From a89df96132a897b1ac31da8719cd6dc0d621cc13 Mon Sep 17 00:00:00 2001
From: Sebastian Spaeth
Date: Mon, 7 Jan 2013 10:17:52 +0100
Subject: Restructure ForgotPassword view
1) Remove mongo limitations (no 'or' when querying for either username or email). 2) Lost password function revealed if an user name or email address is registered, which can be considered a data leak. Leaking user names is OK, they are public anyway, but don't reveal lookup success in case the lookup happened by email address. Simply respond: "If you have an account here, we have send you your email"? 3) username and email search was case sensitive. Made username search case insensitive (they are always stored lowercase in the db). Keep email-address search case sensitive for now. This might need further discussion 4) Remove a whole bunch of indention in the style of: if no error: ... if no error: ... if no error: actually do something in the regular case by restructuring the function. 5) Outsource the sanity checking for username and email fields into the validator function. This way, we get automatic case sanity checking and sanitizing for all required fields. 6) Require 5-char password and fix tests Originally, the Change password form required a password between 6-30 chars while the registration and login form did not require anything special. This commit introduces a common minimum limit for all forms which breaks the test suite which uses a 5 char password by default. :-). As 5 chars seem sensible enough to enforce (people should be picking much longer ones anyway), just reduce the limit to 5 chars, thereby making all tests pass.
Signed-off-by: Sebastian Spaeth
---
 mediagoblin/tests/test_auth.py | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-) (limited to 'mediagoblin/tests/test_auth.py')
diff --git a/mediagoblin/tests/test_auth.py b/mediagoblin/tests/test_auth.py
index 103bea6b..f4409121 100644
--- a/mediagoblin/tests/test_auth.py
+++ b/mediagoblin/tests/test_auth.py
@@ -105,10 +105,8 @@ def test_register_views(test_app):
 context = template.TEMPLATE_TEST_CONTEXT['mediagoblin/auth/register.html']
 form = context['register_form']
- assert form.username.errors == [
- u'Field must be between 3 and 30 characters long.']
- assert form.password.errors == [
- u'Field must be between 6 and 30 characters long.']
+ assert_equal (form.username.errors, [u'Field must be between 3 and 30 characters long.'])
+ assert_equal (form.password.errors, [u'Field must be between 5 and 1024 characters long.'])
 ## bad form
 template.clear_test_template_context()
@@ -119,10 +117,8 @@ def test_register_views(test_app):
 context = template.TEMPLATE_TEST_CONTEXT['mediagoblin/auth/register.html']
 form = context['register_form']
- assert form.username.errors == [
- u'Invalid input.']
- assert form.email.errors == [
- u'Invalid email address.']
+ assert_equal (form.username.errors, [u'This field does not take email addresses.'])
+ assert_equal (form.email.errors, [u'This field requires an email address.'])
 ## At this point there should be no users in the database ;)
 assert_equal(User.query.count(), 0)
@@ -370,7 +366,7 @@ def test_authentication_views():
 response = test_app.post(
 '/auth/login/', {
 'username': u'chris',
- 'password': 'jam'})
+ 'password': 'jam_and_ham'})
 context = template.TEMPLATE_TEST_CONTEXT['mediagoblin/auth/login.html']
 assert context['login_failed']
-- 
cgit v1.2.3
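Review bot: The two added `assert_equal (form.username.errors, ...)` / `assert_equal (form.password.errors, ...)` lines in the first hunk put a space between the function name and its opening parenthesis, which PEP 8 (E211) discourages and which differs from the file's own `assert_equal(User.query.count(), 0)` visible as context in the next hunk; the two added lines in the second hunk (`@@ -119,10 +117,8 @@`) have the same issue. Write them as `assert_equal(form.username.errors, [u'Field must be between 3 and 30 characters long.'])` and likewise for the others. The removed assertions wrapped the message onto a continuation line; keeping that wrap would also keep the new lines under the usual 79-column limit. test_register_views continues outside the hunk.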
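Review bot: The second hunk pins the new validator messages for an email-shaped username and a malformed email, but nothing in this diff exercises the case-insensitive username lookup that the commit message introduces (item 3), so that behaviour appears untested here unless it is covered elsewhere in the file. A registration or login attempt with a mixed-case name such as `u'Chris'` against the lowercase-stored user would cover it, and since it changes how accounts are matched on login it is the kind of change worth a regression test. Asserting on the exact message strings is fine for now, but it will break on any wording change; comparing against the validator's message constant, if one exists, would be more robust.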
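Review bot: The third hunk changes the failed-login password from `'jam'` to `'jam_and_ham'` without saying why; given the common 5-character minimum the commit message describes, the reason is presumably that `'jam'` would now be rejected by the length validator before the credential check ever ran, so the test would no longer be exercising a wrong-password login. Add a comment above the line, e.g. `# >= 5 chars so the failure comes from a wrong password, not the length validator`, and consider also asserting that the login form carries no field errors so the test cannot pass for the wrong reason. test_authentication_views starts outside the hunk.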