Merge pull request #55 from stan-sack/dont_require_usable_pword

anx-ckreuzberger · web-flow · commit f352046daf5f · 2019-07-29T12:43:56.000+02:00
Add setting to not require users to have usable password
diff --git a/README.md b/README.md
@@ -64,6 +64,9 @@ The following settings can be set in Djangos ``settings.py`` file:
 * `DJANGO_REST_MULTITOKENAUTH_RESET_TOKEN_EXPIRY_TIME` - time in hours about how long the token is active (Default: 24)
 
   **Please note**: expired tokens are automatically cleared based on this setting in every call of ``ResetPasswordRequestToken.post``.
+
+* `DJANGO_REST_MULTITOKENAUTH_REQUIRE_USABLE_PASSWORD` - allows password reset for a user that does not 
+  [have a usable password](https://docs.djangoproject.com/en/2.2/ref/contrib/auth/#django.contrib.auth.models.User.has_usable_password) (Default: True)
  
 ### Signals
 
diff --git a/django_rest_passwordreset/models.py b/django_rest_passwordreset/models.py
@@ -2,6 +2,7 @@
 from django.db import models
 from django.utils.encoding import python_2_unicode_compatible
 from django.utils.translation import ugettext_lazy as _
+from django.contrib.auth import get_user_model
 
 from django_rest_passwordreset.tokens import get_token_generator
 
@@ -102,3 +103,19 @@ def clear_expired(expiry_time):
     :param expiry_time: Token expiration time
     """
     ResetPasswordToken.objects.filter(created_at__lte=expiry_time).delete()
+
+def eligible_for_reset(self):
+    if not self.is_active:
+        # if the user is active we dont bother checking
+        return False
+ 
+    if getattr(settings, 'DJANGO_REST_MULTITOKENAUTH_REQUIRE_USABLE_PASSWORD', True):
+        # if we require a usable password then return the result of has_usable_password()
+        return self.has_usable_password()
+    else:
+        # otherwise return True because we dont care about the result of has_usable_password()
+        return True
+
+# add eligible_for_reset to the user class
+UserModel = get_user_model()
+UserModel.add_to_class("eligible_for_reset", eligible_for_reset)
diff --git a/django_rest_passwordreset/views.py b/django_rest_passwordreset/views.py
@@ -55,8 +55,8 @@ def post(self, request, *args, **kwargs):
             reset_password_token.delete()
             return Response({'status': 'expired'}, status=status.HTTP_404_NOT_FOUND)
 
-        # change users password
-        if reset_password_token.user.has_usable_password():
+        # change users password (if we got to this code it means that the user is_active)
+        if reset_password_token.user.eligible_for_reset():
             pre_password_reset.send(sender=self.__class__, user=reset_password_token.user)
             try:
                 # validate the password against existing validators
@@ -114,7 +114,7 @@ def post(self, request, *args, **kwargs):
         # also check whether the password can be changed (is useable), as there could be users that are not allowed
         # to change their password (e.g., LDAP user)
         for user in users:
-            if user.is_active and user.has_usable_password():
+            if user.eligible_for_reset():
                 active_user_found = True
 
         # No active user found, raise a validation error
@@ -127,7 +127,7 @@ def post(self, request, *args, **kwargs):
         # last but not least: iterate over all users that are active and can change their password
         # and create a Reset Password Token and send a signal with the created token
         for user in users:
-            if user.is_active and user.has_usable_password():
+            if user.eligible_for_reset():
                 # define the token as none for now
                 token = None
 
diff --git a/tests/test/test_auth_test_case.py b/tests/test/test_auth_test_case.py
@@ -17,6 +17,7 @@ def setUp(self):
         self.user1 = User.objects.create_user("user1", "user1@mail.com", "secret1")
         self.user2 = User.objects.create_user("user2", "user2@mail.com", "secret2")
         self.user3 = User.objects.create_user("user3@mail.com", "not-that-mail@mail.com", "secret3")
+        self.user4 = User.objects.create_user("user4", "user4@mail.com")
 
     def test_try_reset_password_email_does_not_exist(self):
         """ Tests requesting a token for an email that does not exist """
@@ -225,3 +226,56 @@ def test_signals(self,
         # now the other two signals should have been called
         self.assertTrue(mock_post_password_reset.called)
         self.assertTrue(mock_pre_password_reset.called)
+
+    def test_user_without_password(self):
+        """ Tests requesting a token for an email without a password doesn't work"""
+        response = self.rest_do_request_reset_token(email="user4@mail.com")
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        decoded_response = json.loads(response.content.decode())
+        # response should have "email" in it
+        self.assertTrue("email" in decoded_response)
+
+    @override_settings(DJANGO_REST_MULTITOKENAUTH_REQUIRE_USABLE_PASSWORD=False)
+    @patch('django_rest_passwordreset.signals.reset_password_token_created.send')
+    def test_user_without_password_where_not_required(self, mock_reset_password_token_created):
+        """ Tests requesting a token for an email without a password works when not required"""
+        response = self.rest_do_request_reset_token(email="user4@mail.com")
+        decoded_response = json.loads(response.content.decode())
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        # check that the signal was sent once
+        self.assertTrue(mock_reset_password_token_created.called)
+        self.assertEqual(mock_reset_password_token_created.call_count, 1)
+        last_reset_password_token = mock_reset_password_token_created.call_args[1]['reset_password_token']
+        self.assertNotEqual(last_reset_password_token.key, "")
+
+        # there should be one token
+        self.assertEqual(ResetPasswordToken.objects.all().count(), 1)
+
+        # if the same user tries to reset again, the user will get the same token again
+        response = self.rest_do_request_reset_token(email="user4@mail.com")
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(mock_reset_password_token_created.call_count, 2)
+        last_reset_password_token = mock_reset_password_token_created.call_args[1]['reset_password_token']
+        self.assertNotEqual(last_reset_password_token.key, "")
+
+        # there should be one token
+        self.assertEqual(ResetPasswordToken.objects.all().count(), 1)
+        # and it should be assigned to user1
+        self.assertEqual(
+            ResetPasswordToken.objects.filter(key=last_reset_password_token.key).first().user.username,
+            "user4"
+        )
+
+        # try to reset the password
+        response = self.rest_do_reset_password_with_token(last_reset_password_token.key, "new_secret")
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        # there should be zero tokens
+        self.assertEqual(ResetPasswordToken.objects.all().count(), 0)
+
+        # try to login with the new username/Password (should work)
+        self.assertTrue(
+            self.django_check_login("user4", "new_secret"),
+            msg="User 4 should be able to login with the modified credentials"
+        )
+
