
Merge pull request #267 from ita-social-projects/#ImproveCheckPasswor…
…dOnProfileDelete

#Improve check password on profile delete
Lvyshnevska authored Oct 13, 2023
2 parents 5987126 + cb27ec6 commit a8d95ed
Showing 4 changed files with 24 additions and 14 deletions.
4 changes: 1 addition & 3 deletions authentication/serializers.py
@@ -1,12 +1,10 @@
from collections import defaultdict

from django.conf import settings
from django.contrib.auth import authenticate, get_user_model
from django.contrib.auth import get_user_model
from django.core.exceptions import ValidationError
from djoser.serializers import (
UserCreatePasswordRetypeSerializer,
UserSerializer,
TokenCreateSerializer,
)
from rest_framework import serializers
from rest_framework.validators import UniqueValidator
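--- a/profiles/serializers.py
+++ b/profiles/serializers.py
@@ -205,6 +205,16 @@ class Meta:
         read_only_fields = ("person",)
 
 
+class ProfileDeleteSerializer(serializers.Serializer):
+    password = serializers.CharField(write_only=True, required=True)
+
+    def validate_password(self, data):
+        user = self.context["request"].user
+        if not user.check_password(data):
+            raise serializers.ValidationError("Invalid password")
+        return data
+
+
 class ProfileSensitiveDataROSerializer(serializers.ModelSerializer):
     email = serializers.ReadOnlyField(source="person.email")
 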
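Review bot: `password = serializers.CharField(write_only=True, required=True)` strips leading and trailing whitespace before `validate_password` sees the value, because DRF's CharField defaults to `trim_whitespace=True`; a password that begins or ends with a space is therefore compared in a form the user never set and `check_password` fails, whereas the view code this commit replaces compared the raw request value. Declare the field as `password = serializers.CharField(write_only=True, required=True, trim_whitespace=False, style={"input_type": "password"})` — the `style` entry only keeps the browsable API from rendering the submitted value in a plain text input. `validate_password` also indexes `self.context["request"]` unconditionally and calls `check_password` on whatever user that request carries, which is fine while the view is authenticated-only (the existing tests suggest it is), but a one-line docstring stating that the serializer must be instantiated with a request context for an authenticated user would make that contract explicit.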
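--- a/profiles/tests/test_crud_profile.py
+++ b/profiles/tests/test_crud_profile.py
@@ -397,6 +397,10 @@ def test_delete_profile_authorized_with_wrong_password(self):
             data={"password": "Test5678"},
         )
         self.assertEqual(status.HTTP_400_BAD_REQUEST, response.status_code)
+        self.assertEqual(
+            {"password": ["Invalid password"]},
+            response.json(),
+        )
 
     def test_delete_profile_authorized_without_password(self):
         self.client.force_authenticate(self.user)
@@ -408,6 +412,10 @@ def test_delete_profile_authorized_without_password(self):
             )
         )
         self.assertEqual(status.HTTP_400_BAD_REQUEST, response.status_code)
+        self.assertEqual(
+            {"password": ["This field is required."]},
+            response.json(),
+        )
 
     def test_delete_profile_of_other_user_authorized(self):
         self.user.set_password("Test1234")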
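--- a/profiles/views.py
+++ b/profiles/views.py
@@ -1,6 +1,5 @@
 import django_filters
 from django.shortcuts import get_object_or_404
-from django.contrib.auth.hashers import check_password
 from rest_framework import status
 from rest_framework.generics import (
     CreateAPIView,
@@ -34,6 +33,7 @@
     ProfileDetailSerializer,
     ProfileOwnerDetailViewSerializer,
     ProfileOwnerDetailEditSerializer,
+    ProfileDeleteSerializer,
     CategorySerializer,
     ActivitySerializer,
     RegionSerializer,
@@ -172,20 +172,14 @@ def get_serializer_class(self):
                 if get_contacts
                 else ProfileDetailSerializer
             )
+        elif self.request.method == "DELETE":
+            return ProfileDeleteSerializer
         else:
             return ProfileOwnerDetailEditSerializer
 
-    def destroy(self, request, *args, **kwargs):
-        instance = self.get_object()
-        user = self.request.user
-        password = self.request.data.get("password")
-        if not password or not check_password(password, user.password):
-            return Response(status=status.HTTP_400_BAD_REQUEST)
-        else:
-            self.perform_destroy(instance)
-            return Response(status=status.HTTP_204_NO_CONTENT)
-
     def perform_destroy(self, instance):
+        serializer = self.get_serializer(data=self.request.data)
+        serializer.is_valid(raise_exception=True)
         instance.is_deleted = True
         instance.save()
 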
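Review bot: `perform_destroy` now re-validates `self.request.data` on every call, which changes the contract of a DRF hook that is normally given only an instance, and nothing in the hunk says why the password check lives in the hook rather than in `destroy`; a short docstring would carry that, e.g. `"""Soft-delete the profile once the requester's password is confirmed by ProfileDeleteSerializer; the check is done here so that DestroyModelMixin.destroy() has already run get_object() and its permission checks, and a failed check surfaces as the serializer's 400."""`. Any other caller of `perform_destroy` that has no matching request body (a bulk path, a shell script) would now get a 400 from `is_valid(raise_exception=True)`, so it is worth confirming there is none. The submitted password is read only by the serializer and is neither logged nor echoed here; keep it that way if the soft delete later gains an audit record — `is_deleted = True` is persisted without who or when, though that predates this commit. `get_serializer_class` begins outside the hunk, and the enclosing class continues past it.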
