Merge pull request #1220 from userlocalhost/feature/user/prohibit_to_change_password

Added safety processing to prevent changing user password when PASSWORD_RESET_DISABLED is set

Author: hinashi

airone/lib/test.py

@@ -1,3 +1,4 @@
+import functools
 import inspect
 import os
 import sys
@@ -188,3 +189,31 @@ def __enter__(self):
     def __exit__(self, *arg, **kwargs):
         sys.stderr = self.tmp_stderr
         self.f.close()
+
+
+def with_airone_settings(info={}):
+    """
+    This update AIRONE.settings parameter duing running test and retrieve it
+    after running test.
+    """
+
+    def _with_settings(method):
+        @functools.wraps(method)
+        def wrapper(*args, **kwargs):
+            # This evacuates original values in settings.AIRONE and set specified one
+            evacuation_place = {}
+            for k, v in info.items():
+                evacuation_place[k] = settings.AIRONE.get(k)
+                settings.AIRONE[k] = v
+
+            # Run test case
+            method(*args, **kwargs)
+
+            # Revert original configuration that were set in the settings.AIRONE
+            for k, v in evacuation_place.items():
+                if v:
+                    settings.AIRONE[k] = v
+
+        return wrapper
+
+    return _with_settings

user/api_v2/serializers.py

@@ -1,14 +1,15 @@
 from datetime import timedelta
 from typing import Dict, TypedDict
 
+from django.conf import settings
 from django.contrib.auth import password_validation
 from django.contrib.auth.tokens import default_token_generator
 from django.core.exceptions import ValidationError as DjangoCoreValidationError
 from django.utils.http import urlsafe_base64_decode
 from drf_spectacular.utils import extend_schema_field
 from rest_framework import serializers
 from rest_framework.authtoken.models import Token
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 
 from airone.auth.ldap import LDAPBackend
 from user.models import User
@@ -163,6 +164,11 @@ def validate(self, attrs: Dict):
         request = self.context["request"]
         user = self.context["user"]
 
+        # When PASSWORD_RESET_DISABLED is set in the settings.AIRONE
+        # request shouldn't be accepted.
+        if settings.AIRONE.get("PASSWORD_RESET_DISABLED"):
+            raise PermissionDenied("It is not allowed to change password")
+
         # Identification
         if int(request.user.id) != int(user.id):
             raise ValidationError("You don't have permission to access this object")

user/tests/test_api_v2.py

@@ -8,7 +8,7 @@
 from django.utils.http import urlsafe_base64_encode
 from rest_framework.authtoken.models import Token
 
-from airone.lib.test import AironeViewTest
+from airone.lib.test import AironeViewTest, with_airone_settings
 from group.models import Group
 from user.models import User
 
@@ -313,6 +313,33 @@ def test_patch_user_password(self):
         self.assertIsNotNone(updated_user)
         self.assertTrue(updated_user.check_password(new_passwd))
 
+    @with_airone_settings(
+        {
+            "PASSWORD_RESET_DISABLED": True,
+        }
+    )
+    def test_patch_user_password_when_PASSWORD_RESET_DISABLED_is_set(self):
+        user = self.guest_login()
+        old_passwd = user.username
+        new_passwd = "new-passwd"
+
+        params = {
+            "old_passwd": old_passwd,
+            "new_passwd": new_passwd,
+            "chk_passwd": new_passwd,
+        }
+        resp = self.client.patch(
+            "/user/api/v2/%d/edit_passwd" % user.id, json.dumps(params), "application/json"
+        )
+        self.assertEqual(resp.status_code, 403)
+
+        # check password wasn't changed
+        self.assertEqual(
+            resp.json(), {"message": "It is not allowed to change password", "code": "AE-210000"}
+        )
+        self.assertFalse(user.check_password(new_passwd))
+        self.assertTrue(user.check_password(old_passwd))
+
     def test_patch_user_password_with_invalid_params(self):
         user = self.guest_login()
         old_passwd = user.username