Refactor API key reset as part of settings form

This adds core CSRF protection to the reset functionality.

babybuddy/templates/babybuddy/user_settings_form.html

@@ -81,12 +81,12 @@ <h1>{% trans "User Settings" %}</h1>
                     <label for="id_email" class="col-sm-2 col-form-label">{% trans "Key" %}</label>
                     <div class="col-sm-10">
                         <samp>{{ user.settings.api_key }}</samp>
-                        <a class="btn btn-xs btn-danger" href="{% url 'babybuddy:user-reset-api-key' %}">{% trans "Regenerate" %}</a>
+                        <input type="submit" name="api_key_regenerate" value="{% trans "Regenerate" %}" class="btn btn-danger btn-xs" />
                     </div>
                 </div>
             </fieldset>
             <input type="hidden" name="next" value="{% url 'babybuddy:user-settings' %}" />
-            <button type="submit" class="btn btn-primary">{% trans "Submit" %}</button>
+            <input type="submit" name="save_settings" value="{% trans "Submit" %}" class="btn btn-primary">
         </form>
     </div>
 {% endblock %}

babybuddy/tests/tests_forms.py

@@ -104,6 +104,21 @@ def test_user_settings(self):
         self.assertEqual(page.status_code, 200)
         self.assertContains(page, 'New First Name')
 
+    def test_user_regenerate_api_key(self):
+        self.c.login(**self.credentials)
+
+        api_key_before = User.objects.get(pk=self.user.id).settings.api_key()
+
+        params = self.settings_template.copy()
+        params['api_key_regenerate'] = 'Regenerate'
+
+        page = self.c.post('/user/settings/', params, follow=True)
+        self.assertEqual(page.status_code, 200)
+        self.assertNotEqual(
+            api_key_before,
+            User.objects.get(pk=self.user.id).settings.api_key()
+        )
+
     def test_user_settings_invalid(self):
         self.c.login(**self.credentials)
 

babybuddy/tests/tests_views.py

@@ -45,15 +45,6 @@ def test_rolling_sessions(self):
         self.assertNotEqual(session1, session2)
         self.assertEqual(session2, session3)
 
-    def test_user_reset_api_key(self):
-        api_key_before = User.objects.get(pk=self.user.id).settings.api_key()
-        page = self.c.get('/user/reset-api-key/')
-        self.assertEqual(page.status_code, 302)
-        self.assertNotEqual(
-            api_key_before,
-            User.objects.get(pk=self.user.id).settings.api_key()
-        )
-
     def test_user_settings(self):
         page = self.c.get('/user/settings/')
         self.assertEqual(page.status_code, 200)

babybuddy/urls.py

@@ -37,11 +37,6 @@
         views.UserPassword.as_view(),
         name='user-password'
     ),
-    path(
-        'user/reset-api-key/',
-        views.UserResetAPIKey.as_view(),
-        name='user-reset-api-key'
-    ),
     path(
         'user/settings/',
         views.UserSettings.as_view(),

babybuddy/views.py

@@ -103,16 +103,6 @@ def post(self, request):
         return render(request, self.template_name, {'form': form})
 
 
-class UserResetAPIKey(LoginRequiredMixin, View):
-    """
-    Resets the API key of the logged in user.
-    """
-    def get(self, request):
-        request.user.settings.api_key(reset=True)
-        messages.success(request, _('User API key regenerated.'))
-        return redirect('babybuddy:user-settings')
-
-
 class UserSettings(LoginRequiredMixin, View):
     """
     Handles both the User and Settings models.
@@ -130,6 +120,11 @@ def get(self, request):
         })
 
     def post(self, request):
+        if request.POST.get('api_key_regenerate'):
+            request.user.settings.api_key(reset=True)
+            messages.success(request, _('User API key regenerated.'))
+            return redirect('babybuddy:user-settings')
+
         form_user = self.form_user_class(
             instance=request.user,
             data=request.POST)