def test_get_anonymous(self):
response = self.client.get(reverse("account_password"))
self.assertRedirects(
response,
reverse("account_password_reset"),
fetch_redirect_response=False
)
def test_post_required(self):
email_confirmation = self.signup()
response = self.client.post(reverse("account_confirm_email", kwargs={"key": email_confirmation.key}), {})
self.assertRedirects(
response,
reverse(settings.ACCOUNT_EMAIL_CONFIRMATION_ANONYMOUS_REDIRECT_URL),
fetch_redirect_response=False
)
def test_post_required(self):
email_confirmation = self.signup()
response = self.client.post(
reverse("account_confirm_email",
kwargs={"key": email_confirmation.key}), {})
self.assertRedirects(
response,
reverse(
settings.ACCOUNT_EMAIL_CONFIRMATION_ANONYMOUS_REDIRECT_URL),
fetch_redirect_response=False)
def test_post_authenticated_success_no_mail(self):
self.signup()
data = {
"password_current": "bar",
"password_new": "new-bar",
"password_new_confirm": "new-bar",
}
response = self.client.post(reverse("account_password"), data)
self.assertRedirects(
response,
reverse(settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL),
fetch_redirect_response=False)
self.assertEqual(len(mail.outbox), 0)
def test_post_authenticated_success_no_mail(self):
self.signup()
data = {
"password_current": "bar",
"password_new": "new-bar",
"password_new_confirm": "new-bar",
}
response = self.client.post(reverse("account_password"), data)
self.assertRedirects(
response,
reverse(settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL),
fetch_redirect_response=False
)
self.assertEqual(len(mail.outbox), 0)
def test_post_authenticated_success(self):
user = self.signup()
data = {
"password_current": "bar",
"password_new": "new-bar",
"password_new_confirm": "new-bar",
}
response = self.client.post(reverse("account_password"), data)
self.assertRedirects(
response,
reverse(settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL),
fetch_redirect_response=False)
updated_user = User.objects.get(username=user.username)
self.assertNotEqual(user.password, updated_user.password)
self.assertEqual(len(mail.outbox), 1)
def test_post_anonymous(self):
response = self.client.post(reverse("account_logout"), {})
self.assertRedirects(
response,
settings.ACCOUNT_LOGOUT_REDIRECT_URL,
fetch_redirect_response=False
)
def test_post_authenticated_success(self):
user = self.signup()
data = {
"password_current": "bar",
"password_new": "new-bar",
"password_new_confirm": "new-bar",
}
response = self.client.post(reverse("account_password"), data)
self.assertRedirects(
response,
reverse(settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL),
fetch_redirect_response=False
)
updated_user = User.objects.get(username=user.username)
self.assertNotEqual(user.password, updated_user.password)
self.assertEqual(len(mail.outbox), 1)
def default_redirect(request, fallback_url, **kwargs):
redirect_field_name = kwargs.get("redirect_field_name", "next")
next_url = request.POST.get(redirect_field_name,
request.GET.get(redirect_field_name))
if not next_url:
# try the session if available
if hasattr(request, "session"):
session_key_value = kwargs.get("session_key_value", "redirect_to")
if session_key_value in request.session:
next_url = request.session[session_key_value]
del request.session[session_key_value]
is_safe = functools.partial(
ensure_safe_url,
allowed_protocols=kwargs.get("allowed_protocols"),
allowed_host=request.get_host())
if next_url and is_safe(next_url):
return next_url
else:
try:
fallback_url = reverse(fallback_url)
except NoReverseMatch:
if callable(fallback_url):
raise
if "/" not in fallback_url and "." not in fallback_url:
raise
# assert the fallback URL is safe to return to caller. if it is
# determined unsafe then raise an exception as the fallback value comes
# from the a source the developer choose.
is_safe(fallback_url, raise_on_fail=True)
return fallback_url
def process_request(self, request):
if is_authenticated(request.user) and not request.user.is_staff:
next_url = resolve(request.path).url_name
# Authenticated users must be allowed to access
# "change password" page and "log out" page.
# even if password is expired.
if next_url not in [settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL,
settings.ACCOUNT_LOGOUT_URL,
]:
if check_password_expired(request.user):
signals.password_expired.send(sender=self, user=request.user)
messages.add_message(
request,
messages.WARNING,
_("Your password has expired. Please save a new password.")
