                                             {'csrf_token': self.csrf_token})
-                    assert_session_flash(response, 'Please enter an email address')
                 def test_my_account_my_emails_add_remove(self):
                     self.log_user()
                     response = self.app.get(route_path('my_account_emails'))
                     response.mustcontain('No additional emails specified')
                     response = self.app.post(route_path('my_account_emails_add'),
-                                             {'new_email': 'foo@barz.com',
+                                             {'email': 'foo@barz.com',
+                                              'current_password': TEST_USER_REGULAR_PASS,
                                               'csrf_token': self.csrf_token})
                     response = self.app.get(route_path('my_account_emails'))

rhodecode/apps/my_account/views/my_account.py

0 +66 -61

@@ -232,40 +232,59 b' class MyAccountView(BaseAppView, DataGri'
232		232
233	c.user_email_map = UserEmailMap.query()\	233	c.user_email_map = UserEmailMap.query()\
234	.filter(UserEmailMap.user == c.user).all()	234	.filter(UserEmailMap.user == c.user).all()
		235
		236	schema = user_schema.AddEmailSchema().bind(
		237	username=c.user.username, user_emails=c.user.emails)
		238
		239	form = forms.RcForm(schema,
		240	action=h.route_path('my_account_emails_add'),
		241	buttons=(forms.buttons.save, forms.buttons.reset))
		242
		243	c.form = form
235	return self._get_template_context(c)	244	return self._get_template_context(c)
236		245
237	@LoginRequired()	246	@LoginRequired()
238	@NotAnonymous()	247	@NotAnonymous()
239	@CSRFRequired()	248	@CSRFRequired()
240	@view_config(	249	@view_config(
241	route_name='my_account_emails_add', request_method='POST')	250	route_name='my_account_emails_add', request_method='POST',
		251	renderer='rhodecode:templates/admin/my_account/my_account.mako')
242	def my_account_emails_add(self):	252	def my_account_emails_add(self):
243	_ = self.request.translate	253	_ = self.request.translate
244	c = self.load_default_context()	254	c = self.load_default_context()
		255	c.active = 'emails'
245		256
246	email = self.request.POST.get('new_email')	257	schema = user_schema.AddEmailSchema().bind(
		258	username=c.user.username, user_emails=c.user.emails)
247		259
		260	form = forms.RcForm(
		261	schema, action=h.route_path('my_account_emails_add'),
		262	buttons=(forms.buttons.save, forms.buttons.reset))
		263
		264	controls = self.request.POST.items()
248	try:	265	try:
249	form = UserExtraEmailForm(self.request.translate)()	266	valid_data = form.validate(controls)
250	data = form.to_python({'email': email})	267	UserModel().add_extra_email(c.user.user_id, valid_data['email'])
251	email = data['email']
252
253	UserModel().add_extra_email(c.user.user_id, email)
254	audit_logger.store_web(	268	audit_logger.store_web(
255	'user.edit.email.add', action_data={	269	'user.edit.email.add', action_data={
256	'data': {'email': email, 'user': 'self'}},	270	'data': {'email': valid_data['email'], 'user': 'self'}},
257	user=self._rhodecode_user,)	271	user=self._rhodecode_user,)
258
259	Session().commit()	272	Session().commit()
260	h.flash(_("Added new email address `%s` for user account") % email,
261	category='success')
262	except formencode.Invalid as error:	273	except formencode.Invalid as error:
263	h.flash(h.escape(error.error_dict['email']), category='error')	274	h.flash(h.escape(error.error_dict['email']), category='error')
		275	except forms.ValidationFailure as e:
		276	c.user_email_map = UserEmailMap.query() \
		277	.filter(UserEmailMap.user == c.user).all()
		278	c.form = e
		279	return self._get_template_context(c)
264	except Exception:	280	except Exception:
265	log.exception("Exception in ~~my_account_~~emails")	281	log.exception("Exception adding email")
266	h.flash(_('~~An e~~rror occurred during ~~email saving~~'),	282	h.flash(_('Error occurred during adding email'),
267	category='error')	283	category='error')
268	return HTTPFound(h.route_path('my_account_emails'))	284	else:
		285	h.flash(_("Successfully added email"), category='success')
		286
		287	raise HTTPFound(self.request.route_path('my_account_emails'))
269		288
270	@LoginRequired()	289	@LoginRequired()
271	@NotAnonymous()	290	@NotAnonymous()
@@ -414,22 +433,23 b' class MyAccountView(BaseAppView, DataGri'
414	def my_account_edit(self):	433	def my_account_edit(self):
415	c = self.load_default_context()	434	c = self.load_default_context()
416	c.active = 'profile_edit'	435	c.active = 'profile_edit'
