feat(controller): add username parameter to /v1/auth/passwd

Author: Matthew Fisher

api/fixtures/test_auth.json

@@ -16,5 +16,41 @@
         "email": "autotest@deis.io",
         "date_joined": "2013-05-10T16:08:09.357Z"
     }
+},
+{
+    "pk": 8,
+    "model": "auth.user",
+    "fields": {
+        "username": "autotest2",
+        "first_name": "Otto",
+        "last_name": "Test",
+        "is_active": true,
+        "is_superuser": false,
+        "is_staff": false,
+        "last_login": "2013-05-10T16:08:09.357Z",
+        "groups": [],
+        "user_permissions": [],
+        "password": "pbkdf2_sha256$10000$5Uoq7dl61vnN$gQhDpc2q2Rkn16VdPC+pNNEQcKpy+LGe29Zkad+2/m4=",
+        "email": "autotest@deis.io",
+        "date_joined": "2013-05-10T16:08:09.357Z"
+    }
+},
+{
+    "pk": 9,
+    "model": "auth.user",
+    "fields": {
+        "username": "autotest3",
+        "first_name": "Otto",
+        "last_name": "Test",
+        "is_active": true,
+        "is_superuser": false,
+        "is_staff": false,
+        "last_login": "2013-05-10T16:08:09.357Z",
+        "groups": [],
+        "user_permissions": [],
+        "password": "pbkdf2_sha256$10000$5Uoq7dl61vnN$gQhDpc2q2Rkn16VdPC+pNNEQcKpy+LGe29Zkad+2/m4=",
+        "email": "autotest@deis.io",
+        "date_joined": "2013-05-10T16:08:09.357Z"
+    }
 }
 ]

api/tests/test_auth.py

@@ -21,6 +21,14 @@ class AuthTest(TestCase):
 
     """Tests user registration, authentication and authorization"""
 
+    def setUp(self):
+        self.admin = User.objects.get(username='autotest')
+        self.admin_token = Token.objects.get(user=self.admin).key
+        self.user1 = User.objects.get(username='autotest2')
+        self.user1_token = Token.objects.get(user=self.user1).key
+        self.user2 = User.objects.get(username='autotest3')
+        self.user2_token = Token.objects.get(user=self.user2).key
+
     def test_auth(self):
         """
         Test that a user can register using the API, login and logout
@@ -98,10 +106,6 @@ def test_auth_registration_admin_only_fails_if_not_admin(self):
     @override_settings(REGISTRATION_MODE="admin_only")
     def test_auth_registration_admin_only_works(self):
         """test that a superuser can register when registration is admin only."""
-
-        user = User.objects.get(username='autotest')
-        token = Token.objects.get(user=user)
-
         url = '/v1/auth/register'
 
         username, password = 'newuser_by_admin', 'password'
@@ -119,7 +123,7 @@ def test_auth_registration_admin_only_works(self):
             'is_staff': True,
         }
         response = self.client.post(url, json.dumps(submit), content_type='application/json',
-                                    HTTP_AUTHORIZATION='token {}'.format(token))
+                                    HTTP_AUTHORIZATION='token {}'.format(self.admin_token))
 
         self.assertEqual(response.status_code, 201)
         for key in response.data:
@@ -236,3 +240,41 @@ def test_passwd(self):
         response = self.client.post(url, data=payload,
                                     content_type='application/x-www-form-urlencoded')
         self.assertEqual(response.status_code, 200)
+
+    def test_change_user_passwd(self):
+        """
+        Test that an administrator can change a user's password, while a regular user cannot.
+        """
+        # change password
+        url = '/v1/auth/passwd'
+        old_password = self.user1.password
+        new_password = 'password'
+        submit = {
+            'username': self.user1.username,
+            'password': old_password,
+            'new_password': new_password,
+        }
+        response = self.client.post(url, json.dumps(submit), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.admin_token))
+        self.assertEqual(response.status_code, 400)
+        # test login with old password
+        url = '/v1/auth/login/'
+        payload = urllib.urlencode({'username': self.user1.username, 'password': old_password})
+        response = self.client.post(url, data=payload,
+                                    content_type='application/x-www-form-urlencoded')
+        self.assertEqual(response.status_code, 400)
+        # test login with new password
+        payload = urllib.urlencode({'username': self.user1.username, 'password': new_password})
+        response = self.client.post(url, data=payload,
+                                    content_type='application/x-www-form-urlencoded')
+        self.assertEqual(response.status_code, 200)
+        # try to change back password with a regular user
+        submit['password'], submit['new_password'] = submit['new_password'], submit['password']
+        url = '/v1/auth/passwd'
+        response = self.client.post(url, json.dumps(submit), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.user2_token))
+        self.assertEqual(response.status_code, 403)
+        # however, targeting yourself should be fine.
+        response = self.client.post(url, json.dumps(submit), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.user1_token))
+        self.assertEqual(response.status_code, 200)

api/views.py

@@ -37,6 +37,12 @@ def get_object(self):
 
     def passwd(self, request, **kwargs):
         obj = self.get_object()
+        if request.data.get('username'):
+            # if you "accidentally" target yourself, that should be fine
+            if obj.username == request.data['username'] or obj.is_superuser:
+                obj = get_object_or_404(User, username=request.data['username'])
+            else:
+                raise PermissionDenied()
         if not obj.check_password(request.data['password']):
             return Response({'detail': 'Current password does not match'},
                             status=status.HTTP_400_BAD_REQUEST)