)
redirect_field_name = REDIRECT_FIELD_NAME
change_password_url = reverse(settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL)
url_bits = list(urlparse(change_password_url))
querystring = QueryDict(url_bits[4], mutable=True)
querystring[redirect_field_name] = next_url
url_bits[4] = querystring.urlencode(safe="/")
return HttpResponseRedirect(urlunparse(url_bits))
def process_request(self, request):
if is_authenticated(request.user) and not request.user.is_staff:
next_url = resolve(request.path).url_name
# Authenticated users must be allowed to access
# "change password" page and "log out" page.
# even if password is expired.
if next_url not in [
settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL,
settings.ACCOUNT_LOGOUT_URL,
]:
if check_password_expired(request.user):
signals.password_expired.send(sender=self,
user=request.user)
messages.add_message(
request, messages.WARNING,
_("Your password has expired. Please save a new password."
))
redirect_field_name = REDIRECT_FIELD_NAME
change_password_url = reverse(
settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL)
url_bits = list(urlparse(change_password_url))
querystring = QueryDict(url_bits[4], mutable=True)
querystring[redirect_field_name] = next_url
url_bits[4] = querystring.urlencode(safe="/")
return HttpResponseRedirect(urlunparse(url_bits))
def test_get_authenticated(self):
User.objects.create_user("foo", password="******")
self.client.login(username="******", password="******")
with self.settings(ACCOUNT_LOGIN_REDIRECT_URL="/logged-in/"):
response = self.client.get(reverse("account_signup"))
self.assertRedirects(response, "/logged-in/", fetch_redirect_response=False)
def default_redirect(request, fallback_url, **kwargs):
redirect_field_name = kwargs.get("redirect_field_name", "next")
next_url = request.POST.get(redirect_field_name, request.GET.get(redirect_field_name))
if not next_url:
# try the session if available
if hasattr(request, "session"):
session_key_value = kwargs.get("session_key_value", "redirect_to")
if session_key_value in request.session:
next_url = request.session[session_key_value]
del request.session[session_key_value]
is_safe = functools.partial(
ensure_safe_url,
allowed_protocols=kwargs.get("allowed_protocols"),
allowed_host=request.get_host()
)
if next_url and is_safe(next_url):
return next_url
else:
try:
fallback_url = reverse(fallback_url)
except NoReverseMatch:
if callable(fallback_url):
raise
if "/" not in fallback_url and "." not in fallback_url:
raise
# assert the fallback URL is safe to return to caller. if it is
# determined unsafe then raise an exception as the fallback value comes
# from the a source the developer choose.
is_safe(fallback_url, raise_on_fail=True)
return fallback_url
def test_post_anonymous(self):
data = {
"password_current": "password",
"password_new": "new-password",
"password_new_confirm": "new-password",
}
response = self.client.post(reverse("account_password"), data)
self.assertEqual(response.status_code, 403)
def test_get_bad_user(self):
url = reverse("account_password_reset_token",
kwargs={
"uidb36": int_to_base36(100),
"token": "notoken",
})
response = self.client.get(url)
self.assertEqual(response.status_code, 404)
def test_post_auto_login(self):
email_confirmation = self.signup()
response = self.client.post(reverse("account_confirm_email", kwargs={"key": email_confirmation.key}), {})
self.assertRedirects(
response,
settings.ACCOUNT_EMAIL_CONFIRMATION_AUTHENTICATED_REDIRECT_URL,
fetch_redirect_response=False
)
def request_password_reset(self):
user = self.signup()
data = {
"email": user.email,
}
self.client.post(reverse("account_password_reset"), data)
parsed = urlparse(mail.outbox[0].body.strip())
return user, parsed.path
def test_post_not_required(self):
email_confirmation = self.signup()
response = self.client.post(reverse("account_confirm_email", kwargs={"key": email_confirmation.key}), {})
self.assertRedirects(
response,
settings.ACCOUNT_LOGIN_REDIRECT_URL,
fetch_redirect_response=False
)
def test_post_authenticated(self):
self.signup()
response = self.client.post(reverse("account_logout"), {})
self.assertRedirects(
response,
settings.ACCOUNT_LOGOUT_REDIRECT_URL,
fetch_redirect_response=False
)
def test_post_not_required(self):
email_confirmation = self.signup()
response = self.client.post(
reverse("account_confirm_email",
kwargs={"key": email_confirmation.key}), {})
self.assertRedirects(response,
settings.ACCOUNT_LOGIN_REDIRECT_URL,
fetch_redirect_response=False)
def request_password_reset(self):
user = self.signup()
data = {
"email": user.email,
}
self.client.post(reverse("account_password_reset"), data)
