Merge pull request #2879 from bookwyrm-social/reactivation-bug

Don't allow invalid account reactivation
2024-05-23 10:48:07 +00:00 · 2023-07-20 19:07:18 -07:00 · 2023-07-20 19:07:18 -07:00 · c4d72829e9
parent c947360da8 0832a2fa8e
commit c4d72829e9
4 changed files with 34 additions and 2 deletions
--- a/bookwyrm/models/user.py
+++ b/bookwyrm/models/user.py
@ -394,6 +394,8 @@ class User(OrderedCollectionPageMixin, AbstractUser):
    def reactivate(self):
        """Now you want to come back, huh?"""
        # pylint: disable=attribute-defined-outside-init
+        if not self.allow_reactivation:
+            return
        self.is_active = True
        self.deactivation_reason = None
        self.allow_reactivation = False
--- a/bookwyrm/tests/views/landing/test_register.py
+++ b/bookwyrm/tests/views/landing/test_register.py
@ -347,11 +347,17 @@ class RegisterViews(TestCase):
        self.settings.save()

        self.local_user.is_active = False
+        self.local_user.allow_reactivation = True
        self.local_user.deactivation_reason = "pending"
        self.local_user.confirmation_code = "12345"
        self.local_user.save(
            broadcast=False,
-            update_fields=["is_active", "deactivation_reason", "confirmation_code"],
+            update_fields=[
+                "is_active",
+                "allow_reactivation",
+                "deactivation_reason",
+                "confirmation_code",
+            ],
        )
        view = views.ConfirmEmailCode.as_view()
        request = self.factory.get("")
--- a/bookwyrm/tests/views/preferences/test_delete_user.py
+++ b/bookwyrm/tests/views/preferences/test_delete_user.py
@ -141,3 +141,24 @@ class DeleteUserViews(TestCase):
        self.local_user.refresh_from_db()
        self.assertTrue(self.local_user.is_active)
        self.assertIsNone(self.local_user.deactivation_reason)
+
+    def test_reactivate_user_post_disallowed(self, _):
+        """Reactivate action under the wrong circumstances"""
+        self.local_user.is_active = False
+        self.local_user.save(broadcast=False)
+
+        view = views.ReactivateUser.as_view()
+        form = forms.LoginForm()
+        form.data["localname"] = "mouse"
+        form.data["password"] = "password"
+        request = self.factory.post("", form.data)
+        request.user = self.local_user
+        middleware = SessionMiddleware()
+        middleware.process_request(request)
+        request.session.save()
+
+        with patch("bookwyrm.views.preferences.delete_user.login"):
+            view(request)
+
+        self.local_user.refresh_from_db()
+        self.assertFalse(self.local_user.is_active)
--- a/bookwyrm/views/landing/register.py
+++ b/bookwyrm/views/landing/register.py
@ -74,6 +74,7 @@ class Register(View):
            password,
            localname=localname,
            local=True,
+            allow_reactivation=settings.require_confirm_email,
            deactivation_reason="pending" if settings.require_confirm_email else None,
            is_active=not settings.require_confirm_email,
            preferred_timezone=preferred_timezone,
@ -105,7 +106,9 @@ class ConfirmEmailCode(View):

        # look up the user associated with this code
        try:
-            user = models.User.objects.get(confirmation_code=code)
+            user = models.User.objects.get(
+                confirmation_code=code, deactivation_reason="pending"
+            )
        except models.User.DoesNotExist:
            return TemplateResponse(
                request, "confirm_email/confirm_email.html", {"valid": False}