return to account_management view if edit-profile form does not receive a next_url parameter (fixes #23049)

Fallback in get_sucess_url() was not tested, if it was it would have shown that get_success_url() cannot return a view name, but only URLs and paths.
2018-04-10 00:12:05 +02:00 · 2018-04-10 00:12:05 +02:00 · b3f89132ce
parent 85545e5d35
commit b3f89132ce
2 changed files with 17 additions and 2 deletions
--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@ -136,7 +136,7 @@ class EditProfile(cbv.HookMixin, cbv.TemplateNamesMixin, UpdateView):
        field_name = 'edit-profile-next_url'
        if self.request.method == 'POST' and field_name in self.request.POST:
            return self.request.POST[field_name]
-        return 'account_management'
+        return reverse('account_management')

    def post(self, request, *args, **kwargs):
        if 'cancel' in request.POST:
--- a/tests/test_profile.py
+++ b/tests/test_profile.py
@ -14,8 +14,22 @@ def test_account_edit_view(app, simple_user):
    url = reverse('profile_edit')
    resp = app.get(url, status=200)

-    attribute = Attribute.objects.create(name='phone', label='phone',
+    attribute = Attribute.objects.create(
+        name='phone', label='phone',
        kind='string', user_visible=True, user_editable=True)
+
+    resp = app.get(url, status=200)
+    resp = app.post(url, params={
+                        'csrfmiddlewaretoken': resp.form['csrfmiddlewaretoken'].value,
+                        'edit-profile-first_name': resp.form['edit-profile-first_name'].value,
+                        'edit-profile-last_name': resp.form['edit-profile-last_name'].value,
+                        'edit-profile-phone': '1234'
+                    },
+                    status=302)
+    # verify that missing next_url in POST is ok
+    assert resp['Location'].endswith(reverse('account_management'))
+    assert attribute.get_value(simple_user) == '1234'
+
    resp = app.get(url, status=200)
    resp.form.set('edit-profile-phone', '0123456789')
    resp = resp.form.submit().follow()
@ -52,6 +66,7 @@ def test_account_edit_next_url(app, simple_user, external_redirect_next_url, ass
        name='phone', label='phone',
        kind='string', user_visible=True,
        user_editable=True)
+
    resp = app.get(url + '?next=%s' % external_redirect_next_url, status=200)
    resp.form.set('edit-profile-phone', '0123456789')
    resp = resp.form.submit()