3961422f
Verified
Commit
3961422f
authored
Aug 10, 2021
by
Haelwenn
TwitterAPI: Make change_password require body params instead of query
Backport of:
!3503
parent
8baaa36a
Changes
4
CHANGELOG.md
...
...
@@ -19,6 +19,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Fixed
-
MastodonAPI: Stream out Create activities
-
MRF ObjectAgePolicy: Fix pattern matching on "published"
-
TwitterAPI: Make
`change_password`
require params on body instead of query
## 2.4.0 - 2021-08-08
...
...
lib/pleroma/web/api_spec/operations/twitter_util_operation.ex
...
...
@@ -8,6 +8,8 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do
alias
Pleroma
.
Web
.
ApiSpec
.
Schemas
.
ApiError
alias
Pleroma
.
Web
.
ApiSpec
.
Schemas
.
BooleanLike
import
Pleroma
.
Web
.
ApiSpec
.
Helpers
def
open_api_operation
(
action
)
do
operation
=
String
.
to_existing_atom
(
"
#{
action
}
_operation"
)
apply
(
__MODULE__
,
operation
,
[])
...
...
@@ -63,17 +65,7 @@ def change_password_operation do
summary:
"Change account password"
,
security:
[%{
"oAuth"
=>
[
"write:accounts"
]}],
operationId:
"UtilController.change_password"
,
parameters:
[
Operation
.
parameter
(
:password
,
:query
,
:string
,
"Current password"
,
required:
true
),
Operation
.
parameter
(
:new_password
,
:query
,
:string
,
"New password"
,
required:
true
),
Operation
.
parameter
(
:new_password_confirmation
,
:query
,
:string
,
"New password, confirmation"
,
required:
true
)
],
requestBody:
request_body
(
"Parameters"
,
change_password_request
(),
required:
true
),
responses:
%{
200
=>
Operation
.
response
(
"Success"
,
"application/json"
,
%
Schema
{
...
...
@@ -86,6 +78,23 @@ def change_password_operation do
}
end
defp
change_password_request
do
%
Schema
{
title:
"ChangePasswordRequest"
,
description:
"POST body for changing the account's passowrd"
,
type:
:object
,
required:
[
:password
,
:new_password
,
:new_password_confirmation
],
properties:
%{
password:
%
Schema
{
type:
:string
,
description:
"Current password"
},
new_password:
%
Schema
{
type:
:string
,
description:
"New password"
},
new_password_confirmation:
%
Schema
{
type:
:string
,
description:
"New password, confirmation"
}
}
}
end
def
change_email_operation
do
%
Operation
{
tags:
[
"Account credentials"
],
...
...
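Review bot: In `change_password_request` the three properties are plain `type: :string`, so generated API docs and clients get no hint that these values are secrets; marking each one with `format: :password`, e.g. `password: %Schema{type: :string, format: :password, description: "Current password"}`, lets OpenAPI tooling mask the inputs. The schema `description` in the same function has a typo: "passowrd" should read "password". Since the point of the change is to keep credentials out of URLs, the operation's description could also say that the parameters are accepted in the body only, so client authors stop sending them in the query string.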
lib/pleroma/web/twitter_api/controllers/util_controller.ex
...
...
@@ -81,17 +81,13 @@ def update_notificaton_settings(%{assigns: %{user: user}} = conn, params) do
end
end
def
change_password
(%{
assigns:
%{
user:
user
}}
=
conn
,
%{
password:
password
,
new_password:
new_password
,
new_password_confirmation:
new_password_confirmation
})
do
case
CommonAPI
.
Utils
.
confirm_current_password
(
user
,
password
)
do
def
change_password
(%{
assigns:
%{
user:
user
},
body_params:
body_params
}
=
conn
,
%{})
do
case
CommonAPI
.
Utils
.
confirm_current_password
(
user
,
body_params
.
password
)
do
{
:ok
,
user
}
->
with
{
:ok
,
_user
}
<-
User
.
reset_password
(
user
,
%{
password:
new_password
,
password_confirmation:
new_password_confirmation
password:
body_params
.
new_password
,
password_confirmation:
body_params
.
new_password_confirmation
})
do
json
(
conn
,
%{
status:
"success"
})
else
...
...
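Review bot: The new head of `change_password` binds `body_params` whole and then reads `body_params.password`, `body_params.new_password` and `body_params.new_password_confirmation`, so a body that reaches the action without atom keys fails with a `KeyError` part-way through instead of at the function head. Destructuring in the head, `body_params: %{password: password, new_password: new_password, new_password_confirmation: new_password_confirmation}`, would keep the assertive shape the old clause had. The second argument `%{}` matches any params map, so credentials sent in the query string are ignored rather than rejected, presumably leaving rejection to the required request body in the spec. A comment such as `# Passwords are read from the body only: query strings end up in access logs and proxy caches.` would record why. The function body continues past the end of the hunk.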
test/pleroma/web/twitter_api/util_controller_test.exs
...
...
@@ -356,15 +356,12 @@ test "without permissions", %{conn: conn} do
conn
=
conn
|>
assign
(
:token
,
nil
)
|>
post
(
"/api/pleroma/change_password?
#{
URI
.
encode_query
(%{
password:
"hi"
,
new_password:
"newpass"
,
new_password_confirmation:
"newpass"
}
)
}"
)
|>
put_req_header
(
"content-type"
,
"multipart/form-data"
)
|>
post
(
"/api/pleroma/change_password"
,
%{
"password"
=>
"hi"
,
"new_password"
=>
"newpass"
,
"new_password_confirmation"
=>
"newpass"
})
assert
json_response_and_validate_schema
(
conn
,
403
)
==
%{
"error"
=>
"Insufficient permissions: write:accounts."
...
...
@@ -373,16 +370,13 @@ test "without permissions", %{conn: conn} do
test
"with proper permissions and invalid password"
,
%{
conn:
conn
}
do
conn
=
post
(
conn
,
"/api/pleroma/change_password?
#{
URI
.
encode_query
(%{
password:
"hi"
,
new_password:
"newpass"
,
new_password_confirmation:
"newpass"
}
)
}"
)
conn
|>
put_req_header
(
"content-type"
,
"multipart/form-data"
)
|>
post
(
"/api/pleroma/change_password"
,
%{
"password"
=>
"hi"
,
"new_password"
=>
"newpass"
,
"new_password_confirmation"
=>
"newpass"
})
assert
json_response_and_validate_schema
(
conn
,
200
)
==
%{
"error"
=>
"Invalid password."
}
end
...
...
@@ -392,16 +386,13 @@ test "with proper permissions, valid password and new password and confirmation
conn:
conn
}
do
conn
=
post
(
conn
,
"/api/pleroma/change_password?
#{
URI
.
encode_query
(%{
password:
"test"
,
new_password:
"newpass"
,
new_password_confirmation:
"notnewpass"
}
)
}"
)
conn
|>
put_req_header
(
"content-type"
,
"multipart/form-data"
)
|>
post
(
"/api/pleroma/change_password"
,
%{
"password"
=>
"test"
,
"new_password"
=>
"newpass"
,
"new_password_confirmation"
=>
"notnewpass"
})
assert
json_response_and_validate_schema
(
conn
,
200
)
==
%{
"error"
=>
"New password does not match confirmation."
...
...
@@ -412,12 +403,13 @@ test "with proper permissions, valid password and invalid new password", %{
conn:
conn
}
do
conn
=
post
(
conn
,
"/api/pleroma/change_password?
#{
URI
.
encode_query
(%{
password:
"test"
,
new_password:
""
,
new_password_confirmation:
""
}
)
}"
)
conn
|>
put_req_header
(
"content-type"
,
"multipart/form-data"
)
|>
post
(
"/api/pleroma/change_password"
,
%{
password:
"test"
,
new_password:
""
,
new_password_confirmation:
""
})
assert
json_response_and_validate_schema
(
conn
,
200
)
==
%{
"error"
=>
"New password can't be blank."
...
...
@@ -429,15 +421,15 @@ test "with proper permissions, valid password and matching new password and conf
user:
user
}
do
conn
=
post
(
conn
,
"/api/pleroma/change_password?
#{
URI
.
encode_query
(%{
password:
"test"
,
new_
password:
"
newpass
"
,
new_password
_confirmation
:
"newpass"
}
)
}
"
conn
|>
put_req_header
(
"content-type"
,
"multipart/form-data"
)
|>
post
(
"/api/pleroma/change_password"
,
%{
password:
"
test
"
,
new_password:
"newpass"
,
new_password_confirmation:
"newpass"
}
)
assert
json_response_and_validate_schema
(
conn
,
200
)
==
%{
"status"
=>
"success"
}
...
...
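Review bot: None of the updated cases checks the behaviour this commit is about, namely that `change_password` no longer accepts credentials from the query string; every case now posts a body only. A regression test that posts to `"/api/pleroma/change_password?" <> URI.encode_query(...)` with no body, then asserts a validation error and that the user's stored password is unchanged, would pin it. The exact status depends on how the spec validation reports a missing body, so confirm that before asserting on it. Separately, the first three cases pass string keys (`"password" => "hi"`) while the last two pass atom keys (`password: "test"`); using one form throughout would make the section easier to read.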