Added password reset to control.auth

2026-05-04 15:04:03 +00:00 · 2015-10-04 13:52:08 +02:00
parent 4e8707635f
commit c47008cc18
14 changed files with 353 additions and 67 deletions
--- a/src/tests/control/test_auth.py
+++ b/src/tests/control/test_auth.py
@@ -1,4 +1,11 @@
-from django.test import Client, TestCase
+from datetime import date, timedelta
+
+from django.conf import settings
+from django.contrib.auth.tokens import (
+    PasswordResetTokenGenerator, default_token_generator,
+)
+from django.core import mail as djmail
+from django.test import TestCase
 from tests.base import BrowserTest

 from pretix.base.models import User
@@ -123,3 +130,122 @@ class RegistrationFormTest(TestCase):
            'password_repeat': 'foo'
        })
        self.assertEqual(response.status_code, 302)
+
+
+class PasswordRecoveryFormTest(TestCase):
+    def setUp(self):
+        super().setUp()
+        self.user = User.objects.create_user('demo@demo.dummy', 'demo')
+
+    def test_unknown(self):
+        response = self.client.post('/control/forgot', {
+            'email': 'dummy@dummy.dummy',
+            })
+        self.assertEqual(response.status_code, 200)
+
+    def test_email_sent(self):
+        djmail.outbox = []
+
+        response = self.client.post('/control/forgot', {
+            'email': 'demo@demo.dummy',
+            })
+        self.assertEqual(response.status_code, 302)
+
+        assert len(djmail.outbox) == 1
+        assert djmail.outbox[0].to == [self.user.email]
+        assert "recover?id=%d&token=" % self.user.id in djmail.outbox[0].body
+
+    def test_recovery_unknown_user(self):
+        response = self.client.get('/control/forgot/recover?id=0&token=foo')
+        self.assertEqual(response.status_code, 302)
+        response = self.client.post(
+            '/control/forgot/recover?id=0&token=foo',
+            {
+                'password': 'foobar',
+                'password_repeat': 'foobar'
+            }
+        )
+        self.assertEqual(response.status_code, 302)
+        self.user = User.objects.get(id=self.user.id)
+        self.assertTrue(self.user.check_password('demo'))
+
+    def test_recovery_invalid_token(self):
+        response = self.client.get('/control/forgot/recover?id=%d&token=foo' % self.user.id)
+        self.assertEqual(response.status_code, 302)
+        response = self.client.post(
+            '/control/forgot/recover?id=%d&token=foo' % self.user.id,
+            {
+                'password': 'foobar',
+                'password_repeat': 'foobar'
+            }
+        )
+        self.assertEqual(response.status_code, 302)
+        self.user = User.objects.get(id=self.user.id)
+        self.assertTrue(self.user.check_password('demo'))
+
+    def test_recovery_expired_token(self):
+        class Mocked(PasswordResetTokenGenerator):
+            def _today(self):
+                return date.today() - timedelta(settings.PASSWORD_RESET_TIMEOUT_DAYS + 1)
+
+        generator = Mocked()
+        token = generator.make_token(self.user)
+        response = self.client.get(
+            '/control/forgot/recover?id=%d&token=%s' % (self.user.id, token)
+        )
+        self.assertEqual(response.status_code, 302)
+        response = self.client.post(
+            '/control/forgot/recover?id=%d&token=%s' % (self.user.id, token),
+            {
+                'password': 'foobar',
+                'password_repeat': 'foobar'
+            }
+        )
+        self.assertEqual(response.status_code, 302)
+        self.user = User.objects.get(id=self.user.id)
+        self.assertTrue(self.user.check_password('demo'))
+
+    def test_recovery_valid_token_success(self):
+        token = default_token_generator.make_token(self.user)
+        response = self.client.get('/control/forgot/recover?id=%d&token=%s' % (self.user.id, token))
+        self.assertEqual(response.status_code, 200)
+        response = self.client.post(
+            '/control/forgot/recover?id=%d&token=%s' % (self.user.id, token),
+            {
+                'password': 'foobar',
+                'password_repeat': 'foobar'
+            }
+        )
+        self.assertEqual(response.status_code, 302)
+        self.user = User.objects.get(id=self.user.id)
+        self.assertTrue(self.user.check_password('foobar'))
+
+    def test_recovery_valid_token_empty_passwords(self):
+        token = default_token_generator.make_token(self.user)
+        response = self.client.get('/control/forgot/recover?id=%d&token=%s' % (self.user.id, token))
+        self.assertEqual(response.status_code, 200)
+        response = self.client.post(
+            '/control/forgot/recover?id=%d&token=%s' % (self.user.id, token),
+            {
+                'password': '',
+                'password_repeat': 'foobar'
+            }
+        )
+        self.assertEqual(response.status_code, 200)
+        self.user = User.objects.get(id=self.user.id)
+        self.assertTrue(self.user.check_password('demo'))
+
+    def test_recovery_valid_token_different_passwords(self):
+        token = default_token_generator.make_token(self.user)
+        response = self.client.get('/control/forgot/recover?id=%d&token=%s' % (self.user.id, token))
+        self.assertEqual(response.status_code, 200)
+        response = self.client.post(
+            '/control/forgot/recover?id=%d&token=%s' % (self.user.id, token),
+            {
+                'password': 'foo',
+                'password_repeat': 'foobar'
+            }
+        )
+        self.assertEqual(response.status_code, 200)
+        self.user = User.objects.get(id=self.user.id)
+        self.assertTrue(self.user.check_password('demo'))