Merge pull request #2879 from bookwyrm-social/reactivation-bug

Don't allow invalid account reactivation
Mouse Reeve 2023-07-20 19:07:18 -07:00 committed by GitHub
commit c4d72829e9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 34 additions and 2 deletions


@ -394,6 +394,8 @@ class User(OrderedCollectionPageMixin, AbstractUser):
def reactivate(self):
"""Now you want to come back, huh?"""
# pylint: disable=attribute-defined-outside-init
if not self.allow_reactivation:
return
self.is_active = True
self.deactivation_reason = None
self.allow_reactivation = False
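Review bot: The new guard in `reactivate()` returns silently when `allow_reactivation` is false, so a caller cannot tell a refused reactivation from a successful one. The test added in this commit patches `login` in `bookwyrm.views.preferences.delete_user`, which suggests the view logs the user in after calling this method; if so, the view should check the outcome before doing that. Returning a boolean would be enough and stays compatible with callers that ignore the result: `return False` in the guard and `return True` at the end, with the docstring stating that the account is reactivated only when `allow_reactivation` is set. Logging the refused attempt at the same point would also give moderators something to look at. The method body continues past the end of the hunk, so its final statements are not visible here.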


@ -347,11 +347,17 @@ class RegisterViews(TestCase):
self.settings.save()
self.local_user.is_active = False
self.local_user.allow_reactivation = True
self.local_user.deactivation_reason = "pending"
self.local_user.confirmation_code = "12345"
self.local_user.save(
broadcast=False,
update_fields=["is_active", "deactivation_reason", "confirmation_code"],
update_fields=[
"is_active",
"allow_reactivation",
"deactivation_reason",
"confirmation_code",
],
)
view = views.ConfirmEmailCode.as_view()
request = self.factory.get("")
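Review bot: This fixture change only keeps the existing positive confirmation test passing; nothing visible in the hunk exercises the case the commit is meant to close, a confirmation code presented for an account whose `deactivation_reason` is not `"pending"`. A companion test that saves the user with a different `deactivation_reason` and `confirmation_code = "12345"`, calls `views.ConfirmEmailCode`, and asserts the user is still inactive would pin the new lookup filter. The test method starts above the hunk and continues below it, so such a case may already exist elsewhere in the file.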


@ -141,3 +141,24 @@ class DeleteUserViews(TestCase):
self.local_user.refresh_from_db()
self.assertTrue(self.local_user.is_active)
self.assertIsNone(self.local_user.deactivation_reason)
def test_reactivate_user_post_disallowed(self, _):
"""Reactivate action under the wrong circumstances"""
self.local_user.is_active = False
self.local_user.save(broadcast=False)
view = views.ReactivateUser.as_view()
form = forms.LoginForm()
form.data["localname"] = "mouse"
form.data["password"] = "password"
request = self.factory.post("", form.data)
request.user = self.local_user
middleware = SessionMiddleware()
middleware.process_request(request)
request.session.save()
with patch("bookwyrm.views.preferences.delete_user.login"):
view(request)
self.local_user.refresh_from_db()
self.assertFalse(self.local_user.is_active)
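Review bot: `test_reactivate_user_post_disallowed` never sets `allow_reactivation`, so it passes only as long as the fixture user's value happens to be false; set `self.local_user.allow_reactivation = False` explicitly before the save. The `patch(...)` around `login` is also not bound to a name, so the test cannot tell whether the view established a session for the still-inactive account. Binding it, `with patch("bookwyrm.views.preferences.delete_user.login") as login_mock:`, and adding `login_mock.assert_not_called()` would cover that, assuming the view is meant to skip login when reactivation is refused.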


@ -74,6 +74,7 @@ class Register(View):
password,
localname=localname,
local=True,
allow_reactivation=settings.require_confirm_email,
deactivation_reason="pending" if settings.require_confirm_email else None,
is_active=not settings.require_confirm_email,
preferred_timezone=preferred_timezone,
@ -105,7 +106,9 @@ class ConfirmEmailCode(View):
# look up the user associated with this code
try:
user = models.User.objects.get(confirmation_code=code)
user = models.User.objects.get(
confirmation_code=code, deactivation_reason="pending"
)
except models.User.DoesNotExist:
return TemplateResponse(
request, "confirm_email/confirm_email.html", {"valid": False}
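Review bot: The `Register` hunk sets `allow_reactivation` only for accounts created after this change, while `reactivate()` elsewhere in this commit now refuses any account without the flag. Accounts already sitting in the `"pending"` state would then match the new `ConfirmEmailCode` lookup but fail to activate, unless the field defaults to true or a data migration backfills it; neither is visible among the four changed files. A migration setting `allow_reactivation=True` where `deactivation_reason="pending"` would close that gap. The literal `"pending"` is also now repeated in both views, and a shared constant would keep the lookup and the registration value from drifting apart. Both method bodies extend outside their hunks.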