urls: use uuid routing parameter for sms code opaque urls (#88044)
This commit is contained in:
parent
1831a84adf
commit
cb751d98f3
@ -57,8 +57,8 @@ accounts_urlpatterns = [
|
|||
path('change-email/', views.email_change, name='email-change'),
|
||||
path('change-email/verify/', views.email_change_verify, name='email-change-verify'),
|
||||
path('change-phone/', views.phone_change, name='phone-change'),
|
||||
re_path(
|
||||
'change-phone/verify/(?P<token>[A-Za-z0-9_ -]+)/$',
|
||||
path(
|
||||
'change-phone/verify/<uuid:token>/',
|
||||
views.phone_change_verify,
|
||||
name='phone-change-verify',
|
||||
),
|
||||
|
@ -120,8 +120,8 @@ urlpatterns = [
|
|||
TemplateView.as_view(template_name='registration/registration_closed.html'),
|
||||
name='registration_disallowed',
|
||||
),
|
||||
re_path(
|
||||
'^register/input_code/(?P<token>[A-Za-z0-9_ -]+)/$',
|
||||
path(
|
||||
'register/input_code/<uuid:token>/',
|
||||
views.input_sms_code,
|
||||
name='input_sms_code',
|
||||
),
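Review bot: The `<uuid:token>` converter on both routes matches only the canonical lowercase, hyphenated 36-character form, so a link whose UUID an SMS client or a user uppercased (or whose hyphens got dropped) now 404s in the resolver before either view runs, whereas the old character class plus the `replace(' ', '')` in the view was deliberately forgiving. If that strictness is intended, it is worth recording on each route, e.g. `# canonical lowercase UUID only — presumably the form SMSCode.url_token is generated in; confirm`, because a failed link is indistinguishable from a guessed one at this layer. If leniency is wanted instead, a small custom converter whose `to_python` lowercases and strips separators keeps the tight regex while tolerating mangled links. Note also that this converter hands the views a `uuid.UUID` object, not a `str`.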
|
||||
|
|
|
@ -415,9 +415,7 @@ phone_change = login_required(PhoneChangeView.as_view())
|
|||
|
||||
class PhoneChangeVerifyView(TemplateView):
|
||||
def get(self, request, *args, **kwargs):
|
||||
token = kwargs['token'].replace(' ', '')
|
||||
if not token:
|
||||
return shortcuts.redirect('phone-change')
|
||||
token = kwargs['token']
|
||||
authn = utils_misc.get_password_authenticator()
|
||||
user_ct = ContentType.objects.get_for_model(get_user_model())
|
||||
try:
|
||||
|
@ -1628,11 +1626,11 @@ class InputSMSCodeView(cbv.ValidateCSRFMixin, FormView):
|
|||
title = _('SMS code validation')
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
token = kwargs.get('token')
|
||||
token = kwargs['token']
|
||||
try:
|
||||
self.code = models.SMSCode.objects.get(url_token=token)
|
||||
except models.SMSCode.DoesNotExist:
|
||||
return HttpResponseBadRequest(_('Invalid request'))
|
||||
raise Http404(_('Invalid token'))
|
||||
return super().dispatch(request, *args, **kwargs)
|
||||
|
||||
def get_context_data(self, **kwargs):
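Review bot: `kwargs['token']` is now a `uuid.UUID` instance rather than a string, in `dispatch` here and in `PhoneChangeVerifyView.get` in the previous hunk (whose body continues outside that hunk), and both pass it straight into `objects.get(url_token=token)`. If `SMSCode.url_token` is a `UUIDField` the lookup type is exact; if it is a `CharField` the ORM still coerces via `str()` for the query, but any later string comparison, logging or session storage of `token` needs an explicit `str(token)` — the field declaration is not visible here, so worth confirming. Dropping the `if not token` redirect in `PhoneChangeVerifyView.get` is correct since the converter never yields an empty value; a one-line comment, `# token is a uuid.UUID guaranteed well-formed by the <uuid:token> route; the DB lookup is the only validation left`, would stop the next reader from re-adding it. Raising `Http404` for an unknown token, the same status the resolver returns for a malformed one, is good: a client probing tokens gets no distinguishable response apart from the message text in DEBUG.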
|
||||
|
|
|
@ -281,8 +281,14 @@ def test_change_phone_code_modified(app, nomail_user, user_ou1, phone_activated_
|
|||
resp.form.set('phone_1', '122446666')
|
||||
resp.form.set('password', nomail_user.username)
|
||||
resp = resp.form.submit()
|
||||
location = resp.location[:-5] + 'abcd/' # oops, something went wrong with the url token
|
||||
app.get(location, status=400)
|
||||
location = resp.location[:-5] + 'wxyz/' # oops, something went wrong with the url token
|
||||
app.get(location, status=404)
|
||||
assert not Token.objects.count()
|
||||
|
||||
location = (
|
||||
resp.location[:-5] + 'abcd/'
|
||||
) # oops, something went wrong again although it's a valid uuid format
|
||||
app.get(location, status=404)
|
||||
assert not Token.objects.count()
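Review bot: The `resp.location[:-5] + 'abcd/'` manipulation silently assumes the redirect target ends with the canonical 36-character UUID followed by `/`; if the route shape ever changes, the test keeps passing while exercising an unrelated URL that 404s for a different reason. Asserting the shape once before slicing, `assert uuid.UUID(resp.location.rstrip('/').rsplit('/', 1)[-1])` (with `uuid` imported if the module does not already have it), makes the second case fail for the right reason. As a style point, `assert not Token.objects.exists()` says the same thing as `assert not Token.objects.count()` without counting rows.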
|
||||
|
||||
|
||||
|
|
|
@ -1026,6 +1026,25 @@ def test_phone_registration_wrong_code(app, db, settings, phone_activated_authn)
|
|||
assert resp.pyquery('li')[0].text_content() == 'Wrong SMS code.'
|
||||
|
||||
|
||||
@responses.activate
|
||||
def test_phone_registration_wrong_input_code_opaque_url(app, db, settings, phone_activated_authn):
|
||||
settings.SMS_URL = 'https://foo.whatever.none/'
|
||||
responses.post('https://foo.whatever.none/', status=200)
|
||||
|
||||
resp = app.get(reverse('registration_register'))
|
||||
resp.form.set('phone_1', '612345678')
|
||||
resp = resp.form.submit()
|
||||
location = resp.location[:-5] + 'wxyz/' # oops, something went wrong with the url token
|
||||
app.get(location, status=404)
|
||||
assert not Token.objects.count()
|
||||
|
||||
location = (
|
||||
resp.location[:-5] + 'abcd/'
|
||||
) # oops, something went wrong again although it's a valid uuid format
|
||||
app.get(location, status=404)
|
||||
assert not Token.objects.count()
|
||||
|
||||
|
||||
@responses.activate
|
||||
def test_phone_registration_expired_code(app, db, settings, freezer, phone_activated_authn):
|
||||
settings.SMS_URL = 'https://foo.whatever.none/'
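Review bot: `test_phone_registration_wrong_input_code_opaque_url` registers the SMS gateway with `responses` but never checks how many times it was hit, so it would not catch a regression where visiting a malformed or foreign token URL triggers another send; adding `assert len(responses.calls) == 1` at the end pins that only the form submission produced an SMS. The test name also says "wrong input code" although no code is ever entered — it exercises the URL token, so `test_phone_registration_wrong_url_token_opaque_url` would describe it better. Its tail duplicates the end of `test_change_phone_code_modified` in the other test file; a shared helper taking `resp.location` would keep the two in step. `test_phone_registration_expired_code` continues outside this hunk.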
|
||||
|
|