def test_get_anonymous(self): response = self.client.get(reverse("account_password")) self.assertRedirects( response, reverse("account_password_reset"), fetch_redirect_response=False )
def test_post_required(self): email_confirmation = self.signup() response = self.client.post(reverse("account_confirm_email", kwargs={"key": email_confirmation.key}), {}) self.assertRedirects( response, reverse(settings.ACCOUNT_EMAIL_CONFIRMATION_ANONYMOUS_REDIRECT_URL), fetch_redirect_response=False )
def test_post_required(self): email_confirmation = self.signup() response = self.client.post( reverse("account_confirm_email", kwargs={"key": email_confirmation.key}), {}) self.assertRedirects( response, reverse( settings.ACCOUNT_EMAIL_CONFIRMATION_ANONYMOUS_REDIRECT_URL), fetch_redirect_response=False)
def test_post_authenticated_success_no_mail(self): self.signup() data = { "password_current": "bar", "password_new": "new-bar", "password_new_confirm": "new-bar", } response = self.client.post(reverse("account_password"), data) self.assertRedirects( response, reverse(settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL), fetch_redirect_response=False) self.assertEqual(len(mail.outbox), 0)
def test_post_authenticated_success_no_mail(self): self.signup() data = { "password_current": "bar", "password_new": "new-bar", "password_new_confirm": "new-bar", } response = self.client.post(reverse("account_password"), data) self.assertRedirects( response, reverse(settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL), fetch_redirect_response=False ) self.assertEqual(len(mail.outbox), 0)
def test_post_authenticated_success(self): user = self.signup() data = { "password_current": "bar", "password_new": "new-bar", "password_new_confirm": "new-bar", } response = self.client.post(reverse("account_password"), data) self.assertRedirects( response, reverse(settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL), fetch_redirect_response=False) updated_user = User.objects.get(username=user.username) self.assertNotEqual(user.password, updated_user.password) self.assertEqual(len(mail.outbox), 1)
def test_post_anonymous(self): response = self.client.post(reverse("account_logout"), {}) self.assertRedirects( response, settings.ACCOUNT_LOGOUT_REDIRECT_URL, fetch_redirect_response=False )
def test_post_authenticated_success(self): user = self.signup() data = { "password_current": "bar", "password_new": "new-bar", "password_new_confirm": "new-bar", } response = self.client.post(reverse("account_password"), data) self.assertRedirects( response, reverse(settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL), fetch_redirect_response=False ) updated_user = User.objects.get(username=user.username) self.assertNotEqual(user.password, updated_user.password) self.assertEqual(len(mail.outbox), 1)
def default_redirect(request, fallback_url, **kwargs): redirect_field_name = kwargs.get("redirect_field_name", "next") next_url = request.POST.get(redirect_field_name, request.GET.get(redirect_field_name)) if not next_url: # try the session if available if hasattr(request, "session"): session_key_value = kwargs.get("session_key_value", "redirect_to") if session_key_value in request.session: next_url = request.session[session_key_value] del request.session[session_key_value] is_safe = functools.partial( ensure_safe_url, allowed_protocols=kwargs.get("allowed_protocols"), allowed_host=request.get_host()) if next_url and is_safe(next_url): return next_url else: try: fallback_url = reverse(fallback_url) except NoReverseMatch: if callable(fallback_url): raise if "/" not in fallback_url and "." not in fallback_url: raise # assert the fallback URL is safe to return to caller. if it is # determined unsafe then raise an exception as the fallback value comes # from the a source the developer choose. is_safe(fallback_url, raise_on_fail=True) return fallback_url