parsed = urlparse(mail.outbox[0].body.strip())
return user, parsed.path
def test_post_anonymous(self):
data = {
"password_current": "password",
"password_new": "new-password",
"password_new_confirm": "new-password",
}
response = self.client.post(reverse("account_password"), data)
self.assertEqual(response.status_code, 403)
def test_post(self):
data = {
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
}
response = self.client.post(reverse("account_signup"), data)
self.assertEqual(response.status_code, 302)
def signup(self):
data = {
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
"code": "abc123",
}
self.client.post(reverse("account_signup"), data)
def test_get_good_key(self):
email_confirmation = self.signup()
response = self.client.get(
reverse("account_confirm_email",
kwargs={"key": email_confirmation.key}))
self.assertEqual(response.status_code, 200)
self.assertEqual(response.template_name,
["account/email_confirm.html"])
def test_invitation_get_regular(self):
url = reverse(AccountAppConf.INVITE_USER_URL)
u = User.objects.create(username="******", is_active=True)
u.set_password(self.PASSWORD)
u.save()
self.client.login(username=u.username, password=self.PASSWORD)
with self.settings(ACCOUNT_INVITE_USER_STAFF_ONLY=True):
resp = self.client.get(url)
self.assertEqual(resp.status_code, 302)
self.assertRedirects(resp, '{}?next={}'.format(reverse('admin:login'), url))
with self.settings(ACCOUNT_INVITE_USER_STAFF_ONLY=False):
self.client.login(username=u.username, password=self.PASSWORD)
resp = self.client.get(url)
self.assertEqual(resp.status_code, 200)
self.assertEqual(resp.template_name, ['account/invite_user.html'])
def test_post(self):
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
}
response = self.client.post(reverse("account_signup"), data)
self.assertEqual(response.status_code, 302)
def signup(self):
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
"code": "abc123",
}
self.client.post(reverse("account_signup"), data)
def test_post_auto_login(self):
email_confirmation = self.signup()
response = self.client.post(
reverse("account_confirm_email",
kwargs={"key": email_confirmation.key}), {})
self.assertRedirects(
response,
settings.ACCOUNT_EMAIL_CONFIRMATION_AUTHENTICATED_REDIRECT_URL,
fetch_redirect_response=False)
def test_invitation_get_regular(self):
url = reverse(AccountAppConf.INVITE_USER_URL)
u = User.objects.create(username="******", is_active=True)
u.set_password(self.PASSWORD)
u.save()
self.client.login(username=u.username, password=self.PASSWORD)
with self.settings(ACCOUNT_INVITE_USER_STAFF_ONLY=True):
resp = self.client.get(url)
self.assertEqual(resp.status_code, 302)
self.assertRedirects(
resp, '{}?next={}'.format(reverse('admin:login'), url))
with self.settings(ACCOUNT_INVITE_USER_STAFF_ONLY=False):
self.client.login(username=u.username, password=self.PASSWORD)
resp = self.client.get(url)
self.assertEqual(resp.status_code, 200)
self.assertEqual(resp.template_name, ['account/invite_user.html'])
def test_invitation_get_staff(self):
url = reverse(AccountAppConf.INVITE_USER_URL)
u = User.objects.create(username="******", is_active=True, is_staff=True)
u.set_password(self.PASSWORD)
u.save()
self.client.login(username=u.username, password=self.PASSWORD)
resp = self.client.get(url)
self.assertEqual(resp.status_code, 200)
self.assertEqual(resp.template_name, ['account/invite_user.html'])
def test_get_authenticated(self):
User.objects.create_user("foo", password="******")
self.client.login(username="******", password="******")
with self.settings(ACCOUNT_LOGIN_REDIRECT_URL="/logged-in/"):
response = self.client.get(reverse("account_signup"))
self.assertRedirects(response,
"/logged-in/",
fetch_redirect_response=False)
def test_invitation_get_staff(self):
url = reverse(AccountAppConf.INVITE_USER_URL)
u = User.objects.create(username="******", is_active=True, is_staff=True)
u.set_password(self.PASSWORD)
u.save()
self.client.login(username=u.username, password=self.PASSWORD)
resp = self.client.get(url)
self.assertEqual(resp.status_code, 200)
self.assertEqual(resp.template_name, ['account/invite_user.html'])
def test_invitation_post(self):
url = reverse(AccountAppConf.INVITE_USER_URL)
u = User.objects.create(username="******", is_active=True, is_staff=True)
u.set_password(self.PASSWORD)
u.save()
self.client.login(username=u.username, password=self.PASSWORD)
data = {'email': '*****@*****.**'}
resp = self.client.post(url, data)
self.assertRedirects(resp, url)
q = SignupCode.objects.filter(email=data['email'])
self.assertEqual(q.count(), 1)
code = q.get().code
registration_url = '{}?code={}'.format(reverse("account_signup"), code)
