
Commit 053f3d9

committed
Make verify_email require Authenticated principal
1 parent 9e8a230 commit 053f3d9


2 files changed

+32
-25
lines changed


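--- a/tests/unit/accounts/test_views.py
+++ b/tests/unit/accounts/test_views.py
@@ -18,6 +18,7 @@
 import pytest
 
 from pyramid.httpexceptions import HTTPMovedPermanently, HTTPSeeOther
+from sqlalchemy.orm.exc import NoResultFound
 
 from warehouse.accounts import views
 from warehouse.accounts.interfaces import (
@@ -691,7 +692,9 @@ def test_reset_password_password_date_changed(self, pyramid_request):
 class TestVerifyEmail:
 
 def test_verify_email(self, db_request, user_service, token_service):
-email = EmailFactory(verified=False)
+user = UserFactory()
+email = EmailFactory(user=user, verified=False)
+db_request.user = user
 db_request.GET.update({"token": "RANDOM_KEY"})
 db_request.route_path = pretend.call_recorder(lambda name: "/")
 token_service.loads = pretend.call_recorder(
@@ -788,7 +791,7 @@ def test_verify_email_invalid_action(self, pyramid_request):
 ),
 ]
 
-def test_verify_email_invalid_email(self, pyramid_request):
+def test_verify_email_not_found(self, pyramid_request):
 data = {
 'action': 'email-verify',
 'email.id': 'invalid',
@@ -801,10 +804,11 @@ def test_verify_email_invalid_email(self, pyramid_request):
 pyramid_request.session.flash = pretend.call_recorder(
 lambda *a, **kw: None
 )
-get = pretend.call_recorder(lambda a: None)
-pyramid_request.db = pretend.stub(
-query=lambda a: pretend.stub(get=get)
-)
+
+def raise_no_result(*a):
+raise NoResultFound
+
+pyramid_request.db = pretend.stub(query=raise_no_result)
 
 views.verify_email(pyramid_request)
 
@@ -814,35 +818,32 @@ def test_verify_email_invalid_email(self, pyramid_request):
 assert pyramid_request.session.flash.calls == [
 pretend.call('Email not found', queue='error')
 ]
-assert get.calls == [pretend.call(data['email.id'])]
 
-def test_verify_email_already_verified(self, pyramid_request):
+def test_verify_email_already_verified(self, db_request):
+user = UserFactory()
+email = EmailFactory(user=user, verified=True)
 data = {
 'action': 'email-verify',
-'email.id': 'valid',
+'email.id': email.id,
 }
-pyramid_request.find_service = (
+db_request.user = user
+db_request.find_service = (
 lambda *a, **kw: pretend.stub(loads=lambda a: data)
 )
-pyramid_request.params = {"token": "RANDOM_KEY"}
-pyramid_request.route_path = pretend.call_recorder(lambda name: "/")
-pyramid_request.session.flash = pretend.call_recorder(
+db_request.params = {"token": "RANDOM_KEY"}
+db_request.route_path = pretend.call_recorder(lambda name: "/")
+db_request.session.flash = pretend.call_recorder(
 lambda *a, **kw: None
 )
-get = pretend.call_recorder(lambda a: pretend.stub(verified=True))
-pyramid_request.db = pretend.stub(
-query=lambda a: pretend.stub(get=get)
-)
 
-views.verify_email(pyramid_request)
+views.verify_email(db_request)
 
-assert pyramid_request.route_path.calls == [
+assert db_request.route_path.calls == [
 pretend.call('manage.profile'),
 ]
-assert pyramid_request.session.flash.calls == [
+assert db_request.session.flash.calls == [
 pretend.call('Email already verified', queue='error')
 ]
-assert get.calls == [pretend.call(data['email.id'])]
 
 
 class TestProfileCallout: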
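Review bot: The security-relevant behaviour this commit introduces — an email row that exists but belongs to a different user must be rejected — is not exercised by any test in this section; `test_verify_email_not_found` stubs `db.query` to raise `NoResultFound` unconditionally, so it passes whether or not the view filters on `Email.user == request.user`, and `test_verify_email_already_verified` only covers the owner's own email. The old `get.calls` assertions were the only check that the lookup used the token's `email.id`, and nothing replaces them. A `db_request`-backed test with an email owned by another `UserFactory()` user would pin the scoping, along the lines of the sketch below (placed in `TestVerifyEmail`).
```python
def test_verify_email_other_users_email(self, db_request):
    user = UserFactory()
    other_email = EmailFactory(user=UserFactory(), verified=False)
    data = {'action': 'email-verify', 'email.id': other_email.id}
    db_request.user = user
    db_request.find_service = (
        lambda *a, **kw: pretend.stub(loads=lambda a: data)
    )
    db_request.params = {"token": "RANDOM_KEY"}
    db_request.route_path = pretend.call_recorder(lambda name: "/")
    db_request.session.flash = pretend.call_recorder(lambda *a, **kw: None)

    views.verify_email(db_request)

    assert db_request.session.flash.calls == [
        pretend.call('Email not found', queue='error')
    ]
```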

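--- a/warehouse/accounts/views.py
+++ b/warehouse/accounts/views.py
@@ -17,9 +17,10 @@
 from pyramid.httpexceptions import (
 HTTPMovedPermanently, HTTPSeeOther, HTTPTooManyRequests,
 )
-from pyramid.security import remember, forget
+from pyramid.security import Authenticated, remember, forget
 from pyramid.view import view_config
 from sqlalchemy.orm import joinedload
+from sqlalchemy.orm.exc import NoResultFound
 
 from warehouse.accounts import REDIRECT_FIELD_NAME
 from warehouse.accounts.forms import (
@@ -341,6 +342,7 @@ def _error(message):
 @view_config(
 route_name="accounts.verify-email",
 uses_session=True,
+effective_principals=Authenticated,
 )
 def verify_email(request):
 token_service = request.find_service(ITokenService, name="email")
@@ -363,9 +365,13 @@ def _error(message):
 if data.get('action') != "email-verify":
 return _error("Invalid token - Not an email verification token")
 
-email = request.db.query(Email).get(data['email.id'])
-
-if not email:
+try:
+email = (
+request.db.query(Email)
+.filter(Email.id == data['email.id'], Email.user == request.user)
+.one()
+)
+except NoResultFound:
 return _error("Email not found")
 
 if email.verified: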
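Review bot: `effective_principals=Authenticated` in the `view_config` hunk is a view predicate, not a permission, so as far as I recall Pyramid's router an anonymous visitor who follows the verification link from their mail client gets a predicate-mismatch 404 rather than a 403 or a trip through the login page; if the intent is "log in, then verify", a `permission=` on the view (with the forbidden view redirecting to login and preserving the token URL) expresses that, and either way the lookup in the last hunk can rely on `request.user` being set. In that last hunk the query is correctly scoped to `request.user`, which closes the cross-account case the old `.get()` allowed; it would help the next reader to say so, e.g. `# Scope to the requesting user: a valid token for another account's email must not verify it.` above the `try`. `data['email.id']` on the filter line still raises `KeyError` for a token without that field (pre-existing; `data.get('email.id')` would route it to the "Email not found" branch), and `.one()` would also surface `MultipleResultsFound`, which is presumably impossible for a primary-key match. The body of `verify_email` continues outside the hunk.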