def process_request(self, request): if is_authenticated(request.user) and not request.user.is_staff: next_url = resolve(request.path).url_name # Authenticated users must be allowed to access # "change password" page and "log out" page. # even if password is expired. if next_url not in [settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL, settings.ACCOUNT_LOGOUT_URL, ]: if check_password_expired(request.user): signals.password_expired.send(sender=self, user=request.user) messages.add_message( request, messages.WARNING, _("Your password has expired. Please save a new password.") ) redirect_field_name = REDIRECT_FIELD_NAME change_password_url = reverse(settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL) url_bits = list(urlparse(change_password_url)) querystring = QueryDict(url_bits[4], mutable=True) querystring[redirect_field_name] = next_url url_bits[4] = querystring.urlencode(safe="/") return HttpResponseRedirect(urlunparse(url_bits))
def process_request(self, request): if is_authenticated(request.user) and not request.user.is_staff: next_url = resolve(request.path).url_name # Authenticated users must be allowed to access # "change password" page and "log out" page. # even if password is expired. if next_url not in [ settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL, settings.ACCOUNT_LOGOUT_URL, ]: if check_password_expired(request.user): signals.password_expired.send(sender=self, user=request.user) messages.add_message( request, messages.WARNING, _("Your password has expired. Please save a new password." )) redirect_field_name = REDIRECT_FIELD_NAME change_password_url = reverse( settings.ACCOUNT_PASSWORD_CHANGE_REDIRECT_URL) url_bits = list(urlparse(change_password_url)) querystring = QueryDict(url_bits[4], mutable=True) querystring[redirect_field_name] = next_url url_bits[4] = querystring.urlencode(safe="/") return HttpResponseRedirect(urlunparse(url_bits))
def test_get_authenticated(self): User.objects.create_user("foo", password="******") self.client.login(username="******", password="******") with self.settings(ACCOUNT_LOGIN_REDIRECT_URL="/logged-in/"): response = self.client.get(reverse("account_signup")) self.assertRedirects(response, "/logged-in/", fetch_redirect_response=False)
def default_redirect(request, fallback_url, **kwargs): redirect_field_name = kwargs.get("redirect_field_name", "next") next_url = request.POST.get(redirect_field_name, request.GET.get(redirect_field_name)) if not next_url: # try the session if available if hasattr(request, "session"): session_key_value = kwargs.get("session_key_value", "redirect_to") if session_key_value in request.session: next_url = request.session[session_key_value] del request.session[session_key_value] is_safe = functools.partial( ensure_safe_url, allowed_protocols=kwargs.get("allowed_protocols"), allowed_host=request.get_host() ) if next_url and is_safe(next_url): return next_url else: try: fallback_url = reverse(fallback_url) except NoReverseMatch: if callable(fallback_url): raise if "/" not in fallback_url and "." not in fallback_url: raise # assert the fallback URL is safe to return to caller. if it is # determined unsafe then raise an exception as the fallback value comes # from the a source the developer choose. is_safe(fallback_url, raise_on_fail=True) return fallback_url
def test_post_anonymous(self): data = { "password_current": "password", "password_new": "new-password", "password_new_confirm": "new-password", } response = self.client.post(reverse("account_password"), data) self.assertEqual(response.status_code, 403)
def test_get_bad_user(self): url = reverse("account_password_reset_token", kwargs={ "uidb36": int_to_base36(100), "token": "notoken", }) response = self.client.get(url) self.assertEqual(response.status_code, 404)
def test_post_auto_login(self): email_confirmation = self.signup() response = self.client.post(reverse("account_confirm_email", kwargs={"key": email_confirmation.key}), {}) self.assertRedirects( response, settings.ACCOUNT_EMAIL_CONFIRMATION_AUTHENTICATED_REDIRECT_URL, fetch_redirect_response=False )
def request_password_reset(self): user = self.signup() data = { "email": user.email, } self.client.post(reverse("account_password_reset"), data) parsed = urlparse(mail.outbox[0].body.strip()) return user, parsed.path