417
418	c.perm_user = c.auth_user
419	c.extern_type = c.user.extern_type	436	c.extern_type = c.user.extern_type
420	c.extern_name = c.user.extern_name	437	c.extern_name = c.user.extern_name
421		438
422	defaults = c.user.get_dict()	439	schema = user_schema.UserProfileSchema().bind(
		440	username=c.user.username, user_emails=c.user.emails)
		441	appstruct = {
		442	'username': c.user.username,
		443	'email': c.user.email,
		444	'firstname': c.user.firstname,
		445	'lastname': c.user.lastname,
		446	}
		447	c.form = forms.RcForm(
		448	schema, appstruct=appstruct,
		449	action=h.route_path('my_account_update'),
		450	buttons=(forms.buttons.save, forms.buttons.reset))
423		451
424	data = render('rhodecode:templates/admin/my_account/my_account.mako',	452	return self._get_template_context(c)
425	self._get_template_context(c), self.request)
426	html = formencode.htmlfill.render(
427	data,
428	defaults=defaults,
429	encoding="UTF-8",
430	force_defaults=False
431	)
432	return Response(html)
433		453
434	@LoginRequired()	454	@LoginRequired()
435	@NotAnonymous()	455	@NotAnonymous()
@@ -442,55 +462,40 b' class MyAccountView(BaseAppView, DataGri'
442	_ = self.request.translate	462	_ = self.request.translate
443	c = self.load_default_context()	463	c = self.load_default_context()
444	c.active = 'profile_edit'	464	c.active = 'profile_edit'
445
446	c.perm_user = c.auth_user	465	c.perm_user = c.auth_user
447	c.extern_type = c.user.extern_type	466	c.extern_type = c.user.extern_type
448	c.extern_name = c.user.extern_name	467	c.extern_name = c.user.extern_name
449		468
450	_form = UserForm(self.request.translate, edit=True,	469	schema = user_schema.UserProfileSchema().bind(
451	old_data={'user_id': self._rhodecode_user.user_id,	470	username=c.user.username, user_emails=c.user.emails)
452	'email': self._rhodecode_user.email})()	471	form = forms.RcForm(
453	form_result = {}	472	schema, buttons=(forms.buttons.save, forms.buttons.reset))
		473
		474	controls = self.request.POST.items()
454	try:	475	try:
455	post_data = dict(self.request.POST)	476	valid_data = form.validate(controls)
456	post_data['new_password'] = ''
457	post_data['password_confirmation'] = ''
458	form_result = _form.to_python(post_data)
459	# skip updating those attrs for my account
460	skip_attrs = ['admin', 'active', 'extern_type', 'extern_name',	477	skip_attrs = ['admin', 'active', 'extern_type', 'extern_name',
461	'new_password', 'password_confirmation']	478	'new_password', 'password_confirmation']
462	# TODO: plugin should define if username can be updated
463	if c.extern_type != "rhodecode":	479	if c.extern_type != "rhodecode":
464	# forbid updating username for external accounts	480	# forbid updating username for external accounts
465	skip_attrs.append('username')	481	skip_attrs.append('username')
466		482	old_email = c.user.email
467	UserModel().update_user(	483	UserModel().update_user(
468	self._rhodecode_user.user_id, skip_attrs=skip_attrs,	484	self._rhodecode_user.user_id, skip_attrs=skip_attrs,
469	**~~form_result~~)	485	**valid_data)
470	h.flash(_('Your account was updated successfully'),	486	if old_email != valid_data['email']:
471	category='success')	487	old = UserEmailMap.query() \
		488	.filter(UserEmailMap.user == c.user).filter(UserEmailMap.email == valid_data['email']).first()
		489	old.email = old_email
		490	h.flash(_('Your account was updated successfully'), category='success')
472	Session().commit()	491	Session().commit()
473		492	except forms.ValidationFailure as e:
474	except formencode.Invalid as errors:	493	c.form = e
475	data = render(	494	return self._get_template_context(c)
476	'rhodecode:templates/admin/my_account/my_account.mako',
477	self._get_template_context(c), self.request)
478
479	html = formencode.htmlfill.render(
480	data,
481	defaults=errors.value,
482	errors=errors.error_dict or {},
483	prefix_error=False,
484	encoding="UTF-8",
485	force_defaults=False)
486	return Response(html)
487
488	except Exception:	495	except Exception:
489	log.exception("Exception updating user")	496	log.exception("Exception updating user")
490	h.flash(_('Error occurred during update of user %s')	497	h.flash(_('Error occurred during update of user'),
491	% ~~form_result~~.~~get~~(~~'username'~~), category='error')	498	category='error')
492	raise HTTPFound(h.route_path('my_account_profile'))
493
494	raise HTTPFound(h.route_path('my_account_profile'))	499	raise HTTPFound(h.route_path('my_account_profile'))
495		500
496	def _get_pull_requests_list(self, statuses):	501	def _get_pull_requests_list(self, statuses):

