fix(passwd): raise 400 when password is not a parameter (#850)

Joshua-Anderson · web-flow · commit c91f361d4842 · 2016-08-08T09:03:25.000-07:00
diff --git a/rootfs/api/tests/test_auth.py b/rootfs/api/tests/test_auth.py
@@ -258,10 +258,20 @@ def test_passwd(self):
         url = '/v2/auth/register'
         response = self.client.post(url, submit)
         self.assertEqual(response.status_code, 201, response.data)
-        # change password
+        # change password without new password
         url = '/v2/auth/passwd'
         user = User.objects.get(username=username)
         token = Token.objects.get(user=user).key
+        response = self.client.post(url, {},
+                                    HTTP_AUTHORIZATION='token {}'.format(token))
+        self.assertEqual(response.status_code, 400, response.data)
+        self.assertEqual(response.data, {'detail': 'new_password is a required field'})
+        # change password without password field
+        response = self.client.post(url, {'new_password': 'test'},
+                                    HTTP_AUTHORIZATION='token {}'.format(token))
+        self.assertEqual(response.status_code, 400, response.data)
+        self.assertEqual(response.data, {'detail': 'password is a required field'})
+        # change password
         submit = {
             'password': 'password2',
             'new_password': password,
diff --git a/rootfs/api/views.py b/rootfs/api/views.py
@@ -93,6 +93,9 @@ def destroy(self, request, **kwargs):
         return Response(status=status.HTTP_204_NO_CONTENT)
 
     def passwd(self, request, **kwargs):
+        if not request.data.get('new_password'):
+            raise DeisException("new_password is a required field")
+
         caller_obj = self.get_object()
         target_obj = self.get_object()
         if request.data.get('username'):
@@ -102,7 +105,9 @@ def passwd(self, request, **kwargs):
             else:
                 raise PermissionDenied()
 
-        if request.data.get('password') or not caller_obj.is_superuser:
+        if not caller_obj.is_superuser:
+            if not request.data.get('password'):
+                raise DeisException("password is a required field")
             if not target_obj.check_password(request.data['password']):
                 raise AuthenticationFailed('Current password does not match')
 