self.client.logout()
reg = self.client.get(registration_url)
self.assertEqual(reg.status_code, 200)
self.assertEqual(reg.template_name, ['account/signup.html'])
def signup(self):
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
"code": "abc123",
}
self.client.post(reverse("account_signup"), data)
return EmailConfirmation.objects.get()
def test_post_success(self):
self.signup()
data = {
"username": "******",
"password": "******",
}
response = self.client.post(reverse("account_login"), data)
self.assertRedirects(response,
settings.ACCOUNT_LOGIN_REDIRECT_URL,
fetch_redirect_response=False)
def test_get_reset(self):
user, url = self.request_password_reset()
response = self.client.get(url)
self.assertRedirects(response,
reverse("account_password_reset_token",
kwargs={
"uidb36": int_to_base36(user.id),
"token": INTERNAL_RESET_URL_TOKEN,
}),
fetch_redirect_response=False)
def test_get_bad_user(self):
url = reverse(
"account_password_reset_token",
kwargs={
"uidb36": int_to_base36(100),
"token": "notoken",
}
)
response = self.client.get(url)
self.assertEqual(response.status_code, 404)
def test_invitation_post(self):
url = reverse(AccountAppConf.INVITE_USER_URL)
u = User.objects.create(username="******", is_active=True, is_staff=True)
u.set_password(self.PASSWORD)
u.save()
self.client.login(username=u.username, password=self.PASSWORD)
data = {'email': '*****@*****.**'}
resp = self.client.post(url, data)
self.assertRedirects(resp, url)
q = SignupCode.objects.filter(email=data['email'])
self.assertEqual(q.count(), 1)
code = q.get().code
registration_url = '{}?code={}'.format(reverse("account_signup"), code)
self.client.logout()
reg = self.client.get(registration_url)
self.assertEqual(reg.status_code, 200)
self.assertEqual(reg.template_name, ['account/signup.html'])
def test_get_not_expired(self):
"""
Ensure authenticated user can retrieve account settings page
without "password change" redirect.
"""
self.client.login(username=self.username, password=self.password)
# get account settings page (could be any application page)
response = self.client.get(reverse("account_settings"))
self.assertEquals(response.status_code, 200)
def test_get_next_url(self):
next_url = "/next-url/"
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
}
response = self.client.post("{}?next={}".format(reverse("account_signup"), next_url), data)
self.assertRedirects(response, next_url, fetch_redirect_response=False)
def test_closed(self):
with self.settings(ACCOUNT_OPEN_SIGNUP=False):
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
}
response = self.client.post(reverse("account_signup"), data)
self.assertEqual(response.status_code, 200)
self.assertEqual(response.template_name, "account/signup_closed.html")
def signup(self):
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
"code": "abc123",
}
self.client.post(reverse("account_signup"), data)
mail.outbox = []
return User.objects.get(username="******")
def test_created_user(self):
data = {
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
}
self.client.post(reverse("account_signup"), data)
user = User.objects.get(email="*****@*****.**")
self.assertEqual(user.username, "*****@*****.**")
self.assertEqual(user.email, "*****@*****.**")
def test_get_no_history(self):
"""
Ensure authenticated user without password history can retrieve
account settings page without "password change" redirect.
"""
self.client.login(username=self.username, password=self.password)
with override_settings(ACCOUNT_PASSWORD_USE_HISTORY=True):
# get account settings page (could be any application page)
response = self.client.get(reverse("account_settings"))
self.assertEquals(response.status_code, 200)
def test_get_abuse_reset_token(self):
user = self.signup()
url = reverse("account_password_reset_token",
kwargs={
"uidb36": int_to_base36(user.id),
"token": INTERNAL_RESET_URL_TOKEN,
})
response = self.client.get(url)
self.assertEqual(response.status_code, 200)
self.assertTemplateUsed(response,
PasswordResetTokenView.template_name_fail)
def test_get_next_url(self):
next_url = "/next-url/"
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
}
response = self.client.post(
"{}?next={}".format(reverse("account_signup"), next_url), data)
self.assertRedirects(response, next_url, fetch_redirect_response=False)
def signup(self):
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
"code": "abc123",
}
self.client.post(reverse("account_signup"), data)
mail.outbox = []
return User.objects.get(username="******")
def test_get_expired(self):
"""
Ensure authenticated user is redirected to change password
when retrieving account settings page if password is expired.
