From 433477abe412615309b3d9a15d7db07cb5dfce9a Mon Sep 17 00:00:00 2001 From: Joshua Spayd Date: Mon, 17 Jul 2017 22:45:35 +0000 Subject: [PATCH] Hide passwords in register/login crash reports Includes code for testing to be removed in the next commit. --- lms/envs/devstack.py | 3 ++ openedx/core/djangoapps/user_api/views.py | 51 +++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/lms/envs/devstack.py b/lms/envs/devstack.py index 909259f278..51fe771120 100644 --- a/lms/envs/devstack.py +++ b/lms/envs/devstack.py @@ -277,3 +277,6 @@ if os.path.isfile(join(dirname(abspath(__file__)), 'private.py')): MODULESTORE = convert_module_store_setting_if_needed(MODULESTORE) SECRET_KEY = '85920908f28904ed733fe576320db18cabd7b6cd' +# Begin test code +ADMINS=[('Name', 'test@example.com')] +# End test code diff --git a/openedx/core/djangoapps/user_api/views.py b/openedx/core/djangoapps/user_api/views.py index 0eb83d88fa..6d5ac4f281 100644 --- a/openedx/core/djangoapps/user_api/views.py +++ b/openedx/core/djangoapps/user_api/views.py @@ -9,6 +9,7 @@ from django.http import HttpResponse, HttpResponseForbidden from django.utils.decorators import method_decorator from django.utils.translation import ugettext as _ from django.views.decorators.csrf import csrf_exempt, csrf_protect, ensure_csrf_cookie +from django.views.decorators.debug import sensitive_post_parameters from django_countries import countries from django_filters.rest_framework import DjangoFilterBackend from opaque_keys import InvalidKeyError 
@@ -44,6 +45,32 @@ from .models import UserPreference, UserProfile from .preferences.api import get_country_time_zones, update_email_opt_in from .serializers import CountryTimeZoneSerializer, UserPreferenceSerializer, UserSerializer +# Begin test code +import sys +import traceback +from django.core import mail +from django.views.debug import ExceptionReporter +from django.views.debug import SafeExceptionReporterFilter + +# Necessary for testing because SafeExceptionReporterFilter is only active in production mode +class CustomExceptionReporterFilter(SafeExceptionReporterFilter): + def is_active(self, request): + return True + +def send_manually_exception_email(request, e): + exc_info = sys.exc_info() + reporter = ExceptionReporter(request, is_email=True, *exc_info) + reporter.filter = CustomExceptionReporterFilter() + subject = e.message.replace('\n', '\\n').replace('\r', '\\r')[:989] + message = "%s\n\n%s" % ( + '\n'.join(traceback.format_exception(*exc_info)), + reporter.filter.get_request_repr(request) + ) + mail.mail_admins( + subject, message, fail_silently=True, + html_message=reporter.get_traceback_html() + ) +# End test code class LoginSessionView(APIView): """HTTP end-points for logging in users. """ @@ -122,6 +149,14 @@ class LoginSessionView(APIView): @method_decorator(require_post_params(["email", "password"])) @method_decorator(csrf_protect) def post(self, request): + # Begin test code + try: + raise Exception + except Exception as e: + request.META['SERVER_NAME'] = 'blah' + request.META['SERVER_PORT'] = 18010 + send_manually_exception_email(request, e) + # End test code """Log in a user. You must send all required form fields with the request. 
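Review bot: `send_manually_exception_email` mails the full request repr plus `get_traceback_html()` with `fail_silently=True`, so if this helper outlives the removal promised in the commit message, every login and registration POST becomes an admin email carrying the request's META and cookies as Django's reporter renders them; a guard at the top of the function, e.g. `if not getattr(settings, 'DEBUG_EXCEPTION_EMAIL_TEST', False): return`, would fail closed instead of relying on a follow-up commit. `subject = e.message...` depends on the Python 2-only `BaseException.message` attribute and is the empty string for the bare `raise Exception` the callers use, so `subject = repr(e)[:989]` would give the mail a usable subject on either interpreter. The `is_active` override means this exercises the filter but not the production trigger, which the comment should say plainly: `# Forces SafeExceptionReporterFilter on regardless of DEBUG; production redaction relies on DEBUG = False.`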
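Review bot: The test block is inserted before the method's docstring, so `"""Log in a user. ...` becomes an ordinary string expression and `post` has no docstring while the block is in (DRF's view description, which reads it, sees none); if the block must stay for a commit, place it after the docstring. `request.META['SERVER_NAME'] = 'blah'` and `['SERVER_PORT'] = 18010` are written to the live request and stay set through `login_user`, which matters for any downstream code that derives the host from META (Django's `get_host()` falls back to `SERVER_NAME`/`SERVER_PORT` when `HTTP_HOST` is absent); saving the two values before the call and restoring them after `send_manually_exception_email` returns keeps the test from changing the real login flow. The rest of `post` continues outside the hunk.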
@@ -156,6 +191,10 @@ class LoginSessionView(APIView): from student.views import login_user return shim_student_view(login_user, check_logged_in=True)(request) + @method_decorator(sensitive_post_parameters("password")) + def dispatch(self, request, *args, **kwargs): + return super(LoginSessionView, self).dispatch(request, *args, **kwargs) + class RegistrationView(APIView): """HTTP end-points for creating a new user. """ @@ -308,6 +347,14 @@ class RegistrationView(APIView): @method_decorator(csrf_exempt) def post(self, request): + # Begin test code + try: + raise Exception + except Exception as e: + request.META['SERVER_NAME'] = 'blah' + request.META['SERVER_PORT'] = 18010 + send_manually_exception_email(request, e) + # End test code """Create the user's account. You must send all required form fields with the request. @@ -381,6 +428,10 @@ class RegistrationView(APIView): set_logged_in_cookies(request, response, user) return response + @method_decorator(sensitive_post_parameters("password")) + def dispatch(self, request, *args, **kwargs): + return super(RegistrationView, self).dispatch(request, *args, **kwargs) + def _add_email_field(self, form_desc, required=True): """Add an email field to a form description.
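Review bot: `sensitive_post_parameters("password")` redacts the password only where it appears in `request.POST` (or another `MultiValueDict`) in Django's error report, and only while `SafeExceptionReporterFilter.is_active()` holds, i.e. `DEBUG = False`; a plain string local such as `password = request.POST['password']` in any frame of the traceback is still printed unless that function carries `@sensitive_variables('password')`. The login path hands off to `student.views.login_user` (outside this hunk) — I can't see its body here, but if it binds the password to a local, that decorator is needed there for this commit's goal to hold end to end. Any other error sink that dumps `request.POST` or frame locals (a logging handler or APM agent, if one is configured) is likewise untouched by this decorator. A one-line docstring on the override would make the intent visible: `"""Mark `password` so Django's crash reports redact it from request.POST."""`.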
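Review bot: Same placement problem as in `LoginSessionView.post`: the block precedes `"""Create the user's account. ...`, which turns that docstring into a bare string expression, so `post` is undocumented while the test code is in. The mutated `SERVER_NAME`/`SERVER_PORT` are more consequential here, because registration continues after the `except` and, if the activation email or any redirect builds an absolute URL from the request while `HTTP_HOST` is absent, would embed `blah:18010`; saving the two META values and restoring them right after `send_manually_exception_email(request, e)` avoids that. Since `post` is `csrf_exempt`, the crash email per POST is also triggerable by any unauthenticated client for as long as the block stays in, which is one more reason the removal should not be left to a later commit. The rest of `post` continues outside the hunk.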