Canonical SSO provider

Merge lp:~canonical-isd-hackers/canonical-identity-provider/bug-816622 into lp:canonical-identity-provider/release

  1. bug-816622
  2. Merge into trunk
Proposed by Łukasz Czyżykowski
Status: Merged
Approved by: Ricardo Kirkner
Approved revision: no longer in the source branch.
Merged at revision: 219
Proposed branch: lp:~canonical-isd-hackers/canonical-identity-provider/bug-816622
Merge into: lp:canonical-identity-provider/release
Diff against target: 50 lines (+20/-2)
2 files modified
identityprovider/forms.py (+11/-2)
identityprovider/tests/test_views_ui.py (+9/-0)
To merge this branch: bzr merge lp:~canonical-isd-hackers/canonical-identity-provider/bug-816622
Reviewer Review Type Date Requested Status
Ricardo Kirkner (community) Needs Fixing
Review via email: mp+72890@code.launchpad.net

Commit message

Fix bug #816622: Users can login with unverified e-mail addresses

Description of the change

Overview
========
This branch fixes Bug: 816622, which was allowing users to log in to
SSO with an email account which was not yet verified.

Details
=======
The reason of this bug showing up is that there is a discrepancy
between API and Web. In the API it's possible to log in to an account
without verifying the email first. It was never the case for the
web. When working on limiting the number of queries and consolidating
codebase, one method is being used for both of those scenarios and the
change have made the behaviour consistent.

The change explicitly prevents logging in with email with status
'NEW' in the ``LoginForm``.

To test it follow instructions in ``README`` and then run ``$ fab test``.

To post a comment you must log in.
Revision history for this message
Ricardo Kirkner (ricardokirkner) wrote :

LGTM, except that the original code verified email status against VALIDATED, OLD and PREFERRED instead of not NEW.
I think since this is a regression, we should keep the same condition check.

review: Needs Fixing

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'identityprovider/forms.py'
2--- identityprovider/forms.py 2011-08-05 09:42:18 +0000
3+++ identityprovider/forms.py 2011-08-25 13:30:25 +0000
4@@ -62,6 +62,9 @@
5 email = self.cleaned_data['email']
6 password = self.cleaned_data['password']
7
8+ password_error = forms.ValidationError(
9+ mark_safe(_("Password didn't match.")))
10+
11 account = auth.authenticate(username=email, password=password)
12 if account is None:
13 account = Account.objects.get_by_email(email)
14@@ -69,8 +72,14 @@
15 raise forms.ValidationError(_("Your account has been "
16 "deactivated"))
17 else:
18- raise forms.ValidationError(
19- mark_safe(_("Password didn't match.")))
20+ raise password_error
21+
22+ # Check that the email used for logging in is not 'NEW'. It's
23+ # possible to use it to log in to the SSO with API, but not through
24+ # web.
25+ email_obj = account.emailaddress_set.get(email=email)
26+ if email_obj.status == EmailStatus.NEW:
27+ raise password_error
28
29 # Pass account to the view, as it's already authenticated and
30 # there's no good reason to do exactly the same call there.
31
32=== modified file 'identityprovider/tests/test_views_ui.py'
33--- identityprovider/tests/test_views_ui.py 2011-08-10 19:31:53 +0000
34+++ identityprovider/tests/test_views_ui.py 2011-08-25 13:30:25 +0000
35@@ -176,6 +176,15 @@
36 'password': 'test'})
37 self.assertRedirects(r, '/')
38
39+ def test_login_with_not_validated_email(self):
40+ """Preventing regression for bug 816622"""
41+ account = Account.objects.get_by_email("mark@example.com")
42+ account.emailaddress_set.create(
43+ email="mark-2@example.com", status=EmailStatus.NEW)
44+ r = self.client.post('/+login', {'email': 'mark-2@example.com',
45+ 'password': 'test'})
46+ self.assertFormError(r, 'form', None, "Password didn't match.")
47+
48 def test_logout(self):
49 self.authenticate()
50 r = self.client.get('/+logout')