Disallow password resets for deactivated accounts.
Ensure all responses to password reset events are identical.
This commit is contained in:
parent
d6e979aebe
commit
cbf7f0e029
|
@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers
|
- Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers
|
||||||
- Mastodon API: Timelines hanging for (`number of posts with links * rich media timeout`) in the worst case.
|
- Mastodon API: Timelines hanging for (`number of posts with links * rich media timeout`) in the worst case.
|
||||||
Reduced to just rich media timeout.
|
Reduced to just rich media timeout.
|
||||||
|
- Password resets no longer processed for deactivated accounts
|
||||||
|
|
||||||
## [2.1.0] - 2020-08-28
|
## [2.1.0] - 2020-08-28
|
||||||
|
|
||||||
|
|
|
@ -59,17 +59,11 @@ def logout(conn, _) do
|
||||||
def password_reset(conn, params) do
|
def password_reset(conn, params) do
|
||||||
nickname_or_email = params["email"] || params["nickname"]
|
nickname_or_email = params["email"] || params["nickname"]
|
||||||
|
|
||||||
with {:ok, _} <- TwitterAPI.password_reset(nickname_or_email) do
|
TwitterAPI.password_reset(nickname_or_email)
|
||||||
conn
|
|
||||||
|> put_status(:no_content)
|
|
||||||
|> json("")
|
|
||||||
else
|
|
||||||
{:error, "unknown user"} ->
|
|
||||||
send_resp(conn, :not_found, "")
|
|
||||||
|
|
||||||
{:error, _} ->
|
conn
|
||||||
send_resp(conn, :bad_request, "")
|
|> put_status(:no_content)
|
||||||
end
|
|> json("")
|
||||||
end
|
end
|
||||||
|
|
||||||
defp local_mastodon_root_path(conn) do
|
defp local_mastodon_root_path(conn) do
|
||||||
|
|
|
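Review bot: The return value of `TwitterAPI.password_reset/1` on the new side of `password_reset/2` is silently dropped, and nothing at the call site says why the status is now fixed at 204 regardless of outcome, so a later maintainer could reintroduce an error branch and re-enable account enumeration. I would make the intent explicit with `_ = TwitterAPI.password_reset(nickname_or_email)` and the comment `# Deliberately ignore the result: the response must be identical whether the account exists, is remote, or is deactivated.` above it. Genuine internal failures (for example token creation errors) then belong in server-side logging inside `TwitterAPI.password_reset/1`, never in the HTTP status or body.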
@ -72,7 +72,7 @@ defp maybe_notify_admins(%User{} = account) do
|
||||||
|
|
||||||
def password_reset(nickname_or_email) do
|
def password_reset(nickname_or_email) do
|
||||||
with true <- is_binary(nickname_or_email),
|
with true <- is_binary(nickname_or_email),
|
||||||
%User{local: true, email: email} = user when is_binary(email) <-
|
%User{local: true, email: email, deactivated: false} = user when is_binary(email) <-
|
||||||
User.get_by_nickname_or_email(nickname_or_email),
|
User.get_by_nickname_or_email(nickname_or_email),
|
||||||
{:ok, token_record} <- Pleroma.PasswordResetToken.create_token(user) do
|
{:ok, token_record} <- Pleroma.PasswordResetToken.create_token(user) do
|
||||||
user
|
user
|
||||||
|
@ -81,17 +81,8 @@ def password_reset(nickname_or_email) do
|
||||||
|
|
||||||
{:ok, :enqueued}
|
{:ok, :enqueued}
|
||||||
else
|
else
|
||||||
false ->
|
_ ->
|
||||||
{:error, "bad user identifier"}
|
|
||||||
|
|
||||||
%User{local: true, email: nil} ->
|
|
||||||
{:ok, :noop}
|
{:ok, :noop}
|
||||||
|
|
||||||
%User{local: false} ->
|
|
||||||
{:error, "remote user"}
|
|
||||||
|
|
||||||
nil ->
|
|
||||||
{:error, "unknown user"}
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
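Review bot: The new catch-all `_ -> {:ok, :noop}` in the `else` of `password_reset/1` also swallows `{:error, _}` from `Pleroma.PasswordResetToken.create_token/1`, which is an internal failure rather than an enumeration case, so a broken token insert becomes invisible to operators while the function still reports success. I would keep the uniform return value but log that one case ahead of the wildcard, e.g. `{:error, _reason} ->` / `Logger.error("password reset: token creation failed")` / `{:ok, :noop}` (with `require Logger` in the module if it is not already present; avoid inspecting the changeset, which may carry the token). Note also that an identical return only equalises the result, not the work done: the successful path writes a token and enqueues mail while every other path returns immediately, so response timing may still differ between existing and non-existing accounts — worth a comment so nobody assumes the endpoint is fully enumeration-proof. The body of `password_reset/1` between the two hunks is outside this view.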
@ -122,17 +122,27 @@ test "it doesn't fail when a user has no email", %{conn: conn} do
|
||||||
{:ok, user: user}
|
{:ok, user: user}
|
||||||
end
|
end
|
||||||
|
|
||||||
test "it returns 404 when user is not found", %{conn: conn, user: user} do
|
test "it returns 204 when user is not found", %{conn: conn, user: user} do
|
||||||
conn = post(conn, "/auth/password?email=nonexisting_#{user.email}")
|
conn = post(conn, "/auth/password?email=nonexisting_#{user.email}")
|
||||||
assert conn.status == 404
|
|
||||||
assert conn.resp_body == ""
|
assert conn
|
||||||
|
|> json_response(:no_content)
|
||||||
end
|
end
|
||||||
|
|
||||||
test "it returns 400 when user is not local", %{conn: conn, user: user} do
|
test "it returns 204 when user is not local", %{conn: conn, user: user} do
|
||||||
{:ok, user} = Repo.update(Ecto.Changeset.change(user, local: false))
|
{:ok, user} = Repo.update(Ecto.Changeset.change(user, local: false))
|
||||||
conn = post(conn, "/auth/password?email=#{user.email}")
|
conn = post(conn, "/auth/password?email=#{user.email}")
|
||||||
assert conn.status == 400
|
|
||||||
assert conn.resp_body == ""
|
assert conn
|
||||||
|
|> json_response(:no_content)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "it returns 204 when user is deactivated", %{conn: conn, user: user} do
|
||||||
|
{:ok, user} = Repo.update(Ecto.Changeset.change(user, deactivated: true, local: true))
|
||||||
|
conn = post(conn, "/auth/password?email=#{user.email}")
|
||||||
|
|
||||||
|
assert conn
|
||||||
|
|> json_response(:no_content)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
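Review bot: The new `it returns 204 when user is deactivated` test asserts only the HTTP status, which after this change is identical for every input, so it would still pass if the `deactivated: false` match were removed again; the status no longer distinguishes the behaviour under test. Assert the side effect too, e.g. after the `post` add `refute Repo.get_by(Pleroma.PasswordResetToken, user_id: user.id)` (assuming the token schema carries a `user_id` field — adjust to its actual column), and in the happy-path test assert that a token is created. The same gap applies to the rewritten `not found` and `not local` tests in this hunk.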