mattdrayer/api-userdetailpostfix: Addressed several issues related to updating…

mattdrayer/api-userdetailpostfix: Addressed several issues related to updating user/profile information FInal fix

mattdrayer/api-userdetailpostfix: Addressed several issues related to updating…
mattdrayer/api-userdetailpostfix: Addressed several issues related to updating user/profile information FInal fix
82668c34 · Matt Drayer · Jonathan Piacenti · c907daa4 · 82668c34 · 82668c34
Commit 82668c34 authored May 14, 2014 by Matt Drayer Committed by Jonathan Piacenti Aug 20, 2015
Showing with 66 additions and 5 deletions

lms/djangoapps/api_manager/models.py
+3 -0

lms/djangoapps/api_manager/users/test_user_password_reset.py
+33 -0

lms/djangoapps/api_manager/users/tests.py
+30 -5

lms/djangoapps/api_manager/users/views.py
+0 -0

No files found.
--- a/lms/djangoapps/api_manager/models.py
+++ b/lms/djangoapps/api_manager/models.py
@@ -122,4 +122,7 @@ class CourseContentGroupRelationship(TimeStampedModel):
    record_active = models.BooleanField(default=True)

    class Meta:
+        """
+        Mapping model to enable grouping of course content such as chapters
+        """
        unique_together = ("course_id", "content_id", "group")
--- a/lms/djangoapps/api_manager/users/test_user_password_reset.py
+++ b/lms/djangoapps/api_manager/users/test_user_password_reset.py
@@ -123,6 +123,37 @@ class UserPasswordResetTest(TestCase):
        )
        self._assert_response(response, status=200)

+    @override_settings(ADVANCED_SECURITY_CONFIG={'MIN_DIFFERENT_STAFF_PASSWORDS_BEFORE_REUSE': 20,
+                                                 'MIN_TIME_IN_DAYS_BETWEEN_ALLOWED_RESETS': 0})
+    def test_password_reset_not_allowable_reuse_staff_user(self):
+        """
+        Try resetting staff user password with an already-used password
+        Hits a very specific LOC in the view code
+        """
+        response = self._do_post_request(
+            self.user_url, 'test2', 'Test.Me64!', email='test@edx.org',
+            first_name='John', last_name='Doe', secure=True, is_staff=True
+        )
+        self._assert_response(response, status=201)
+        user_id = response.data['id']
+
+        pass_reset_url = "%s/%s" % (self.user_url, str(user_id))
+
+        response = self._do_post_pass_reset_request(
+            pass_reset_url, password='Test.Me64#', secure=True
+        )
+        self._assert_response(response, status=200)
+
+        response = self._do_post_pass_reset_request(
+            pass_reset_url, password='Test.Me64#', secure=True
+        )
+        message = _(
+            "You are re-using a password that you have used recently. You must "
+            "have 20 distinct password(s) before reusing a previous password."
+        )
+        self._assert_response(response, status=403, message=message)
+
+
    @override_settings(ADVANCED_SECURITY_CONFIG={'MIN_TIME_IN_DAYS_BETWEEN_ALLOWED_RESETS': 1})
    def test_is_password_reset_too_frequent(self):
        """
@@ -202,6 +233,8 @@ class UserPasswordResetTest(TestCase):
            post_params['first_name'] = kwargs.get('first_name')
        if kwargs.get('last_name'):
            post_params['last_name'] = kwargs.get('last_name')
+        if kwargs.get('is_staff'):
+            post_params['is_staff'] = kwargs.get('is_staff')

        headers = {'X-Edx-Api-Key': TEST_API_KEY, 'Content-Type': 'application/json'}
        if kwargs.get('secure', False):

--- a/lms/djangoapps/api_manager/users/tests.py
+++ b/lms/djangoapps/api_manager/users/tests.py
@@ -34,7 +34,8 @@ class SecureClient(Client):

 @override_settings(MODULESTORE=TEST_DATA_MIXED_MODULESTORE)
 @override_settings(EDX_API_KEY=TEST_API_KEY)
-@patch.dict("django.conf.settings.FEATURES", {'ENFORCE_PASSWORD_POLICY': False})
+@override_settings(PASSWORD_MIN_LENGTH=4)
+@patch.dict("django.conf.settings.FEATURES", {'ENFORCE_PASSWORD_POLICY': True})
 class UsersApiTests(TestCase):

    """ Test suite for Users API views """
@@ -144,19 +145,30 @@ class UsersApiTests(TestCase):
    def test_user_detail_post(self):
        test_uri = '/api/users'
        local_username = self.test_username + str(randint(11, 99))
-        data = {'email': self.test_email, 'username': local_username, 'password':
-                self.test_password, 'first_name': self.test_first_name, 'last_name': self.test_last_name}
+        data = {'email': self.test_email,
+                'username': local_username, 'password':self.test_password,
+                'first_name': self.test_first_name, 'last_name': self.test_last_name}
        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 201)
        test_uri = test_uri + '/' + str(response.data['id'])
-        data = {'is_active': False}
+        auth_data = {'username': local_username, 'password': self.test_password}
+        self.do_post('/api/sessions', auth_data)
+        self.assertEqual(response.status_code, 201)
+        data = {'is_active': False, 'is_staff': True}
        response = self.do_post(test_uri, data)
        self.assertEqual(response.status_code, 200)
        self.assertEqual(response.data['is_active'], False)
+        self.assertEqual(response.data['is_staff'], True)
        response = self.do_get(test_uri)
        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data['email'], self.test_email)
+        self.assertEqual(response.data['username'], local_username)
+        self.assertEqual(response.data['first_name'], self.test_first_name)
+        self.assertEqual(response.data['last_name'], self.test_last_name)
+        self.assertEqual(response.data['full_name'], '{} {}'.format(self.test_first_name, self.test_last_name))
        self.assertEqual(response.data['is_active'], False)

-    def test_user_detail_post_username(self):
+    def test_user_detail_post_duplicate_username(self):
        """
        Create two users, then pass the same first username in request in order to update username of second user.
        Must return bad request against username, Already exist!
@@ -188,6 +200,19 @@ class UsersApiTests(TestCase):
        self.assertEqual(response.status_code, 400)
        self.assertEqual(response.data['message'], message)

+    def test_user_detail_post_invalid_password(self):
+        test_uri = '/api/users'
+        local_username = self.test_username + str(randint(11, 99))
+        data = {'email': self.test_email,
+                'username': local_username, 'password': self.test_password,
+                'first_name': self.test_first_name, 'last_name': self.test_last_name}
+        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 201)
+        test_uri = test_uri + '/' + str(response.data['id'])
+        data = {'password': 'x'}
+        response = self.do_post(test_uri, data)
+        self.assertEqual(response.status_code, 400)
+
    def test_user_detail_post_user_profile_added_updated(self):
        """
        Create a user, then add the user profile

--- a/lms/djangoapps/api_manager/users/views.py
+++ b/lms/djangoapps/api_manager/users/views.py