rhodecode/model/validation_schema/schemas/user_schema.py

0 +64 -1

@@ -22,10 +22,11 b' import re'
22	import colander	22	import colander
23		23
24	from rhodecode import forms	24	from rhodecode import forms
25	from rhodecode.model.db import User	25	from rhodecode.model.db import User, UserEmailMap
26	from rhodecode.model.validation_schema import types, validators	26	from rhodecode.model.validation_schema import types, validators
27	from rhodecode.translation import _	27	from rhodecode.translation import _
28	from rhodecode.lib.auth import check_password	28	from rhodecode.lib.auth import check_password
		29	from rhodecode.lib import helpers as h
29		30
30		31
31	@colander.deferred	32	@colander.deferred
@@ -40,6 +41,7 b' def deferred_user_password_validator(nod'
40	return _user_password_validator	41	return _user_password_validator
41		42
42		43
		44
43	class ChangePasswordSchema(colander.Schema):	45	class ChangePasswordSchema(colander.Schema):
44		46
45	current_password = colander.SchemaNode(	47	current_password = colander.SchemaNode(
@@ -123,3 +125,64 b' class UserSchema(colander.Schema):'
123		125
124	appstruct = super(UserSchema, self).deserialize(cstruct)	126	appstruct = super(UserSchema, self).deserialize(cstruct)
125	return appstruct	127	return appstruct
		128
		129
		130	@colander.deferred
		131	def deferred_user_email_in_emails_validator(node, kw):
		132	return colander.OneOf(kw.get('user_emails'))
		133
		134
		135	@colander.deferred
		136	def deferred_additional_email_validator(node, kw):
		137	emails = kw.get('user_emails')
		138
		139	def name_validator(node, value):
		140	if value in emails:
		141	msg = _('This e-mail address is already taken')
		142	raise colander.Invalid(node, msg)
		143	user = User.get_by_email(value, case_insensitive=True)
		144	if user:
		145	msg = _(u'This e-mail address is already taken')
		146	raise colander.Invalid(node, msg)
		147	c = colander.Email()
		148	return c(node, value)
		149	return name_validator
		150
		151
		152	@colander.deferred
		153	def deferred_user_email_in_emails_widget(node, kw):
		154	import deform.widget
		155	emails = [(email, email) for email in kw.get('user_emails')]
		156	return deform.widget.Select2Widget(values=emails)
		157
		158
		159	class UserProfileSchema(colander.Schema):
		160	username = colander.SchemaNode(
		161	colander.String(),
		162	validator=deferred_username_validator)
		163
		164	firstname = colander.SchemaNode(
		165	colander.String(), missing='', title='First name')
		166
		167	lastname = colander.SchemaNode(
		168	colander.String(), missing='', title='Last name')
		169
		170	email = colander.SchemaNode(
		171	colander.String(), widget=deferred_user_email_in_emails_widget,
		172	validator=deferred_user_email_in_emails_validator,
		173	description=h.literal(
		174	_('Additional emails can be specified at <a href="{}">extra emails</a> page.').format(
		175	'/_admin/my_account/emails')),
		176	)
		177
		178
		179	class AddEmailSchema(colander.Schema):
		180	current_password = colander.SchemaNode(
		181	colander.String(),
		182	missing=colander.required,
		183	widget=forms.widget.PasswordWidget(redisplay=True),
		184	validator=deferred_user_password_validator)
		185
		186	email = colander.SchemaNode(
		187	colander.String(), title='New Email',
		188	validator=deferred_additional_email_validator)

rhodecode/templates/admin/my_account/my_account_emails.mako

0 +1 -19

@@ -48,25 +48,7 b''
48	</div>	48	</div>
49		49
50	<div>	50	<div>
51	${h.secure_form(h.route_path('my_account_emails_add'), request=request)}	51	${c.form.render() \| n}
52	<div class="form">
53	<!-- fields -->
54	<div class="fields">
55	<div class="field">
56	<div class="label">
57	<label for="new_email">${_('New email address')}:</label>
58	</div>
59	<div class="input">
60	${h.text('new_email', class_='medium')}
61	</div>
62	</div>
63	<div class="buttons">
64	${h.submit('save',_('Add'),class_="btn")}
65	${h.reset('reset',_('Reset'),class_="btn")}
66	</div>
67	</div>
68	</div>
69	${h.end_form()}
70	</div>	52	</div>
71	</div>	53	</div>
72	</div>	54	</div>