"""
# set PasswordHistory timestamp in past so password is expired.
self.history.timestamp = datetime.datetime.now(
tz=pytz.UTC) - datetime.timedelta(days=1,
seconds=self.expiry.expiry)
self.history.save()
self.client.login(username=self.username, password=self.password)
# get account settings page (could be any application page)
url_name = "account_settings"
response = self.client.get(reverse(url_name))
# verify desired page is set as "?next=" in redirect URL
redirect_url = "{}?next={}".format(reverse("account_password"),
url_name)
self.assertRedirects(response, redirect_url)
def test_post_success(self):
self.signup()
data = {
"username": "******",
"password": "******",
}
response = self.client.post(reverse("account_login"), data)
self.assertRedirects(
response,
settings.ACCOUNT_LOGIN_REDIRECT_URL,
fetch_redirect_response=False
)
def test_closed(self):
with self.settings(ACCOUNT_OPEN_SIGNUP=False):
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
}
response = self.client.post(reverse("account_signup"), data)
self.assertEqual(response.status_code, 200)
self.assertEqual(response.template_name,
"account/signup_closed.html")
def test_get_abuse_reset_token(self):
user = self.signup()
url = reverse(
"account_password_reset_token",
kwargs={
"uidb36": int_to_base36(user.id),
"token": INTERNAL_RESET_URL_TOKEN,
}
)
response = self.client.get(url)
self.assertEqual(response.status_code, 200)
self.assertTemplateUsed(response,
PasswordResetTokenView.template_name_fail)
def test_post_reset(self):
user, url = self.request_password_reset()
response = self.client.get(url)
self.assertEqual(response.status_code, 302)
data = {
"password": "******",
"password_confirm": "new-password",
}
response = self.client.post(response["Location"], data)
self.assertRedirects(response,
reverse(
settings.ACCOUNT_PASSWORD_RESET_REDIRECT_URL),
fetch_redirect_response=False)
def test_valid_code(self):
signup_code = SignupCode.create()
signup_code.save()
with self.settings(ACCOUNT_OPEN_SIGNUP=False):
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
"code": signup_code.code,
}
response = self.client.post(reverse("account_signup"), data)
self.assertEqual(response.status_code, 302)
def test_valid_code(self):
signup_code = SignupCode.create()
signup_code.save()
with self.settings(ACCOUNT_OPEN_SIGNUP=False):
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
"code": signup_code.code,
}
response = self.client.post(reverse("account_signup"), data)
self.assertEqual(response.status_code, 302)
def test_session_next_url(self):
next_url = "/next-url/"
session = self.client.session
session["redirect_to"] = next_url
session.save()
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
}
response = self.client.post(reverse("account_signup"), data)
self.assertRedirects(response, next_url, fetch_redirect_response=False)
def test_post_authenticated(self):
User.objects.create_user("foo", password="******")
self.client.login(username="******", password="******")
with self.settings(ACCOUNT_LOGIN_REDIRECT_URL="/logged-in/"):
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
"code": "abc123",
}
response = self.client.post(reverse("account_signup"), data)
self.assertEqual(response.status_code, 404)
def test_get_reset(self):
user, url = self.request_password_reset()
response = self.client.get(url)
self.assertRedirects(
response,
reverse(
"account_password_reset_token",
kwargs={
"uidb36": int_to_base36(user.id),
"token": "set-password",
}
),
fetch_redirect_response=False
)
def test_post_reset(self):
user, url = self.request_password_reset()
response = self.client.get(url)
self.assertEqual(response.status_code, 302)
data = {
"password": "******",
"password_confirm": "new-password",
}
response = self.client.post(response["Location"], data)
self.assertRedirects(
response,
reverse(settings.ACCOUNT_PASSWORD_RESET_REDIRECT_URL),
fetch_redirect_response=False
)
def test_register_with_moderation(self):
signup_code = SignupCode.create()
signup_code.save()
with self.settings(ACCOUNT_OPEN_SIGNUP=True, ACCOUNT_APPROVAL_REQUIRED=True):
data = {
"username": "******",
"password": "******",
"password_confirm": "bar",
"email": "*****@*****.**",
"code": signup_code.code,
}
response = self.client.post(reverse("account_signup"), data)
self.assertEqual(response.status_code, 200)
self.assertFalse(self.client.session.get('_auth_user_id'))
u = User.objects.get(username=data['username'])
self.assertFalse(u.is_active)
