示例#1
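    def test_forgotten_password_full_process(self, app, db_session, smtplib):
        """Walk the whole forgotten-password flow: request, e-mail, reset.

        Requests a reset for a non-activated person, checks that a
        confirmation record and a plain-text e-mail carrying the reset URL
        were produced, follows that URL, sets a new password, and finally
        checks that the stored hash changed and that the confirmation
        record was consumed.
        """
        p = PersonFactory(activated=False)
        db_session.commit()

        # Record the baseline before any request is made, so the final
        # comparison is against the hash the person really started with and
        # not against whatever the instance reports after the reset ran.
        pid = p.id
        old_hash = p.password_hash
        email_address = p.email_address

        # get the login page
        resp = app.get(url_for(controller='person', action='signin', id=None))
        # click on the forgotten password link
        resp = resp.click('Forgotten your password?')

        f = resp.forms[1]  # TODO: Fragile, Persona is [0]
        f['email_address'] = email_address
        f.submit()

        # check that the confirmation record was created
        crecs = PasswordResetConfirmation.find_by_email(email_address)
        assert crecs is not None

        # check our email
        assert smtplib.existing is not None
        message = smtplib.existing.message

        # check to address; the address is escaped so that '.' or '+' in it
        # is matched literally instead of acting as a regex operator
        to_match = re.match(r'^.*To:.*' + re.escape(email_address),
                            message, re.DOTALL)
        assert to_match is not None

        # check that the email has no HTML in it and thus was not rendered
        # incorrectly
        html_match = re.match(r'^.*<!DOCTYPE', message, re.DOTALL)
        assert html_match is None

        # check that the message has a url hash in it
        url_match = re.match(r'^.*(/person/reset_password/\S+)',
                             message, re.DOTALL)
        assert url_match is not None

        # ok go to the URL, on treadmills
        resp = app.get(url_match.group(1))

        # set password; both fields carry the same value so the success
        # path is exercised rather than a confirmation mismatch
        f = resp.form
        f['password'] = 'passwdtest'
        f['password_confirm'] = 'passwdtest'
        resp = f.submit(extra_environ=dict(REMOTE_ADDR='0.0.0.0'))

        # Need to forget the objects we created
        db_session.expunge_all()

        # check that the password was changed
        p = Person.find_by_id(pid)
        assert p.password_hash != old_hash

        # check that the confirmation record is gone, i.e. the reset link
        # was consumed by the successful reset
        crecs = PasswordResetConfirmation.find_by_email(email_address)
        assert crecs is None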
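    def test_forgotten_password_full_process(self, app, db_session, smtplib):
        """Exercise the forgotten-password flow end to end.

        A non-activated person asks for a reset; the test then verifies the
        confirmation record, the outgoing plain-text e-mail and the reset
        URL inside it, submits a new password through that URL, and checks
        that the stored hash differs from the starting one and that the
        confirmation record no longer exists.
        """
        p = PersonFactory(activated=False)
        db_session.commit()

        # Take the baseline up front: reading the hash only after the reset
        # request would make the final comparison depend on how the session
        # refreshes the instance, not on what the reset actually did.
        pid = p.id
        old_hash = p.password_hash
        email_address = p.email_address

        # get the login page
        resp = app.get(url_for(controller='person', action='signin', id=None))
        # click on the forgotten password link
        resp = resp.click('Forgotten your password?')

        f = resp.forms['pwreset-form']
        f['email_address'] = email_address
        f.submit()

        # check that the confirmation record was created
        crecs = PasswordResetConfirmation.find_by_email(email_address)
        assert crecs is not None

        # check our email
        assert smtplib.existing is not None
        message = smtplib.existing.message

        # check to address; re.escape keeps '.' and '+' in the address from
        # being interpreted as regex operators
        to_match = re.match(r'^.*To:.*' + re.escape(email_address), message, re.DOTALL)
        assert to_match is not None

        # check that the email has no HTML in it and thus was not rendered
        # incorrectly
        html_match = re.match(r'^.*<!DOCTYPE', message, re.DOTALL)
        assert html_match is None

        # check that the message has a url hash in it
        url_match = re.match(r'^.*(/person/reset_password/\S+)', message, re.DOTALL)
        assert url_match is not None

        # ok go to the URL, on treadmills
        resp = app.get(url_match.group(1))

        # set password; the two fields agree so that the success path is
        # what gets tested, not a confirmation mismatch
        f = resp.forms['reset-form']
        f['password'] = 'passwdtest'
        f['password_confirm'] = 'passwdtest'
        resp = f.submit(extra_environ=dict(REMOTE_ADDR='0.0.0.0'))

        # Need to forget the objects we created
        db_session.expunge_all()

        # check that the password was changed
        p = Person.find_by_id(pid)
        assert p.password_hash != old_hash

        # check that the confirmation record is gone, so the e-mailed link
        # cannot drive a second reset
        crecs = PasswordResetConfirmation.find_by_email(email_address)
        assert crecs is None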
    def test_confirm_old_url_hash(self, app, db_session):
        """Test that old url_hashes are caught

        A confirmation stamped 1.1 days in the past is still served a reset
        form on GET; the expiry warning is asserted on the response to the
        form submission, after which the confirmation must be deleted.
        """
        expired_at = datetime.now() - timedelta(days=1.1)
        c = PasswordResetConfirmationFactory(timestamp=expired_at)
        db_session.commit()

        reset_url = url_for(controller='person',
                            action='reset_password',
                            url_hash=c.url_hash)
        resp = app.get(reset_url)

        # TODO: Ensure confirm must match
        # NOTE(review): the two values below differ as written; nothing in
        # this test asserts how the form treats a mismatch.

        # Prompted to enter new password
        reset_form = resp.forms['reset-form']
        reset_form['password'] = '******'
        reset_form['password_confirm'] = 'test'
        environ = {'REMOTE_ADDR': '0.0.0.0'}
        resp = reset_form.submit(extra_environ=environ)

        # check for warning
        page_text = unicode(resp.body, 'utf-8')
        assert "This password recovery session has expired" in page_text

        # Need to forget the objects we created
        db_session.expunge_all()

        # Outstanding confirmation should be gone
        leftover = PasswordResetConfirmation.find_by_email(c.email_address)
        assert leftover is None
示例#4
    def test_confirm_old_url_hash(self, app, db_session):
        """Test that old url_hashes are caught

        Uses a confirmation whose timestamp is 1.1 days old. The reset page
        still renders a form for it; the expiry message is checked on the
        response to submitting that form, and the stale confirmation must
        be removed afterwards.
        """
        stale_stamp = datetime.now() - timedelta(days=1.1)
        c = PasswordResetConfirmationFactory(timestamp=stale_stamp)
        db_session.commit()

        target = url_for(controller='person',
                         action='reset_password',
                         url_hash=c.url_hash)
        resp = app.get(target)

        # TODO: Ensure confirm must match
        # NOTE(review): password and password_confirm differ below; this
        # test does not assert what the form does with a mismatch.

        # Prompted to enter new password
        form = resp.form
        form['password'] = '******'
        form['password_confirm'] = 'test'
        resp = form.submit(extra_environ={'REMOTE_ADDR': '0.0.0.0'})

        # check for warning
        body_text = unicode(resp.body, 'utf-8')
        assert "This password recovery session has expired" in body_text

        # Need to forget the objects we created
        db_session.expunge_all()

        # Outstanding confirmation should be gone
        remaining = PasswordResetConfirmation.find_by_email(c.email_address)
        assert remaining is None
    def test_duplicate_password_reset(self, app, db_session, smtplib):
        """Try to reset a password twice.

        The first request must create a confirmation record; re-submitting
        the same form must be answered with the "already in progress"
        message.
        """
        person = PersonFactory()
        db_session.commit()

        signin_page = app.get(url_for(controller='person', action='signin'))
        forgot_page = signin_page.click('Forgotten your password?')
        request_form = forgot_page.forms['pwreset-form']
        request_form['email_address'] = person.email_address
        request_form.submit()

        pending = PasswordResetConfirmation.find_by_email(person.email_address)
        assert pending is not None

        # submit a second time
        # NOTE(review): this message tells an unauthenticated requester that
        # a reset is pending for the submitted address - confirm that this
        # disclosure is intended.
        second = request_form.submit()
        page_text = unicode(second.body, 'utf-8')
        assert "password recovery process is already in progress" in page_text
示例#6
    def test_duplicate_password_reset(self, app, db_session, smtplib):
        """Try to reset a password twice.

        After one reset request has produced a confirmation record, sending
        the same form again must yield the "already in progress" message.
        """
        person = PersonFactory()
        db_session.commit()

        landing = app.get(url_for(controller='person', action='signin'))
        landing = landing.click('Forgotten your password?')
        # The form is picked by position, so this breaks if the page's form
        # order changes.
        request_form = landing.forms[1]
        request_form['email_address'] = person.email_address
        request_form.submit()

        pending = PasswordResetConfirmation.find_by_email(person.email_address)
        assert pending is not None

        # submit a second time
        # NOTE(review): the asserted message confirms to an unauthenticated
        # requester that a reset is pending for this address - confirm that
        # this disclosure is intended.
        repeat = request_form.submit()
        expected = "password recovery process is already in progress"
        assert expected in unicode(repeat.body, 'utf-8')
示例#7
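    def test_confirm_reset(self, app, db_session):
        """Test confirmation of a password reset that should succeed.

        A confirmation record just under 24 hours old is created for a
        person, its reset URL is opened, and a new password is submitted.
        The test then checks the success message, that the confirmation
        record was consumed, and that the stored password hash differs from
        the one recorded before the reset.
        """

        # create a confirmation record
        p = PersonFactory()
        # set the timestamp to just under 24 hours ago
        stamp = datetime.now() - timedelta(days=0.9)
        c = PasswordResetConfirmationFactory(email_address=p.email_address,
                                             timestamp=stamp)
        db_session.commit()

        # Save the baseline before the reset is submitted; a hash read only
        # afterwards cannot show whether the reset changed anything.
        pid = p.id
        old_password_hash = p.password_hash
        email_address = c.email_address

        resp = app.get(
            url_for(controller='person',
                    action='reset_password',
                    url_hash=c.url_hash))

        # showing the email on the page
        assert email_address in unicode(resp.body, 'utf-8')

        # Both fields carry the same new value.
        # NOTE(review): assumes the factory's default password is not
        # 'passwdtest' - confirm against PersonFactory, otherwise the hash
        # comparison below proves nothing.
        f = resp.form
        f['password'] = 'passwdtest'
        f['password_confirm'] = 'passwdtest'
        resp = f.submit(extra_environ=dict(REMOTE_ADDR='0.0.0.0'))
        resp = resp.maybe_follow()

        # check for success
        assert "Your password has been updated" in unicode(resp.body, 'utf-8')

        # Need to forget the objects we created
        db_session.expunge_all()

        # conf rec should be gone
        crecs = PasswordResetConfirmation.find_by_email(email_address)
        assert crecs is None

        # password should be changed: an equality check here would also
        # pass when the reset silently did nothing
        p = Person.find_by_id(pid)
        assert p.password_hash != old_password_hash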
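    def test_confirm_reset(self, app, db_session):
        """Test confirmation of a password reset that should succeed.

        Builds a confirmation record just under 24 hours old for a person,
        opens its reset URL, submits a new password, and verifies the
        success message, the removal of the confirmation record, and that
        the stored password hash is no longer the pre-reset one.
        """

        # create a confirmation record
        p = PersonFactory()
        # set the timestamp to just under 24 hours ago
        stamp = datetime.now() - timedelta(days=0.9)
        c = PasswordResetConfirmationFactory(email_address=p.email_address, timestamp=stamp)
        db_session.commit()

        # Capture the pre-reset state now; comparing against a value read
        # after the submit would not detect a reset that changed nothing.
        pid = p.id
        old_password_hash = p.password_hash
        email_address = c.email_address

        resp = app.get(url_for(controller='person',
            action='reset_password',
            url_hash=c.url_hash))

        # showing the email on the page
        assert email_address in unicode(resp.body, 'utf-8')

        # The new password is entered identically in both fields.
        # NOTE(review): assumes 'passwdtest' is not the password the factory
        # assigns by default - confirm against PersonFactory.
        f = resp.forms['reset-form']
        f['password'] = 'passwdtest'
        f['password_confirm'] = 'passwdtest'
        resp = f.submit(extra_environ=dict(REMOTE_ADDR='0.0.0.0'))
        resp = resp.maybe_follow()

        # check for success
        assert "Your password has been updated" in unicode(resp.body, 'utf-8')

        # Need to forget the objects we created
        db_session.expunge_all()

        # conf rec should be gone
        crecs = PasswordResetConfirmation.find_by_email(email_address)
        assert crecs is None

        # password should be changed; asserting equality would let a no-op
        # reset pass unnoticed
        p = Person.find_by_id(pid)
        assert p.password_hash != old_password_hash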