MAAS

Merge ~vtapia/maas:lp1894727-28 into maas:2.8

Git
lp:~vtapia/maas
lp1894727-28
Merge into 2.8

Proposed by Victor Tapia on 2021-01-29

Status:

Merged

Approved by:

Adam Collard on 2021-02-03

Approved revision:

41737a6fdf7ff6ff8bb89db00b082755b7c1e407

Merge reported by:

MAAS Lander

Merged at revision:

not available

Proposed branch:

~vtapia/maas:lp1894727-28

Merge into:

maas:2.8

Diff against target:

107 lines (+76/-1)

2 files modified

src/maasserver/websockets/handlers/tests/test_user.py (+60/-0)
src/maasserver/websockets/handlers/user.py (+16/-1)

Critical

Fix Released

Link a bug report

Reviewer	Date Requested	Status
Adam Collard (community)	2021-01-29	Approve on 2021-02-03
MAAS Lander		Approve on 2021-02-02
Review via email: mp+397131@code.launchpad.net

Commit message

LP 1894727: Add websocket endpoint for superusers to change password

Description of the change

Backport of commit 839b79338aa10b81af55047f857cbc7499c9c29b in master

Revision history for this message

MAAS Lander (maas-lander) wrote on 2021-01-29:

UNIT TESTS
-b lp1894727-28 lp:~vtapia/maas/+git/maas into -b 2.8 lp:~maas-committers/maas

STATUS: FAILED
LOG: http://maas-ci.internal:8080/job/maas/job/branch-tester/9119/console
COMMIT: 73ffa6762403f41186e41ed006717ce555b895ce

review: Needs Fixing

~vtapia/maas:lp1894727-28 updated on 2021-02-02

41737a6... by Victor Tapia on 2021-02-02: Fix test format

Revision history for this message

MAAS Lander (maas-lander) wrote on 2021-02-02:

UNIT TESTS
-b lp1894727-28 lp:~vtapia/maas/+git/maas into -b 2.8 lp:~maas-committers/maas

STATUS: SUCCESS
COMMIT: 41737a6fdf7ff6ff8bb89db00b082755b7c1e407

review: Approve

Revision history for this message

Adam Collard (adam-collard) on 2021-02-03:

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

MAAS Committers

Matvej Jurbin

Shane Holloman

Victor Tapia

 diff --git a/src/maasserver/websockets/handlers/tests/test_user.py b/src/maasserver/websockets/handlers/tests/test_user.py
 index f62c79c..3311922 100644
 --- a/src/maasserver/websockets/handlers/tests/test_user.py
 +++ b/src/maasserver/websockets/handlers/tests/test_user.py
@@ -396,3 +396,63 @@ class TestUserHandler(MAASServerTestCase):
+         )
          self.assertEqual(self.dehydrate_user(user, for_self=True), observed)
          self.assertTrue(user.check_password("newpassword"))
++
++    def test_change_other_users_password_as_admin(self):
++        admin_user = factory.make_admin()
++        handler = UserHandler(admin_user, {}, None)
++        user = factory.make_User()
++
++        response = handler.admin_change_password(
++            {
++                "id": user.id,
++                "password1": "newpassword",
++                "password2": "newpassword",
++            }
++        )
++        user = reload_object(user)
++
++        self.assertIsNone(response)
++        self.assertTrue(
++            user.check_password("newpassword"),
++            "Password not correctly changed",
++        )
++
++    def test_cannot_change_other_users_password_as_unprivileged(self):
++        unprivileged_user = factory.make_User()
++        handler = UserHandler(unprivileged_user, {}, None)
++        user = factory.make_User()
++
++        self.assertRaises(
++            HandlerPermissionError,
++            handler.admin_change_password,
++            {
++                "id": user.id,
++                "password1": "newpassword",
++                "password2": "newpassword",
++            },
++        )
++
++    def test_cannot_change_own_password_as_unprivileged_using_admin(self):
++        unprivileged_user = factory.make_User()
++        handler = UserHandler(unprivileged_user, {}, None)
++
++        self.assertRaises(
++            HandlerPermissionError,
++            handler.admin_change_password,
++            {
++                "id": unprivileged_user.id,
++                "password1": "newpassword",
++                "password2": "newpassword",
++            },
++        )
++
++    def test_cannot_change_other_users_password_as_admin_bad_password(self):
++        admin_user = factory.make_admin()
++        handler = UserHandler(admin_user, {}, None)
++        user = factory.make_User()
++
++        self.assertRaises(
++            HandlerValidationError,
++            handler.admin_change_password,
++            {"id": user.id, "password1": "foo", "password2": "bar"},
++        )
 diff --git a/src/maasserver/websockets/handlers/user.py b/src/maasserver/websockets/handlers/user.py
 index cba0ce6..7109aed 100644
 --- a/src/maasserver/websockets/handlers/user.py
 +++ b/src/maasserver/websockets/handlers/user.py
@@ -5,7 +5,10 @@
  __all__ = ["UserHandler"]
--from django.contrib.auth.forms import PasswordChangeForm
++from django.contrib.auth.forms import (
++    AdminPasswordChangeForm,
++    PasswordChangeForm,
++)
  from django.contrib.auth.models import User
  from django.db.models import Count
  from django.http import HttpRequest
@@ -51,6 +54,7 @@ class UserHandler(Handler):
              "auth_user",
              "mark_intro_complete",
              "change_password",
++            "admin_change_password",
+         ]
          fields = [
              "id",
@@ -208,3 +212,14 @@ class UserHandler(Handler):
              return self.full_dehydrate(self.user)
          else:
              raise HandlerValidationError(form.errors)
++
++    def admin_change_password(self, params):
++        """As Admin, update another user's password."""
++        if not self.user.is_superuser:
++            raise HandlerPermissionError()
++        user = self.get_object(params)
++        form = AdminPasswordChangeForm(user=user, data=get_QueryDict(params))
++        if form.is_valid():
++            form.save()
++        else:
++            raise HandlerValidationError(form.errors)