Verified Commit 0e2aebd0 authored by Haelwenn's avatar Haelwenn

TwitterAPI: Make change_email require body params instead of query

Backport of: !3503
parent 3961422f
...@@ -19,7 +19,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ...@@ -19,7 +19,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Fixed ### Fixed
- MastodonAPI: Stream out Create activities - MastodonAPI: Stream out Create activities
- MRF ObjectAgePolicy: Fix pattern matching on "published" - MRF ObjectAgePolicy: Fix pattern matching on "published"
- TwitterAPI: Make `change_password` require params on body instead of query - TwitterAPI: Make `change_password` and `change_email` require params on body instead of query
## 2.4.0 - 2021-08-08 ## 2.4.0 - 2021-08-08
......
...@@ -101,11 +101,7 @@ def change_email_operation do ...@@ -101,11 +101,7 @@ def change_email_operation do
summary: "Change account email", summary: "Change account email",
security: [%{"oAuth" => ["write:accounts"]}], security: [%{"oAuth" => ["write:accounts"]}],
operationId: "UtilController.change_email", operationId: "UtilController.change_email",
parameters: [ requestBody: request_body("Parameters", change_email_request(), required: true),
Operation.parameter(:password, :query, :string, "Current password", required: true),
Operation.parameter(:email, :query, :string, "New email", required: true)
],
requestBody: nil,
responses: %{ responses: %{
200 => 200 =>
Operation.response("Success", "application/json", %Schema{ Operation.response("Success", "application/json", %Schema{
...@@ -118,6 +114,19 @@ def change_email_operation do ...@@ -118,6 +114,19 @@ def change_email_operation do
} }
end end
defp change_email_request do
%Schema{
title: "ChangeEmailRequest",
description: "POST body for changing the account's email",
type: :object,
required: [:email, :password],
properties: %{
email: %Schema{type: :string, description: "New email"},
password: %Schema{type: :string, description: "Current password"}
}
}
end
def update_notificaton_settings_operation do def update_notificaton_settings_operation do
%Operation{ %Operation{
tags: ["Accounts"], tags: ["Accounts"],
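Review bot: The new `change_email_request` schema declares `password` as a bare `type: :string`; since the whole point of this change is to keep the current password out of URLs and logs, the spec should also carry the OpenAPI `password` format hint so generated docs and UIs (Swagger UI and the like) mask the value: `password: %Schema{type: :string, format: :password, description: "Current password"}`. As far as I know OpenApiSpex does not validate the `password` format, so this is documentation-only and would not change the 400/200 behaviour the tests pin — worth confirming against the installed OpenApiSpex version. Leave `email` without a `format`, because the controller already reports "Email has invalid format." as a 200 with an error body and a spec-level `format: :email` could turn that into a 400 and break the existing tests. The enclosing `change_email_operation` and the module continue outside this hunk.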
......
...@@ -104,10 +104,10 @@ def change_password(%{assigns: %{user: user}, body_params: body_params} = conn, ...@@ -104,10 +104,10 @@ def change_password(%{assigns: %{user: user}, body_params: body_params} = conn,
end end
end end
def change_email(%{assigns: %{user: user}} = conn, %{password: password, email: email}) do def change_email(%{assigns: %{user: user}, body_params: body_params} = conn, %{}) do
case CommonAPI.Utils.confirm_current_password(user, password) do case CommonAPI.Utils.confirm_current_password(user, body_params.password) do
{:ok, user} -> {:ok, user} ->
with {:ok, _user} <- User.change_email(user, email) do with {:ok, _user} <- User.change_email(user, body_params.email) do
json(conn, %{status: "success"}) json(conn, %{status: "success"})
else else
{:error, changeset} -> {:error, changeset} ->
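Review bot: The new clause binds the whole `body_params` map and then reaches into it with `body_params.password` / `body_params.email`, while the second argument is matched as `%{}` and never used; matching the two fields in the head reads as the asserted contract and names the unused argument: `def change_email(%{assigns: %{user: user}, body_params: %{password: password, email: email}} = conn, _params) do`, then `case CommonAPI.Utils.confirm_current_password(user, password) do` and `with {:ok, _user} <- User.change_email(user, email) do`. Either form is safe only because the request schema marks both fields required and the spec-cast plug rejects a missing one with 400 before this clause runs (the test file's "Missing field: email." expectation relies on that) — if that plug were ever skipped for this route, the dot access would raise a KeyError rather than return a clean error, so the head match makes the dependency explicit with a FunctionClauseError at the boundary. The body of `change_email` continues past the end of this hunk.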
......
...@@ -261,11 +261,8 @@ test "without permissions", %{conn: conn} do ...@@ -261,11 +261,8 @@ test "without permissions", %{conn: conn} do
conn = conn =
conn conn
|> assign(:token, nil) |> assign(:token, nil)
|> post( |> put_req_header("content-type", "multipart/form-data")
"/api/pleroma/change_email?#{ |> post("/api/pleroma/change_email", %{password: "hi", email: "test@test.com"})
URI.encode_query(%{password: "hi", email: "test@test.com"})
}"
)
assert json_response_and_validate_schema(conn, 403) == %{ assert json_response_and_validate_schema(conn, 403) == %{
"error" => "Insufficient permissions: write:accounts." "error" => "Insufficient permissions: write:accounts."
...@@ -274,12 +271,9 @@ test "without permissions", %{conn: conn} do ...@@ -274,12 +271,9 @@ test "without permissions", %{conn: conn} do
test "with proper permissions and invalid password", %{conn: conn} do test "with proper permissions and invalid password", %{conn: conn} do
conn = conn =
post( conn
conn, |> put_req_header("content-type", "multipart/form-data")
"/api/pleroma/change_email?#{ |> post("/api/pleroma/change_email", %{password: "hi", email: "test@test.com"})
URI.encode_query(%{password: "hi", email: "test@test.com"})
}"
)
assert json_response_and_validate_schema(conn, 200) == %{"error" => "Invalid password."} assert json_response_and_validate_schema(conn, 200) == %{"error" => "Invalid password."}
end end
...@@ -288,10 +282,9 @@ test "with proper permissions, valid password and invalid email", %{ ...@@ -288,10 +282,9 @@ test "with proper permissions, valid password and invalid email", %{
conn: conn conn: conn
} do } do
conn = conn =
post( conn
conn, |> put_req_header("content-type", "multipart/form-data")
"/api/pleroma/change_email?#{URI.encode_query(%{password: "test", email: "foobar"})}" |> post("/api/pleroma/change_email", %{password: "test", email: "foobar"})
)
assert json_response_and_validate_schema(conn, 200) == %{ assert json_response_and_validate_schema(conn, 200) == %{
"error" => "Email has invalid format." "error" => "Email has invalid format."
...@@ -301,7 +294,10 @@ test "with proper permissions, valid password and invalid email", %{ ...@@ -301,7 +294,10 @@ test "with proper permissions, valid password and invalid email", %{
test "with proper permissions, valid password and no email", %{ test "with proper permissions, valid password and no email", %{
conn: conn conn: conn
} do } do
conn = post(conn, "/api/pleroma/change_email?#{URI.encode_query(%{password: "test"})}") conn =
conn
|> put_req_header("content-type", "multipart/form-data")
|> post("/api/pleroma/change_email", %{password: "test"})
assert %{"error" => "Missing field: email."} = json_response_and_validate_schema(conn, 400) assert %{"error" => "Missing field: email."} = json_response_and_validate_schema(conn, 400)
end end
...@@ -310,10 +306,9 @@ test "with proper permissions, valid password and blank email", %{ ...@@ -310,10 +306,9 @@ test "with proper permissions, valid password and blank email", %{
conn: conn conn: conn
} do } do
conn = conn =
post( conn
conn, |> put_req_header("content-type", "multipart/form-data")
"/api/pleroma/change_email?#{URI.encode_query(%{password: "test", email: ""})}" |> post("/api/pleroma/change_email", %{password: "test", email: ""})
)
assert json_response_and_validate_schema(conn, 200) == %{"error" => "Email can't be blank."} assert json_response_and_validate_schema(conn, 200) == %{"error" => "Email can't be blank."}
end end
...@@ -324,10 +319,9 @@ test "with proper permissions, valid password and non unique email", %{ ...@@ -324,10 +319,9 @@ test "with proper permissions, valid password and non unique email", %{
user = insert(:user) user = insert(:user)
conn = conn =
post( conn
conn, |> put_req_header("content-type", "multipart/form-data")
"/api/pleroma/change_email?#{URI.encode_query(%{password: "test", email: user.email})}" |> post("/api/pleroma/change_email", %{password: "test", email: user.email})
)
assert json_response_and_validate_schema(conn, 200) == %{ assert json_response_and_validate_schema(conn, 200) == %{
"error" => "Email has already been taken." "error" => "Email has already been taken."
...@@ -338,12 +332,9 @@ test "with proper permissions, valid password and valid email", %{ ...@@ -338,12 +332,9 @@ test "with proper permissions, valid password and valid email", %{
conn: conn conn: conn
} do } do
conn = conn =
post( conn
conn, |> put_req_header("content-type", "multipart/form-data")
"/api/pleroma/change_email?#{ |> post("/api/pleroma/change_email", %{password: "test", email: "cofe@foobar.com"})
URI.encode_query(%{password: "test", email: "cofe@foobar.com"})
}"
)
assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"} assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}
end end
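Review bot: None of the rewritten tests asserts the property this commit exists for: that `password`/`email` supplied only in the query string are no longer accepted. Every case now sends the fields as a `multipart/form-data` body, so a regression that re-merged query params into the cast body would go unnoticed; a test posting the old query-string form with an empty body should get the 400 "Missing field" response. The exact field named first in the error when both are absent is not visible here, so match on the prefix rather than a full string, and note that every test also uses the same content type — a single `application/json` case would show the body path works for both encodings.

```elixir
test "with proper permissions, credentials only in the query string", %{conn: conn} do
  conn =
    conn
    |> put_req_header("content-type", "multipart/form-data")
    |> post(
      "/api/pleroma/change_email?#{URI.encode_query(%{password: "test", email: "cofe@foobar.com"})}"
    )

  assert %{"error" => "Missing field: " <> _} = json_response_and_validate_schema(conn, 400)
end
```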
......