From 888ec17538e990f329dfc04c94284fe74d5578ab Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Tue, 10 Nov 2015 15:41:19 -0500
Subject: [PATCH] Recover by email needs to allow anon access to its endpoints
---
 endpoints/api/user.py | 1 +
 endpoints/web.py | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/endpoints/api/user.py b/endpoints/api/user.py
index 0f21273b3..1801598f7 100644
--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@@ -643,6 +643,7 @@ class Recovery(ApiResource):
 }
 @nickname('requestRecoveryEmail')
+ @anon_allowed
 @validate_json_request('RequestRecovery')
 def post(self):
 """ Request a password recovery email."""
diff --git a/endpoints/web.py b/endpoints/web.py
index ac2bf4dce..0fa19ef9b 100644
--- a/endpoints/web.py
+++ b/endpoints/web.py
@@ -19,7 +19,7 @@ from util.invoice import renderInvoiceToPdf
 from util.seo import render_snapshot
 from util.cache import no_cache
 from endpoints.common import common_login, render_page_template, route_show_if, param_required
-from endpoints.decorators import anon_protect
+from endpoints.decorators import anon_protect, anon_allowed
 from endpoints.csrf import csrf_protect, generate_csrf_token, verify_csrf
 from buildtrigger.customhandler import CustomBuildTrigger
@@ -366,6 +366,7 @@ def confirm_repo_email():
 @web.route('/confirm', methods=['GET'])
 @route_show_if(features.MAILING)
+@anon_allowed
 def confirm_email():
 code = request.values['code']
 user = None
@@ -386,6 +387,8 @@ def confirm_email():
 @web.route('/recovery', methods=['GET'])
+@route_show_if(features.MAILING)
+@anon_allowed
 def confirm_recovery():
 code = request.values['code']
 user = model.user.validate_reset_code(code)
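Review bot: With `@anon_allowed` on `Recovery.post`, an unauthenticated caller can request recovery mail for any address, and nothing in this hunk shows throttling or a uniform response. The body of `post` lies outside the hunk, so this may already be handled there. If it is not, the handler should return the same status whether or not the address matches an account, and be rate limited per address and per client. I would also record the intent above the decorator, e.g. `# Anonymous by design: callers have lost their credentials; reply identically for known and unknown emails.`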
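Review bot: `confirm_email` in this hunk and `confirm_recovery` in the next one read the secret from `request.values['code']` on a GET route that is now explicitly anonymous, so the code is the only credential and it travels in the URL. `no_cache` is already imported in this file but is not among the decorators shown on either route; adding `@no_cache` directly under `@anon_allowed` on both would keep code-bearing responses out of browser and intermediary caches. Whether the code is single-use and expires is decided in the model layer, which is outside these hunks, so that is worth confirming before merge. Both function bodies continue past the end of their hunks.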
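Review bot: The `@route_show_if(features.MAILING)` line added to `confirm_recovery` is a second behaviour change that the subject line does not mention. It presumably stops the route being served when mailing is disabled, matching `confirm_email`, but that is inferred from the decorator name rather than shown here. A short comment above the decorators would make the intent explicit, e.g. `# Recovery links are only issued by email, so hide the route when MAILING is off.`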