Now anonymous users can confirm the change of email even if they are not authenticated, some users update the email from a desktop browser but check the email from mobile

2015-06-12 08:50:32 +02:00 · 2015-06-12 08:50:32 +02:00 · e54802f0b1
parent ccd1a9cdd9
commit e54802f0b1
3 changed files with 20 additions and 6 deletions
--- a/taiga/users/permissions.py
+++ b/taiga/users/permissions.py
@ -44,7 +44,7 @@ class UserPermission(TaigaResourcePermission):
    me_perms = IsAuthenticated()
    remove_avatar_perms = IsAuthenticated()
    starred_perms = AllowAny()
-    change_email_perms = IsTheSameUser()
+    change_email_perms = AllowAny()
    contacts_perms = AllowAny()


--- a/tests/integration/resources_permissions/test_users_resources.py
+++ b/tests/integration/resources_permissions/test_users_resources.py
@ -272,9 +272,10 @@ def test_user_action_password_recovery(client, data):
 def test_user_action_change_email(client, data):
    url = reverse('users-change-email')

-    data.registered_user.email_token = "test-token"
-    data.registered_user.new_email = "new@email.com"
-    data.registered_user.save()
+    def after_each_request():
+        data.registered_user.email_token = "test-token"
+        data.registered_user.new_email = "new@email.com"
+        data.registered_user.save()

    users = [
        None,
@ -283,5 +284,6 @@ def test_user_action_change_email(client, data):
    ]

    patch_data = json.dumps({"email_token": "test-token"})
-    results = helper_test_http_method(client, 'post', url, patch_data, users)
-    assert results == [401, 204, 400]
+    after_each_request()
+    results = helper_test_http_method(client, 'post', url, patch_data, users, after_each_request=after_each_request)
+    assert results == [204, 204, 204]
--- a/tests/integration/test_users.py
+++ b/tests/integration/test_users.py
@ -93,6 +93,18 @@ def test_validate_requested_email_change(client):
    assert user.new_email is None
    assert user.email == "new@email.com"

+def test_validate_requested_email_change_for_anonymous_user(client):
+    user = f.UserFactory.create(email_token="change_email_token", new_email="new@email.com")
+    url = reverse('users-change-email')
+    data = {"email_token": "change_email_token"}
+
+    response = client.post(url, json.dumps(data), content_type="application/json")
+
+    assert response.status_code == 204
+    user = models.User.objects.get(pk=user.id)
+    assert user.email_token is None
+    assert user.new_email is None
+    assert user.email == "new@email.com"

 def test_validate_requested_email_change_without_token(client):
    user = f.UserFactory.create(email_token="change_email_token", new_email="new@email.com")