def test_post_not_required(self): email_confirmation = self.signup() response = self.client.post(reverse("account_confirm_email", kwargs={"key": email_confirmation.key}), {}) self.assertRedirects( response, settings.ACCOUNT_LOGIN_REDIRECT_URL, fetch_redirect_response=False )
def test_post_authenticated(self): self.signup() response = self.client.post(reverse("account_logout"), {}) self.assertRedirects( response, settings.ACCOUNT_LOGOUT_REDIRECT_URL, fetch_redirect_response=False )
def test_post_not_required(self): email_confirmation = self.signup() response = self.client.post( reverse("account_confirm_email", kwargs={"key": email_confirmation.key}), {}) self.assertRedirects(response, settings.ACCOUNT_LOGIN_REDIRECT_URL, fetch_redirect_response=False)
def test_post(self): data = { "password": "******", "password_confirm": "bar", "email": "*****@*****.**", } response = self.client.post(reverse("account_signup"), data) self.assertEqual(response.status_code, 302)
def signup(self): data = { "password": "******", "password_confirm": "bar", "email": "*****@*****.**", "code": "abc123", } self.client.post(reverse("account_signup"), data)
def test_get_good_key(self): email_confirmation = self.signup() response = self.client.get( reverse("account_confirm_email", kwargs={"key": email_confirmation.key})) self.assertEqual(response.status_code, 200) self.assertEqual(response.template_name, ["account/email_confirm.html"])
def test_invitation_get_regular(self): url = reverse(AccountAppConf.INVITE_USER_URL) u = User.objects.create(username="******", is_active=True) u.set_password(self.PASSWORD) u.save() self.client.login(username=u.username, password=self.PASSWORD) with self.settings(ACCOUNT_INVITE_USER_STAFF_ONLY=True): resp = self.client.get(url) self.assertEqual(resp.status_code, 302) self.assertRedirects(resp, '{}?next={}'.format(reverse('admin:login'), url)) with self.settings(ACCOUNT_INVITE_USER_STAFF_ONLY=False): self.client.login(username=u.username, password=self.PASSWORD) resp = self.client.get(url) self.assertEqual(resp.status_code, 200) self.assertEqual(resp.template_name, ['account/invite_user.html'])
def test_post(self): data = { "username": "******", "password": "******", "password_confirm": "bar", "email": "*****@*****.**", } response = self.client.post(reverse("account_signup"), data) self.assertEqual(response.status_code, 302)
def signup(self): data = { "username": "******", "password": "******", "password_confirm": "bar", "email": "*****@*****.**", "code": "abc123", } self.client.post(reverse("account_signup"), data)
def test_post_auto_login(self): email_confirmation = self.signup() response = self.client.post( reverse("account_confirm_email", kwargs={"key": email_confirmation.key}), {}) self.assertRedirects( response, settings.ACCOUNT_EMAIL_CONFIRMATION_AUTHENTICATED_REDIRECT_URL, fetch_redirect_response=False)
def test_invitation_get_regular(self): url = reverse(AccountAppConf.INVITE_USER_URL) u = User.objects.create(username="******", is_active=True) u.set_password(self.PASSWORD) u.save() self.client.login(username=u.username, password=self.PASSWORD) with self.settings(ACCOUNT_INVITE_USER_STAFF_ONLY=True): resp = self.client.get(url) self.assertEqual(resp.status_code, 302) self.assertRedirects( resp, '{}?next={}'.format(reverse('admin:login'), url)) with self.settings(ACCOUNT_INVITE_USER_STAFF_ONLY=False): self.client.login(username=u.username, password=self.PASSWORD) resp = self.client.get(url) self.assertEqual(resp.status_code, 200) self.assertEqual(resp.template_name, ['account/invite_user.html'])
def test_invitation_get_staff(self): url = reverse(AccountAppConf.INVITE_USER_URL) u = User.objects.create(username="******", is_active=True, is_staff=True) u.set_password(self.PASSWORD) u.save() self.client.login(username=u.username, password=self.PASSWORD) resp = self.client.get(url) self.assertEqual(resp.status_code, 200) self.assertEqual(resp.template_name, ['account/invite_user.html'])
