feat: remove check for password reset API if request is comming from support tools

This commit is contained in:
aliadnan
2022-03-03 01:41:13 +05:00
committed by Ali Adnan
parent 4018b2672a
commit b1b5281f2b
2 changed files with 53 additions and 3 deletions


@@ -601,14 +601,15 @@ def password_change_request_handler(request):
"""
user = request.user
if (user.is_staff or user.is_superuser) and request.POST.get('email_from_support_tools'):
request_from_support_tools = (user.is_staff or user.is_superuser) and request.POST.get('email_from_support_tools')
if request_from_support_tools:
email = request.POST.get('email_from_support_tools')
else:
# Prefer logged-in user's email
email = user.email if user.is_authenticated else request.POST.get('email')
AUDIT_LOG.info("Password reset initiated for email %s.", email)
if getattr(request, 'limited', False):
if getattr(request, 'limited', False) and not request_from_support_tools:
AUDIT_LOG.warning("Password reset rate limit exceeded for email %s.", email)
return HttpResponse(
_("Your previous request is in progress, please try again in a few moments."),
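Review bot: The rate-limit bypass on the `if getattr(request, 'limited', False) and not request_from_support_tools:` line is gated only on the broad `is_staff`/`is_superuser` flags plus a client-supplied POST field, and the bypass itself leaves no trace in the audit trail, so a burst of reset emails sent from a staff session to an arbitrary `email_from_support_tools` address (the email is read straight from the POST body on the `email = request.POST.get('email_from_support_tools')` line) is indistinguishable in the logs from a single ordinary request. Consider recording the bypass explicitly, e.g. `AUDIT_LOG.info("Password reset rate limit bypassed via support tools by user %s for email %s.", user.id, email)` in the support-tools branch, and consider keying the bypass on a dedicated support permission rather than `is_staff`. `request_from_support_tools` also holds the raw POST string rather than a boolean; wrapping the expression in `bool(...)` would make its intent explicit. The enclosing `password_change_request_handler` begins before and continues past this hunk, and blank lines appear to have been dropped in rendering (the header counts 14/15 lines while 12/13 are shown).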


@@ -34,7 +34,7 @@ from openedx.core.djangoapps.user_api.tests.test_views import UserAPITestCase
from openedx.core.djangoapps.user_api.accounts import EMAIL_MAX_LENGTH, EMAIL_MIN_LENGTH
from openedx.core.djangoapps.user_authn.views.password_reset import (
SETTING_CHANGE_INITIATED, password_reset, LogistrationPasswordResetView,
PasswordResetConfirmWrapper)
PasswordResetConfirmWrapper, password_change_request_handler)
from openedx.core.djangolib.testing.utils import CacheIsolationTestCase
from common.djangoapps.student.tests.factories import TEST_PASSWORD, UserFactory
from common.djangoapps.student.tests.test_configuration_overrides import fake_get_value
@@ -180,6 +180,55 @@ class ResetPasswordTests(EventTestMixin, CacheIsolationTestCase):
cache.clear()
@patch("openedx.core.djangoapps.user_authn.views.password_reset.request_password_change", Mock(return_value=None))
def test_password_change_non_staff_user(self):
"""
Test that password reset endpoint does not allow more than 1 call for non staff users.
"""
cache.clear()
password_reset_req = self.request_factory.post(
'/account/password/',
{'email': self.user.email, 'email_from_support_tools': self.user.email},
)
password_reset_req.user = self.user
password_reset_req.is_secure = Mock(return_value=True)
good_resp = password_change_request_handler(password_reset_req)
assert good_resp.status_code == 200
bad_resp = password_change_request_handler(password_reset_req)
assert bad_resp.status_code == 403
assert bad_resp.content == b'Your previous request is in progress, please try again in a few moments.'
cache.clear()
@patch("openedx.core.djangoapps.user_authn.views.password_reset.request_password_change", Mock(return_value=None))
def test_password_change_staff_user(self):
"""
Test that password reset endpoint allow multiple requests for staff users.
"""
cache.clear()
password_reset_req = self.request_factory.post(
'/account/password/',
{'email': self.user.email, 'email_from_support_tools': self.user.email},
)
self.user.is_staff = True
password_reset_req.user = self.user
password_reset_req.is_secure = Mock(return_value=True)
good_resp = password_change_request_handler(password_reset_req)
assert good_resp.status_code == 200
good_resp = password_change_request_handler(password_reset_req)
assert good_resp.status_code == 200
good_resp = password_change_request_handler(password_reset_req)
assert good_resp.status_code == 200
good_resp = password_change_request_handler(password_reset_req)
assert good_resp.status_code == 200
cache.clear()
def assert_email_sent_successfully(self, expected):
"""
Verify that the password confirm email has been sent to the user.
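Review bot: The new tests cover a non-staff user who supplies `email_from_support_tools` (still limited) and a staff user who supplies it (not limited), but not the third case the condition in the handler depends on: a staff user who does not send `email_from_support_tools` must still be rate limited, otherwise a later edit that drops the POST-field half of the check would widen the bypass to every staff request without any test failing. A test mirroring `test_password_change_staff_user` but posting only `{'email': self.user.email}` and expecting 403 on the second call would pin that boundary; it presumably belongs next to the two added tests, before `assert_email_sent_successfully`. Setting `self.user.is_staff = True` on the shared fixture is fine only if `self.user` is rebuilt per test, which cannot be confirmed from this hunk.

```python
@patch("openedx.core.djangoapps.user_authn.views.password_reset.request_password_change", Mock(return_value=None))
def test_password_change_staff_user_without_support_tools_field(self):
    """
    Test that staff users are still rate limited when the request does not come from support tools.
    """
    cache.clear()
    password_reset_req = self.request_factory.post(
        '/account/password/',
        {'email': self.user.email},
    )
    self.user.is_staff = True
    password_reset_req.user = self.user
    password_reset_req.is_secure = Mock(return_value=True)
    good_resp = password_change_request_handler(password_reset_req)
    assert good_resp.status_code == 200
    bad_resp = password_change_request_handler(password_reset_req)
    assert bad_resp.status_code == 403
    cache.clear()
# … unchanged: assert_email_sent_successfully …
```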