From 1689bc8e203803869009d0c5c9397dafef2d70f1 Mon Sep 17 00:00:00 2001 From: "Christopher C. Wells" Date: Mon, 21 Jun 2021 21:27:45 -0700 Subject: [PATCH] Refactor API key reset as part of settings form This adds core CSRF protection to the reset functionality. --- .../templates/babybuddy/user_settings_form.html | 4 ++-- babybuddy/tests/tests_forms.py | 15 +++++++++++++++ babybuddy/tests/tests_views.py | 9 --------- babybuddy/urls.py | 5 ----- babybuddy/views.py | 15 +++++---------- 5 files changed, 22 insertions(+), 26 deletions(-) diff --git a/babybuddy/templates/babybuddy/user_settings_form.html b/babybuddy/templates/babybuddy/user_settings_form.html index 2bb91a7bb..b7b99bf98 100644 --- a/babybuddy/templates/babybuddy/user_settings_form.html +++ b/babybuddy/templates/babybuddy/user_settings_form.html @@ -81,12 +81,12 @@

{% trans "User Settings" %}

{{ user.settings.api_key }} - {% trans "Regenerate" %} +
- + {% endblock %} diff --git a/babybuddy/tests/tests_forms.py b/babybuddy/tests/tests_forms.py index fa102d50b..7aaf0d67e 100644 --- a/babybuddy/tests/tests_forms.py +++ b/babybuddy/tests/tests_forms.py @@ -104,6 +104,21 @@ def test_user_settings(self): self.assertEqual(page.status_code, 200) self.assertContains(page, 'New First Name') + def test_user_regenerate_api_key(self): + self.c.login(**self.credentials) + + api_key_before = User.objects.get(pk=self.user.id).settings.api_key() + + params = self.settings_template.copy() + params['api_key_regenerate'] = 'Regenerate' + + page = self.c.post('/user/settings/', params, follow=True) + self.assertEqual(page.status_code, 200) + self.assertNotEqual( + api_key_before, + User.objects.get(pk=self.user.id).settings.api_key() + ) + def test_user_settings_invalid(self): self.c.login(**self.credentials) diff --git a/babybuddy/tests/tests_views.py b/babybuddy/tests/tests_views.py index cf3475e3b..8bd0976b1 100644 --- a/babybuddy/tests/tests_views.py +++ b/babybuddy/tests/tests_views.py @@ -45,15 +45,6 @@ def test_rolling_sessions(self): self.assertNotEqual(session1, session2) self.assertEqual(session2, session3) - def test_user_reset_api_key(self): - api_key_before = User.objects.get(pk=self.user.id).settings.api_key() - page = self.c.get('/user/reset-api-key/') - self.assertEqual(page.status_code, 302) - self.assertNotEqual( - api_key_before, - User.objects.get(pk=self.user.id).settings.api_key() - ) - def test_user_settings(self): page = self.c.get('/user/settings/') self.assertEqual(page.status_code, 200) diff --git a/babybuddy/urls.py b/babybuddy/urls.py index a18f2a118..d1f250725 100644 --- a/babybuddy/urls.py +++ b/babybuddy/urls.py @@ -37,11 +37,6 @@ views.UserPassword.as_view(), name='user-password' ), - path( - 'user/reset-api-key/', - views.UserResetAPIKey.as_view(), - name='user-reset-api-key' - ), path( 'user/settings/', views.UserSettings.as_view(), 
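Review bot: `test_user_regenerate_api_key` does not exercise the CSRF protection the commit claims to add, because Django's test `Client` skips CSRF checks unless it is built with `enforce_csrf_checks=True`, so this test would also pass against the old unprotected `GET /user/reset-api-key/` flow once the URL moved. A companion test should post the same params from an enforcing client after login, expect a 403, and assert the key is unchanged; `Client` comes from `django.test` if the module does not import it yet. It is also worth asserting that a plain `GET /user/settings/` and a POST without `api_key_regenerate` leave the key untouched, so regeneration cannot be triggered by merely loading or saving the page. Field names such as `self.credentials` and `self.settings_template` are taken from the surrounding test class, which is outside the hunk.
```python
def test_user_regenerate_api_key_requires_csrf(self):
    c = Client(enforce_csrf_checks=True)
    c.login(**self.credentials)
    api_key_before = User.objects.get(pk=self.user.id).settings.api_key()

    params = self.settings_template.copy()
    params['api_key_regenerate'] = 'Regenerate'

    page = c.post('/user/settings/', params)
    self.assertEqual(page.status_code, 403)
    self.assertEqual(
        api_key_before,
        User.objects.get(pk=self.user.id).settings.api_key()
    )
```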
diff --git a/babybuddy/views.py b/babybuddy/views.py index 75f36b99d..58c482840 100644 --- a/babybuddy/views.py +++ b/babybuddy/views.py @@ -103,16 +103,6 @@ def post(self, request): return render(request, self.template_name, {'form': form}) -class UserResetAPIKey(LoginRequiredMixin, View): - """ - Resets the API key of the logged in user. - """ - def get(self, request): - request.user.settings.api_key(reset=True) - messages.success(request, _('User API key regenerated.')) - return redirect('babybuddy:user-settings') - - class UserSettings(LoginRequiredMixin, View): """ Handles both the User and Settings models. @@ -130,6 +120,11 @@ def get(self, request): }) def post(self, request): + if request.POST.get('api_key_regenerate'): + request.user.settings.api_key(reset=True) + messages.success(request, _('User API key regenerated.')) + return redirect('babybuddy:user-settings') + form_user = self.form_user_class( instance=request.user, data=request.POST)
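Review bot: The regenerate branch in `UserSettings.post` returns before `form_user` is bound, so any other field edits submitted in the same POST are discarded with no validation error; unless the button lives in its own form (the template hunk is not legible here), either save the forms first or make the drop explicit with a comment such as `# Regeneration short-circuits the settings save; other edits in this POST are ignored.` The CSRF guarantee in the commit message rests on the action being reachable only via POST with `CsrfViewMiddleware` enabled, since the view does not apply `@csrf_protect` itself; a one-line comment recording that assumption would protect it from a future GET shortcut. The `api_key_regenerate` value is only truthiness-tested, which is fine for a submit button but means any non-empty value triggers a key rotation, so consider logging the event for audit since the old key is invalidated immediately. The body of `post` continues past the end of the hunk.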