Merge pull request #1693 from edx/flowerhack/fix/password-reset-messages

Fixed password reset message

Merge pull request #1693 from edx/flowerhack/fix/password-reset-messages
Fixed password reset message
bc4ebfdc · Julia Hansbrough · 7a24f203 · 87238e6d · bc4ebfdc · bc4ebfdc
Commit bc4ebfdc authored Nov 19, 2013 by Julia Hansbrough
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 8 deletions

common/djangoapps/student/tests/tests.py
+9 -4

common/djangoapps/student/views.py
+1 -4

No files found.
--- a/common/djangoapps/student/tests/tests.py
+++ b/common/djangoapps/student/tests/tests.py
@@ -59,23 +59,28 @@ class ResetPasswordTests(TestCase):
        self.user_bad_passwd.password = UNUSABLE_PASSWORD
        self.user_bad_passwd.save()
+    @patch('student.views.render_to_string', Mock(side_effect=mock_render_to_string, autospec=True))
    def test_user_bad_password_reset(self):
        """Tests password reset behavior for user with password marked UNUSABLE_PASSWORD"""
        bad_pwd_req = self.request_factory.post('/password_reset/', {'email': self.user_bad_passwd.email})
        bad_pwd_resp = password_reset(bad_pwd_req)
+        # If they've got an unusable password, we return a successful response code
        self.assertEquals(bad_pwd_resp.status_code, 200)
-        self.assertEquals(bad_pwd_resp.content, json.dumps({'success': False,
+        self.assertEquals(bad_pwd_resp.content, json.dumps({'success': True,
-                                                            'error': 'Invalid e-mail or user'}))
+                                                            'value': "('registration/password_reset_done.html', [])"}))
+    @patch('student.views.render_to_string', Mock(side_effect=mock_render_to_string, autospec=True))
    def test_nonexist_email_password_reset(self):
        """Now test the exception cases with of reset_password called with invalid email."""
        bad_email_req = self.request_factory.post('/password_reset/', {'email': self.user.email+"makeItFail"})
        bad_email_resp = password_reset(bad_email_req)
+        # Note: even if the email is bad, we return a successful response code
+        # This prevents someone potentially trying to "brute-force" find out which emails are and aren't registered with edX
        self.assertEquals(bad_email_resp.status_code, 200)
-        self.assertEquals(bad_email_resp.content, json.dumps({'success': False,
+        self.assertEquals(bad_email_resp.content, json.dumps({'success': True,
-                                                              'error': 'Invalid e-mail or user'}))
+                                                              'value': "('registration/password_reset_done.html', [])"}))
    @unittest.skipUnless(not settings.MITX_FEATURES.get('DISABLE_PASSWORD_RESET_EMAIL_TEST', False),
                         dedent("""Skipping Test because CMS has not provided necessary templates for password reset.

--- a/common/djangoapps/student/views.py
+++ b/common/djangoapps/student/views.py
@@ -1229,11 +1229,8 @@ def password_reset(request):
                  from_email=settings.DEFAULT_FROM_EMAIL,
                  request=request,
                  domain_override=request.get_host())
-        return HttpResponse(json.dumps({'success': True,
+    return HttpResponse(json.dumps({'success': True,
                                        'value': render_to_string('registration/password_reset_done.html', {})}))
-    else:
-        return HttpResponse(json.dumps({'success': False,
-                                        'error': _('Invalid e-mail or user')}))
 def password_reset_confirm_wrapper(