rhodecode/templates/admin/my_account/my_account_profile_edit.mako

0 +5 -47

@@ -6,11 +6,10 b''
6	</div>	6	</div>
7		7
8	<div class="panel-body">	8	<div class="panel-body">
9	${h.secure_form(h.route_path('my_account_update'), class_='form', request=request)}
10	<% readonly = None %>	9	<% readonly = None %>
11	<% disabled = "" %>	10	<% disabled = "" %>
12		11
13	% if c.extern_type != 'rhodecode':	12	%if c.extern_type != 'rhodecode':
14	<% readonly = "readonly" %>	13	<% readonly = "readonly" %>
15	<% disabled = "disabled" %>	14	<% disabled = "disabled" %>
16	<div class="infoform">	15	<div class="infoform">
@@ -24,7 +23,7 b''
24	<label for="username">${_('Username')}:</label>	23	<label for="username">${_('Username')}:</label>
25	</div>	24	</div>
26	<div class="input">	25	<div class="input">
27	${h.text('username', class_='input-valuedisplay', readonly=readonly)}	26	${c.user.username}
28	</div>	27	</div>
29	</div>	28	</div>
30		29
@@ -33,7 +32,7 b''
33	<label for="name">${_('First Name')}:</label>	32	<label for="name">${_('First Name')}:</label>
34	</div>	33	</div>
35	<div class="input">	34	<div class="input">
36	${h.text('firstname', class_='input-valuedisplay', readonly=readonly)}	35	${c.user.firstname}
37	</div>	36	</div>
38	</div>	37	</div>
39		38
@@ -42,7 +41,7 b''
42	<label for="lastname">${_('Last Name')}:</label>	41	<label for="lastname">${_('Last Name')}:</label>
43	</div>	42	</div>
44	<div class="input-valuedisplay">	43	<div class="input-valuedisplay">
45	${h.text('lastname', class_='input-valuedisplay', readonly=readonly)}	44	${c.user.lastname}
46	</div>	45	</div>
47	</div>	46	</div>
48	</div>	47	</div>
@@ -64,48 +63,7 b''
64	%endif	63	%endif
65	</div>	64	</div>
66	</div>	65	</div>
67	<div class="field">	66	${c.form.render()\| n}
68	<div class="label">
69	<label for="username">${_('Username')}:</label>
70	</div>
71	<div class="input">
72	${h.text('username', class_='medium%s' % disabled, readonly=readonly)}
73	${h.hidden('extern_name', c.extern_name)}
74	${h.hidden('extern_type', c.extern_type)}
75	</div>
76	</div>
77	<div class="field">
78	<div class="label">
79	<label for="name">${_('First Name')}:</label>
80	</div>
81	<div class="input">
82	${h.text('firstname', class_="medium")}
83	</div>
84	</div>
85
86	<div class="field">
87	<div class="label">
88	<label for="lastname">${_('Last Name')}:</label>
89	</div>
90	<div class="input">
91	${h.text('lastname', class_="medium")}
92	</div>
93	</div>
94
95	<div class="field">
96	<div class="label">
97	<label for="email">${_('Email')}:</label>
98	</div>
99	<div class="input">
100	## we should be able to edit email !
101	${h.text('email', class_="medium")}
102	</div>
103	</div>
104
105	<div class="buttons">
106	${h.submit('save', _('Save'), class_="btn")}
107	${h.reset('reset', _('Reset'), class_="btn")}
108	</div>
109	</div>	67	</div>
110	</div>	68	</div>
111	% endif	69	% endif

rhodecode/tests/fixture.py

0 +8 -1

             import configobj
             from rhodecode.tests import *
-            from rhodecode.model.db import Repository, User, RepoGroup, UserGroup, Gist
+            from rhodecode.model.db import Repository, User, RepoGroup, UserGroup, Gist, UserEmailMap
             from rhodecode.model.meta import Session
             from rhodecode.model.repo import RepoModel
             from rhodecode.model.user import UserModel
                     UserModel().delete(userid)
                     Session().commit()
+                def create_additional_user_email(self, user, email):
+                    uem = UserEmailMap()
+                    uem.user = user
+                    uem.email = email
+                    Session().add(uem)
+                    return uem
                 def destroy_users(self, userid_iter):
                     for user_id in userid_iter:
                         if User.get_by_username(user_id):

rhodecode/tests/plugin.py

0 +4 0

                         self.user_ids.append(user.user_id)
                     return user
+                def create_additional_user_email(self, user, email):
+                    uem = self.fixture.create_additional_user_email(user=user, email=email)
+                    return uem
                 def create_user_with_group(self):
                     user = self.create_user()
                     user_group = self.create_user_group(members=[user])

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages