def test_request_password_change_invalid_user(self, create_inactive_account):
    """A reset request for a non-existent or inactive account sends no mail.

    Parameterised by ``create_inactive_account``: when true, an account is
    created for ``self.EMAIL`` but never activated; when false, no account
    exists at all. In both cases the request must leave ``mail.outbox``
    empty, so an unregistered or unactivated address cannot be used to
    trigger outbound email.
    """
    email = self.EMAIL
    if create_inactive_account:
        # Registered but not activated: the reset must still be refused
        account_api.create_account(self.USERNAME, self.PASSWORD, email)

    account_api.request_password_change(email, self.ORIG_HOST, self.IS_SECURE)

    # Neither an unknown nor an inactive account may produce a reset email
    self.assertEqual(len(mail.outbox), 0)
def password_change_request_handler(request):
    """Start a password reset for the account page by emailing a reset link.

    Delegates to the Account API, which sends the user a link to the
    password reset page. The confirmation step that follows is handled by
    student.views.password_reset_confirm_wrapper, a wrapper around Django's
    password reset confirmation view.

    When the request is authenticated the logged-in user's own email is
    used and any 'email' POST parameter is ignored, so a signed-in client
    cannot direct a reset at another address.

    Args:
        request (HttpRequest)

    Returns:
        HttpResponse: 200 if the email was sent successfully
        HttpResponse: 400 if there is no 'email' POST parameter, or if no
            user with the provided email exists
        HttpResponse: 403 if the client has been rate limited
        HttpResponse: 405 if using an unsupported HTTP method

    NOTE(review): the distinct 400 for an unknown address lets an
    unauthenticated caller learn whether an email is registered; only the
    bad-request rate limiter bounds that probing. A uniform response for
    known and unknown addresses would close the oracle, but the callers and
    tests relying on the current 400 contract would need to change with it.

    Example usage:
        POST /account/password
    """
    rate_limiter = BadRequestRateLimiter()
    if rate_limiter.is_rate_limit_exceeded(request):
        AUDIT_LOG.warning("Password reset rate limit exceeded")
        return HttpResponseForbidden()

    user = request.user
    if user.is_authenticated():
        # A signed-in user may only reset their own password
        email = user.email
    else:
        email = request.POST.get('email')

    if not email:
        return HttpResponseBadRequest("No email address provided.")

    try:
        account_api.request_password_change(email, request.get_host(), request.is_secure())
    except account_api.AccountUserNotFound:
        AUDIT_LOG.info("Invalid password reset attempt")
        # Unknown addresses count against the caller's bad-request budget
        rate_limiter.tick_bad_request_counter(request)
        return HttpResponseBadRequest("No active user with the provided email address exists.")

    return HttpResponse(status=200)
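def test_request_password_change(self):
    """A reset request for an active account sends exactly one email with a link.

    Creates and activates an account for ``self.EMAIL``, requests a password
    change for it, and checks that one message was sent whose body contains
    an http(s) URL. Only the presence of a URL is checked, not that it
    points at the reset confirmation path.
    """
    # Create and activate an account
    activation_key = account_api.create_account(self.USERNAME, self.PASSWORD, self.EMAIL)
    account_api.activate_account(activation_key)

    # Request a password change
    account_api.request_password_change(self.EMAIL, self.ORIG_HOST, self.IS_SECURE)

    # Verify that one email message has been sent
    self.assertEqual(len(mail.outbox), 1)

    # Verify that the body of the message contains something that looks
    # like a reset link. Raw string: a non-raw '\s' is an invalid escape
    # sequence that newer Python versions warn about (and may reject).
    email_body = mail.outbox[0].body
    result = re.search(r'(?P<url>https?://[^\s]+)', email_body)
    self.assertIsNotNone(result)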
def password_change_request_handler(request):
    """Email the user a password reset link, on behalf of the account page.

    The Account API sends the link to the password reset page; the
    confirmation step that follows is handled by
    student.views.password_reset_confirm_wrapper, a custom wrapper around
    Django's password reset confirmation view.

    For an authenticated request the logged-in user's email is used and the
    'email' POST parameter is not consulted, so a signed-in client cannot
    request a reset for a different address.

    Args:
        request (HttpRequest)

    Returns:
        HttpResponse: 200 if the email was sent successfully
        HttpResponse: 400 if there is no 'email' POST parameter, or if no
            user with the provided email exists
        HttpResponse: 403 if the client has been rate limited
        HttpResponse: 405 if using an unsupported HTTP method

    NOTE(review): answering an unknown address with its own 400 reveals
    whether an email is registered; the bad-request rate limiter is the
    only control on that probing. A response that does not distinguish
    known from unknown addresses would remove the oracle, at the cost of
    changing the 400 contract documented here.

    Example usage:
        POST /account/password
    """
    throttle = BadRequestRateLimiter()
    if throttle.is_rate_limit_exceeded(request):
        AUDIT_LOG.warning("Password reset rate limit exceeded")
        return HttpResponseForbidden()

    current_user = request.user
    # A signed-in user resets only their own account
    email = current_user.email if current_user.is_authenticated() else request.POST.get('email')
    if not email:
        return HttpResponseBadRequest("No email address provided.")

    try:
        account_api.request_password_change(email, request.get_host(), request.is_secure())
    except account_api.AccountUserNotFound:
        AUDIT_LOG.info("Invalid password reset attempt")
        # Count the miss so repeated probing trips the rate limit
        throttle.tick_bad_request_counter(request)
        return HttpResponseBadRequest("No active user with the provided email address exists.")

    return HttpResponse(status=200)