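    def test_new_password(self):
        """Verify the recovery view ("reset" mode) accepts a valid new password.

        The confirmation matches the new password and the new password differs
        from the current one, so the view is expected to replace the user's
        password and record the action in ``ActionLog``.

        Asserts:
            * the followed response ends with HTTP 200;
            * exactly one ``ActionLog`` row exists, with category 1 and status 200;
            * ``self.user`` authenticates with the new password afterwards.
        """
        # Reset URL for the fixture user: encoded user id plus a token issued
        # for that same user (``tokens.make_token`` is project code, not shown).
        url_params = {
            'user_id': b64(force_str(self.user.id)),
            'token': tokens.make_token(self.user),
        }
        new_password = 'asdfgh123'
        # NOTE(review): the 'password' literal appears masked in this listing;
        # confirm it equals the 'repeat' value in the real source.
        response = self.client.post(
            reverse_lazy('accounts:reset', kwargs=url_params),
            data={'password': '******', 'repeat': new_password},
            follow=True,
        )

        # Category 1 is read by this suite as "account control"; the stored
        # status must mirror the HTTP status. count() avoids loading every row
        # just to measure the table, and latest() is fetched once, not twice.
        self.assertEqual(response.status_code, 200)
        self.assertEqual(ActionLog.objects.count(), 1)
        logged = ActionLog.objects.latest('action_date')
        self.assertEqual(logged.category, 1)
        self.assertEqual(logged.status, 200)

        # Reload: the in-memory fixture still carries the old password hash.
        self.user.refresh_from_db()
        self.assertTrue(self.user.check_password(new_password))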
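    def test_tampered_POST(self):
        """Verify the recovery view ("reset" mode) rejects a forged user/token pair.

        The URL carries an encoded id and a token built for a ``User`` object
        that was never saved, standing in for a request altered to target an
        account other than the one the reset was issued for. The view must
        refuse with HTTP 403 and log the attempt.

        Asserts:
            * the followed response ends with HTTP 403;
            * exactly one ``ActionLog`` row exists, with category 1 and status 403.
        """
        # Unsaved user with an arbitrary primary key. Assumes 3 is not
        # self.user's id - the fixture is set up outside this method.
        # NOTE(review): the e-mail literal appears masked in this listing.
        other = User(email_address='*****@*****.**')
        other.set_password('asdfg123')
        other.id = 3

        url_params = {
            'user_id': b64(force_str(other.id)),
            'token': tokens.make_token(other),
        }
        # No form data is posted: the property under test is the user/token
        # binding, which the view presumably checks before any password field.
        response = self.client.post(
            reverse_lazy('accounts:reset', kwargs=url_params),
            follow=True,
        )

        # Blocked requests are logged as well, with the 403 mirrored in the row.
        self.assertEqual(response.status_code, 403)
        self.assertEqual(ActionLog.objects.count(), 1)
        logged = ActionLog.objects.latest('action_date')
        self.assertEqual(logged.category, 1)
        self.assertEqual(logged.status, 403)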
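    def test_same_password(self):
        """Verify the recovery view ("reset" mode) refuses to reuse the current password.

        The confirmation matches the submitted password, but that password is
        the user's current one. The view is expected to reject the request with
        HTTP 401 and record the attempt in ``ActionLog``.

        Asserts:
            * the followed response ends with HTTP 401;
            * exactly one ``ActionLog`` row exists, with category 1 and status 401.
        """
        # Reset URL for the fixture user: encoded user id plus a token issued
        # for that same user (``tokens.make_token`` is project code, not shown).
        url_params = {
            'user_id': b64(force_str(self.user.id)),
            'token': tokens.make_token(self.user),
        }
        # 'asdfg123' is assumed to be self.user's current password - the
        # fixture is set up outside this method.
        # NOTE(review): the 'password' literal appears masked in this listing;
        # confirm it equals the 'repeat' value in the real source.
        response = self.client.post(
            reverse_lazy('accounts:reset', kwargs=url_params),
            data={'password': '******', 'repeat': 'asdfg123'},
            follow=True,
        )

        # Rejected attempts are logged with the 401 mirrored in the row;
        # count() and a single latest() lookup keep the query count low.
        self.assertEqual(response.status_code, 401)
        self.assertEqual(ActionLog.objects.count(), 1)
        logged = ActionLog.objects.latest('action_date')
        self.assertEqual(logged.category, 1)
        self.assertEqual(logged.status, 401)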
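    def test_wrong_passwords(self):
        """Verify the recovery view ("reset" mode) rejects a mismatched confirmation.

        The confirmation does not match the submitted password, so the view is
        expected to leave the password untouched, answer HTTP 401 and record the
        attempt in ``ActionLog``.

        Asserts:
            * the followed response ends with HTTP 401;
            * exactly one ``ActionLog`` row exists, with category 1 and status 401.
        """
        # Reset URL for the fixture user: encoded user id plus a token issued
        # for that same user (``tokens.make_token`` is project code, not shown).
        url_params = {
            'user_id': b64(force_str(self.user.id)),
            'token': tokens.make_token(self.user),
        }
        # The two password fields deliberately differ.
        # NOTE(review): the 'password' literal appears masked in this listing;
        # confirm it differs from the 'repeat' value in the real source.
        response = self.client.post(
            reverse_lazy('accounts:reset', kwargs=url_params),
            data={'password': '******', 'repeat': 'asdfgh124'},
            follow=True,
        )

        # Rejected attempts are logged with the 401 mirrored in the row;
        # count() and a single latest() lookup keep the query count low.
        self.assertEqual(response.status_code, 401)
        self.assertEqual(ActionLog.objects.count(), 1)
        logged = ActionLog.objects.latest('action_date')
        self.assertEqual(logged.category, 1)
        self.assertEqual(logged.status, 401)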