def test_invitation_post(self): url = reverse(AccountAppConf.INVITE_USER_URL) u = User.objects.create(username="******", is_active=True, is_staff=True) u.set_password(self.PASSWORD) u.save() self.client.login(username=u.username, password=self.PASSWORD) data = {'email': '*****@*****.**'} resp = self.client.post(url, data) self.assertRedirects(resp, url) q = SignupCode.objects.filter(email=data['email']) self.assertEqual(q.count(), 1) code = q.get().code registration_url = '{}?code={}'.format(reverse("account_signup"), code) self.client.logout() reg = self.client.get(registration_url) self.assertEqual(reg.status_code, 200) self.assertEqual(reg.template_name, ['account/signup.html'])
def signup(self): data = { "username": "******", "password": "******", "password_confirm": "bar", "email": "*****@*****.**", "code": "abc123", } self.client.post(reverse("account_signup"), data) return EmailConfirmation.objects.get()
def test_post_success(self): self.signup() data = { "username": "******", "password": "******", } response = self.client.post(reverse("account_login"), data) self.assertRedirects(response, settings.ACCOUNT_LOGIN_REDIRECT_URL, fetch_redirect_response=False)
def test_get_reset(self): user, url = self.request_password_reset() response = self.client.get(url) self.assertRedirects(response, reverse("account_password_reset_token", kwargs={ "uidb36": int_to_base36(user.id), "token": INTERNAL_RESET_URL_TOKEN, }), fetch_redirect_response=False)
def test_get_bad_user(self): url = reverse( "account_password_reset_token", kwargs={ "uidb36": int_to_base36(100), "token": "notoken", } ) response = self.client.get(url) self.assertEqual(response.status_code, 404)
def test_get_not_expired(self): """ Ensure authenticated user can retrieve account settings page without "password change" redirect. """ self.client.login(username=self.username, password=self.password) # get account settings page (could be any application page) response = self.client.get(reverse("account_settings")) self.assertEquals(response.status_code, 200)
def test_get_next_url(self): next_url = "/next-url/" data = { "username": "******", "password": "******", "password_confirm": "bar", "email": "*****@*****.**", } response = self.client.post("{}?next={}".format(reverse("account_signup"), next_url), data) self.assertRedirects(response, next_url, fetch_redirect_response=False)
def test_closed(self): with self.settings(ACCOUNT_OPEN_SIGNUP=False): data = { "username": "******", "password": "******", "password_confirm": "bar", "email": "*****@*****.**", } response = self.client.post(reverse("account_signup"), data) self.assertEqual(response.status_code, 200) self.assertEqual(response.template_name, "account/signup_closed.html")
def signup(self): data = { "username": "******", "password": "******", "password_confirm": "bar", "email": "*****@*****.**", "code": "abc123", } self.client.post(reverse("account_signup"), data) mail.outbox = [] return User.objects.get(username="******")
def test_created_user(self): data = { "password": "******", "password_confirm": "bar", "email": "*****@*****.**", } self.client.post(reverse("account_signup"), data) user = User.objects.get(email="*****@*****.**") self.assertEqual(user.username, "*****@*****.**") self.assertEqual(user.email, "*****@*****.**")
def test_get_no_history(self): """ Ensure authenticated user without password history can retrieve account settings page without "password change" redirect. """ self.client.login(username=self.username, password=self.password) with override_settings(ACCOUNT_PASSWORD_USE_HISTORY=True): # get account settings page (could be any application page) response = self.client.get(reverse("account_settings")) self.assertEquals(response.status_code, 200)
def test_get_abuse_reset_token(self): user = self.signup() url = reverse("account_password_reset_token", kwargs={ "uidb36": int_to_base36(user.id), "token": INTERNAL_RESET_URL_TOKEN, }) response = self.client.get(url) self.assertEqual(response.status_code, 200) self.assertTemplateUsed(response, PasswordResetTokenView.template_name_fail)
def test_get_next_url(self): next_url = "/next-url/" data = { "username": "******", "password": "******", "password_confirm": "bar", "email": "*****@*****.**", } response = self.client.post( "{}?next={}".format(reverse("account_signup"), next_url), data) self.assertRedirects(response, next_url, fetch_redirect_response=False)
