feat(controller): add "deis auth:passwd" to update password

mboersma · mboersma · commit d271997ef066 · 2014-10-24T13:14:48.000-06:00
diff --git a/api/tests/test_auth.py b/api/tests/test_auth.py
@@ -99,3 +99,49 @@ def test_cancel(self):
         response = self.client.delete(url,
                                       HTTP_AUTHORIZATION='token {}'.format(token))
         self.assertEqual(response.status_code, 204)
+
+    def test_passwd(self):
+        """Test that a registered user can change the password."""
+        # test registration workflow
+        username, password = 'newuser', 'password'
+        first_name, last_name = 'Otto', 'Test'
+        email = 'autotest@deis.io'
+        submit = {
+            'username': username,
+            'password': password,
+            'first_name': first_name,
+            'last_name': last_name,
+            'email': email,
+        }
+        url = '/v1/auth/register'
+        response = self.client.post(url, json.dumps(submit), content_type='application/json')
+        self.assertEqual(response.status_code, 201)
+        # change password
+        url = '/v1/auth/passwd'
+        user = User.objects.get(username=username)
+        token = Token.objects.get(user=user).key
+        submit = {
+            'password': 'password2',
+            'new_password': password,
+        }
+        response = self.client.post(url, json.dumps(submit), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(token))
+        self.assertEqual(response.status_code, 400)
+        submit = {
+            'password': password,
+            'new_password': 'password2',
+        }
+        response = self.client.post(url, json.dumps(submit), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(token))
+        self.assertEqual(response.status_code, 200)
+        # test login with old password
+        url = '/v1/auth/login/'
+        payload = urllib.urlencode({'username': username, 'password': password})
+        response = self.client.post(url, data=payload,
+                                    content_type='application/x-www-form-urlencoded')
+        self.assertEqual(response.status_code, 400)
+        # test login with new password
+        payload = urllib.urlencode({'username': username, 'password': 'password2'})
+        response = self.client.post(url, data=payload,
+                                    content_type='application/x-www-form-urlencoded')
+        self.assertEqual(response.status_code, 200)
diff --git a/api/urls.py b/api/urls.py
@@ -169,10 +169,14 @@
 
   Create a new User.
 
-.. http:delete:: /v1/auth/register/
+.. http:delete:: /v1/auth/cancel/
 
   Destroy the logged-in User.
 
+.. http:post:: /v1/auth/passwd/
+
+  Update the password of the logged-in User.
+
 .. http:get:: /v1/auth/login/
 
   Generate an API key.
@@ -272,7 +276,9 @@
     url(r'^auth/register/?',
         views.UserRegistrationView.as_view({'post': 'create'})),
     url(r'^auth/cancel/?',
-        views.UserCancellationView.as_view({'delete': 'destroy'})),
+        views.UserManagementView.as_view({'delete': 'destroy'})),
+    url(r'^auth/passwd/?',
+        views.UserManagementView.as_view({'post': 'passwd'})),
     url(r'^auth/login/',
         'rest_framework.authtoken.views.obtain_auth_token'),
     # admin sharing
diff --git a/api/views.py b/api/views.py
@@ -58,11 +58,20 @@ def pre_save(self, obj):
             obj.is_superuser = obj.is_staff = True
 
 
-class UserCancellationView(viewsets.GenericViewSet,
-                           viewsets.mixins.DestroyModelMixin):
+class UserManagementView(viewsets.GenericViewSet,
+                         viewsets.mixins.CreateModelMixin,
+                         viewsets.mixins.DestroyModelMixin):
     model = User
     permission_classes = (permissions.IsAuthenticated,)
 
+    def passwd(self, request, *args, **kwargs):
+        obj = self.request.user
+        if not obj.check_password(request.DATA['password']):
+            return Response("Current password did not match", status=status.HTTP_400_BAD_REQUEST)
+        obj.set_password(request.DATA['new_password'])
+        obj.save()
+        return Response({'status': 'password set'})
+
     def destroy(self, request, *args, **kwargs):
         obj = self.request.user
         obj.delete()
