feat(controller): allow admins to change a user's password.

Author: Joshua Anderson

api/__init__.py

@@ -2,4 +2,4 @@
 The **api** Django app presents a RESTful web API for interacting with the **deis** system.
 """
 
-__version__ = '1.5.0'
+__version__ = '1.6.0'

api/tests/test_auth.py

@@ -251,12 +251,11 @@ def test_change_user_passwd(self):
         new_password = 'password'
         submit = {
             'username': self.user1.username,
-            'password': old_password,
             'new_password': new_password,
         }
         response = self.client.post(url, json.dumps(submit), content_type='application/json',
                                     HTTP_AUTHORIZATION='token {}'.format(self.admin_token))
-        self.assertEqual(response.status_code, 400)
+        self.assertEqual(response.status_code, 200)
         # test login with old password
         url = '/v1/auth/login/'
         payload = urllib.urlencode({'username': self.user1.username, 'password': old_password})
@@ -268,16 +267,22 @@ def test_change_user_passwd(self):
         response = self.client.post(url, data=payload,
                                     content_type='application/x-www-form-urlencoded')
         self.assertEqual(response.status_code, 200)
-        # try to change back password with a regular user
-        submit['password'], submit['new_password'] = submit['new_password'], submit['password']
+        # Non-admins can't change another user's password
+        submit['password'], submit['new_password'] = submit['new_password'], old_password
         url = '/v1/auth/passwd'
         response = self.client.post(url, json.dumps(submit), content_type='application/json',
                                     HTTP_AUTHORIZATION='token {}'.format(self.user2_token))
         self.assertEqual(response.status_code, 403)
-        # however, targeting yourself should be fine.
+        # change back password with a regular user
         response = self.client.post(url, json.dumps(submit), content_type='application/json',
                                     HTTP_AUTHORIZATION='token {}'.format(self.user1_token))
         self.assertEqual(response.status_code, 200)
+        # test login with new password
+        url = '/v1/auth/login/'
+        payload = urllib.urlencode({'username': self.user1.username, 'password': old_password})
+        response = self.client.post(url, data=payload,
+                                    content_type='application/x-www-form-urlencoded')
+        self.assertEqual(response.status_code, 200)
 
     def test_regenerate(self):
         """ Test that token regeneration works"""

api/views.py

@@ -37,18 +37,20 @@ def get_object(self):
         return self.get_queryset()[0]
 
     def passwd(self, request, **kwargs):
-        obj = self.get_object()
+        caller_obj = self.get_object()
+        target_obj = self.get_object()
         if request.data.get('username'):
             # if you "accidentally" target yourself, that should be fine
-            if obj.username == request.data['username'] or obj.is_superuser:
-                obj = get_object_or_404(User, username=request.data['username'])
+            if caller_obj.username == request.data['username'] or caller_obj.is_superuser:
+                target_obj = get_object_or_404(User, username=request.data['username'])
             else:
                 raise PermissionDenied()
-        if not obj.check_password(request.data['password']):
-            return Response({'detail': 'Current password does not match'},
-                            status=status.HTTP_400_BAD_REQUEST)
-        obj.set_password(request.data['new_password'])
-        obj.save()
+        if request.data.get('password') or not caller_obj.is_superuser:
+            if not target_obj.check_password(request.data['password']):
+                return Response({'detail': 'Current password does not match'},
+                                status=status.HTTP_400_BAD_REQUEST)
+        target_obj.set_password(request.data['new_password'])
+        target_obj.save()
         return Response({'status': 'password set'})