def test_get_expired(self): """ Ensure authenticated user is redirected to change password when retrieving account settings page if password is expired. """ # set PasswordHistory timestamp in past so password is expired. self.history.timestamp = datetime.datetime.now( tz=pytz.UTC) - datetime.timedelta(days=1, seconds=self.expiry.expiry) self.history.save() self.client.login(username=self.username, password=self.password) # get account settings page (could be any application page) url_name = "account_settings" response = self.client.get(reverse(url_name)) # verify desired page is set as "?next=" in redirect URL redirect_url = "{}?next={}".format(reverse("account_password"), url_name) self.assertRedirects(response, redirect_url)
def test_post_success(self): self.signup() data = { "username": "******", "password": "******", } response = self.client.post(reverse("account_login"), data) self.assertRedirects( response, settings.ACCOUNT_LOGIN_REDIRECT_URL, fetch_redirect_response=False )
def test_get_abuse_reset_token(self): user = self.signup() url = reverse( "account_password_reset_token", kwargs={ "uidb36": int_to_base36(user.id), "token": INTERNAL_RESET_URL_TOKEN, } ) response = self.client.get(url) self.assertEqual(response.status_code, 200) self.assertTemplateUsed(response, PasswordResetTokenView.template_name_fail)
def test_post_reset(self): user, url = self.request_password_reset() response = self.client.get(url) self.assertEqual(response.status_code, 302) data = { "password": "******", "password_confirm": "new-password", } response = self.client.post(response["Location"], data) self.assertRedirects(response, reverse( settings.ACCOUNT_PASSWORD_RESET_REDIRECT_URL), fetch_redirect_response=False)
def test_valid_code(self): signup_code = SignupCode.create() signup_code.save() with self.settings(ACCOUNT_OPEN_SIGNUP=False): data = { "username": "******", "password": "******", "password_confirm": "bar", "email": "*****@*****.**", "code": signup_code.code, } response = self.client.post(reverse("account_signup"), data) self.assertEqual(response.status_code, 302)
def test_session_next_url(self): next_url = "/next-url/" session = self.client.session session["redirect_to"] = next_url session.save() data = { "username": "******", "password": "******", "password_confirm": "bar", "email": "*****@*****.**", } response = self.client.post(reverse("account_signup"), data) self.assertRedirects(response, next_url, fetch_redirect_response=False)
def test_post_authenticated(self): User.objects.create_user("foo", password="******") self.client.login(username="******", password="******") with self.settings(ACCOUNT_LOGIN_REDIRECT_URL="/logged-in/"): data = { "username": "******", "password": "******", "password_confirm": "bar", "email": "*****@*****.**", "code": "abc123", } response = self.client.post(reverse("account_signup"), data) self.assertEqual(response.status_code, 404)
def test_get_reset(self): user, url = self.request_password_reset() response = self.client.get(url) self.assertRedirects( response, reverse( "account_password_reset_token", kwargs={ "uidb36": int_to_base36(user.id), "token": "set-password", } ), fetch_redirect_response=False )
def test_post_reset(self): user, url = self.request_password_reset() response = self.client.get(url) self.assertEqual(response.status_code, 302) data = { "password": "******", "password_confirm": "new-password", } response = self.client.post(response["Location"], data) self.assertRedirects( response, reverse(settings.ACCOUNT_PASSWORD_RESET_REDIRECT_URL), fetch_redirect_response=False )
def test_register_with_moderation(self): signup_code = SignupCode.create() signup_code.save() with self.settings(ACCOUNT_OPEN_SIGNUP=True, ACCOUNT_APPROVAL_REQUIRED=True): data = { "username": "******", "password": "******", "password_confirm": "bar", "email": "*****@*****.**", "code": signup_code.code, } response = self.client.post(reverse("account_signup"), data) self.assertEqual(response.status_code, 200) self.assertFalse(self.client.session.get('_auth_user_id')) u = User.objects.get(username=data['username']) self.assertFalse(u.is_active)