Add the concept of require_fresh_login to both the backend and frontend. Sensitive methods will now be marked with the annotation, which requires that the user has performed a login within 10 minutes or they are asked to do so in the UI before running the operation again.

2014-09-04 14:24:20 -04:00 · 2014-09-04 14:24:20 -04:00 · e783df31e0
commit e783df31e0
parent 1e7e012b92
9 changed files with 174 additions and 61 deletions
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@ -172,14 +172,14 @@ class TestCSRFFailure(ApiTestCase):

    # Make sure a simple post call succeeds.
    self.putJsonResponse(User,
-                         data=dict(password='newpasswordiscool', current_password='password'))    
+                         data=dict(password='newpasswordiscool'))    

    # Change the session's CSRF token.
    self.setCsrfToken('someinvalidtoken')
    
    # Verify that the call now fails.
    self.putJsonResponse(User,
-                         data=dict(password='newpasswordiscool', current_password='password'),
+                         data=dict(password='newpasswordiscool'),
                         expected_code=403)


@ -325,29 +325,15 @@ class TestChangeUserDetails(ApiTestCase):
  def test_changepassword(self):
    self.login(READ_ACCESS_USER)
    self.putJsonResponse(User,
-                         data=dict(password='newpasswordiscool', current_password='password'))
+                         data=dict(password='newpasswordiscool'))
    self.login(READ_ACCESS_USER, password='newpasswordiscool')

-  def test_changepassword_invalidpasswor(self):
-    self.login(READ_ACCESS_USER)
-    self.putJsonResponse(User,
-                         data=dict(password='newpasswordiscool', current_password='notcorrect'),
-                         expected_code=400)
-
  def test_changeeemail(self):
    self.login(READ_ACCESS_USER)

    self.putJsonResponse(User,
-                         data=dict(email='test+foo@devtable.com', current_password='password'))
+                         data=dict(email='test+foo@devtable.com'))

-  def test_changeeemail_invalidpassword(self):
-    self.login(READ_ACCESS_USER)
-
-    self.putJsonResponse(User,
-                         data=dict(email='test+foo@devtable.com', current_password='notcorrect'),
-                         expected_code=400)
-
-    
  def test_changeinvoiceemail(self):
    self.login(READ_ACCESS_USER)