Disallow password resets for deactivated accounts.

author Mark Felder <feld@FreeBSD.org>

Wed, 2 Sep 2020 14:09:13 +0000 (09:09 -0500)

committer Mark Felder <feld@FreeBSD.org>

Wed, 2 Sep 2020 14:09:13 +0000 (09:09 -0500)
author Mark Felder <feld@FreeBSD.org>
Wed, 2 Sep 2020 14:09:13 +0000 (09:09 -0500)
committer Mark Felder <feld@FreeBSD.org>
Wed, 2 Sep 2020 14:09:13 +0000 (09:09 -0500)
diff --git a/CHANGELOG.md b/CHANGELOG.md

index 54685cfb8d64c3fe687589978f80fc9569051ad7..cdd5b94a8038f0fdc1c7bda897e8cde05a70f478 100644 (file)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
  - Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers
  - Mastodon API: Timelines hanging for (`number of posts with links * rich media timeout`) in the worst case.
    Reduced to just rich media timeout.
+- Password resets no longer processed for deactivated accounts
  
  ## [2.1.0] - 2020-08-28
  
diff --git a/lib/pleroma/web/mastodon_api/controllers/auth_controller.ex b/lib/pleroma/web/mastodon_api/controllers/auth_controller.ex

index 753b3db3ef9c9cfdd93081b038cadcef9290e6ae..9f09550e1c97e372f1e812a336c46243d68e7fac 100644 (file)
--- a/lib/pleroma/web/mastodon_api/controllers/auth_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/auth_controller.ex
@@ -59,17 +59,11 @@ defmodule Pleroma.Web.MastodonAPI.AuthController do
    def password_reset(conn, params) do
      nickname_or_email = params["email"] || params["nickname"]
  
-    with {:ok, _} <- TwitterAPI.password_reset(nickname_or_email) do
-      conn
-      |> put_status(:no_content)
-      |> json("")
-    else
-      {:error, "unknown user"} ->
-        send_resp(conn, :not_found, "")
-
-      {:error, _} ->
-        send_resp(conn, :bad_request, "")
-    end
+    TwitterAPI.password_reset(nickname_or_email)
+
+    conn
+    |> put_status(:no_content)
+    |> json("")
    end
  
    defp local_mastodon_root_path(conn) do
diff --git a/lib/pleroma/web/twitter_api/twitter_api.ex b/lib/pleroma/web/twitter_api/twitter_api.ex

index 2294d9d0dd82f800cc9e88c383d6a19beee3c330..5d79485071487c89188caebef6a1158870c1254c 100644 (file)
--- a/lib/pleroma/web/twitter_api/twitter_api.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api.ex
@@ -72,7 +72,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
  
    def password_reset(nickname_or_email) do
      with true <- is_binary(nickname_or_email),
-         %User{local: true, email: email} = user when is_binary(email) <-
+         %User{local: true, email: email, deactivated: false} = user when is_binary(email) <-
             User.get_by_nickname_or_email(nickname_or_email),
           {:ok, token_record} <- Pleroma.PasswordResetToken.create_token(user) do
        user
@@ -81,17 +81,8 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
  
        {:ok, :enqueued}
      else
-      false ->
-        {:error, "bad user identifier"}
-
-      %User{local: true, email: nil} ->
+      _ ->
          {:ok, :noop}
-
-      %User{local: false} ->
-        {:error, "remote user"}
-
-      nil ->
-        {:error, "unknown user"}
      end
    end
  
diff --git a/test/web/mastodon_api/controllers/auth_controller_test.exs b/test/web/mastodon_api/controllers/auth_controller_test.exs

index a485f8e417c981551b75529eac40a468c0ec6f8d..4fa95fce1ca464f35d26adfc07d455b1d6b84215 100644 (file)
--- a/test/web/mastodon_api/controllers/auth_controller_test.exs
+++ b/test/web/mastodon_api/controllers/auth_controller_test.exs
@@ -122,17 +122,27 @@ defmodule Pleroma.Web.MastodonAPI.AuthControllerTest do
        {:ok, user: user}
      end
  
-    test "it returns 404 when user is not found", %{conn: conn, user: user} do
+    test "it returns 204 when user is not found", %{conn: conn, user: user} do
        conn = post(conn, "/auth/password?email=nonexisting_#{user.email}")
-      assert conn.status == 404
-      assert conn.resp_body == ""
+
+      assert conn
+             |> json_response(:no_content)
      end
  
-    test "it returns 400 when user is not local", %{conn: conn, user: user} do
+    test "it returns 204 when user is not local", %{conn: conn, user: user} do
        {:ok, user} = Repo.update(Ecto.Changeset.change(user, local: false))
        conn = post(conn, "/auth/password?email=#{user.email}")
-      assert conn.status == 400
-      assert conn.resp_body == ""
+
+      assert conn
+             |> json_response(:no_content)
+    end
+
+    test "it returns 204 when user is deactivated", %{conn: conn, user: user} do
+      {:ok, user} = Repo.update(Ecto.Changeset.change(user, deactivated: true, local: true))
+      conn = post(conn, "/auth/password?email=#{user.email}")
+
+      assert conn
+             |> json_response(:no_content)
      end
    end
author	Mark Felder <feld@FreeBSD.org>
	Wed, 2 Sep 2020 14:09:13 +0000 (09:09 -0500)
committer	Mark Felder <feld@FreeBSD.org>
	Wed, 2 Sep 2020 14:09:13 +0000 (09:09 -0500)
CHANGELOG.md		patch \| blob \| history
lib/pleroma/web/mastodon_api/controllers/auth_controller.ex		patch \| blob \| history
lib/pleroma/web/twitter_api/twitter_api.ex		patch \| blob \| history
test/web/mastodon_api/controllers/auth_controller_test.exs		patch \| blob \| history