commit: d1a6f67b1d92e17f4fe3cfc8f296879326897220
parent: 0ab03e856480c35ce9478d086f103b396a8e7453
Author: feld <feld@feld.me>
Date: Wed, 2 Sep 2020 17:11:24 +0000
Merge branch 'fix/2095-deactivated-account-reset' into 'develop'
Disallow password resets for deactivated accounts
Closes #2095
See merge request pleroma/pleroma!2935
Diffstat:
4 files changed, 24 insertions(+), 28 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers
- Mastodon API: Timelines hanging for (`number of posts with links * rich media timeout`) in the worst case.
Reduced to just rich media timeout.
+- Password resets no longer processed for deactivated accounts
## [2.1.0] - 2020-08-28
diff --git a/lib/pleroma/web/mastodon_api/controllers/auth_controller.ex b/lib/pleroma/web/mastodon_api/controllers/auth_controller.ex
@@ -59,17 +59,11 @@ defmodule Pleroma.Web.MastodonAPI.AuthController do
def password_reset(conn, params) do
nickname_or_email = params["email"] || params["nickname"]
- with {:ok, _} <- TwitterAPI.password_reset(nickname_or_email) do
- conn
- |> put_status(:no_content)
- |> json("")
- else
- {:error, "unknown user"} ->
- send_resp(conn, :not_found, "")
-
- {:error, _} ->
- send_resp(conn, :bad_request, "")
- end
+ TwitterAPI.password_reset(nickname_or_email)
+
+ conn
+ |> put_status(:no_content)
+ |> json("")
end
defp local_mastodon_root_path(conn) do
diff --git a/lib/pleroma/web/twitter_api/twitter_api.ex b/lib/pleroma/web/twitter_api/twitter_api.ex
@@ -72,7 +72,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
def password_reset(nickname_or_email) do
with true <- is_binary(nickname_or_email),
- %User{local: true, email: email} = user when is_binary(email) <-
+ %User{local: true, email: email, deactivated: false} = user when is_binary(email) <-
User.get_by_nickname_or_email(nickname_or_email),
{:ok, token_record} <- Pleroma.PasswordResetToken.create_token(user) do
user
@@ -81,17 +81,8 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
{:ok, :enqueued}
else
- false ->
- {:error, "bad user identifier"}
-
- %User{local: true, email: nil} ->
+ _ ->
{:ok, :noop}
-
- %User{local: false} ->
- {:error, "remote user"}
-
- nil ->
- {:error, "unknown user"}
end
end
diff --git a/test/web/mastodon_api/controllers/auth_controller_test.exs b/test/web/mastodon_api/controllers/auth_controller_test.exs
@@ -122,17 +122,27 @@ defmodule Pleroma.Web.MastodonAPI.AuthControllerTest do
{:ok, user: user}
end
- test "it returns 404 when user is not found", %{conn: conn, user: user} do
+ test "it returns 204 when user is not found", %{conn: conn, user: user} do
conn = post(conn, "/auth/password?email=nonexisting_#{user.email}")
- assert conn.status == 404
- assert conn.resp_body == ""
+
+ assert conn
+ |> json_response(:no_content)
end
- test "it returns 400 when user is not local", %{conn: conn, user: user} do
+ test "it returns 204 when user is not local", %{conn: conn, user: user} do
{:ok, user} = Repo.update(Ecto.Changeset.change(user, local: false))
conn = post(conn, "/auth/password?email=#{user.email}")
- assert conn.status == 400
- assert conn.resp_body == ""
+
+ assert conn
+ |> json_response(:no_content)
+ end
+
+ test "it returns 204 when user is deactivated", %{conn: conn, user: user} do
+ {:ok, user} = Repo.update(Ecto.Changeset.change(user, deactivated: true, local: true))
+ conn = post(conn, "/auth/password?email=#{user.email}")
+
+ assert conn
+ |> json_response(:no_content)
end
end
