Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

#Improve check password on profile delete #267

Merged
merged 8 commits into from
Oct 13, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 1 addition & 3 deletions authentication/serializers.py
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@
from collections import defaultdict

from django.conf import settings
from django.contrib.auth import authenticate, get_user_model
from django.contrib.auth import get_user_model
from django.core.exceptions import ValidationError
from djoser.serializers import (
UserCreatePasswordRetypeSerializer,
UserSerializer,
TokenCreateSerializer,
)
from rest_framework import serializers
from rest_framework.validators import UniqueValidator
Expand Down
10 changes: 10 additions & 0 deletions profiles/serializers.py
Original file line number Diff line number Diff line change
Expand Up @@ -205,6 +205,16 @@ class Meta:
read_only_fields = ("person",)


class ProfileDeleteSerializer(serializers.Serializer):
password = serializers.CharField(write_only=True, required=True)

def validate_password(self, data):
user = self.context["request"].user
if not user.check_password(data):
raise serializers.ValidationError("Invalid password")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not exactly correct. There should be a field name, + probably validation error should not be a string, but a list of strings (with one string in the list).

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code is outdated. Here is how code looks like now:
if not user.check_password(password):
raise serializers.ValidationError({"password": "Invalid password"})

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replaced with field validation.

return data


class ProfileSensitiveDataROSerializer(serializers.ModelSerializer):
email = serializers.ReadOnlyField(source="person.email")

Expand Down
8 changes: 8 additions & 0 deletions profiles/tests/test_crud_profile.py
Original file line number Diff line number Diff line change
Expand Up @@ -397,6 +397,10 @@ def test_delete_profile_authorized_with_wrong_password(self):
data={"password": "Test5678"},
)
self.assertEqual(status.HTTP_400_BAD_REQUEST, response.status_code)
self.assertEqual(
{"password": ["Invalid password"]},
response.json(),
)

def test_delete_profile_authorized_without_password(self):
self.client.force_authenticate(self.user)
Expand All @@ -408,6 +412,10 @@ def test_delete_profile_authorized_without_password(self):
)
)
self.assertEqual(status.HTTP_400_BAD_REQUEST, response.status_code)
self.assertEqual(
{"password": ["This field is required."]},
response.json(),
)

def test_delete_profile_of_other_user_authorized(self):
self.user.set_password("Test1234")
Expand Down
16 changes: 5 additions & 11 deletions profiles/views.py
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
import django_filters
from django.shortcuts import get_object_or_404
from django.contrib.auth.hashers import check_password
from rest_framework import status
from rest_framework.generics import (
CreateAPIView,
Expand Down Expand Up @@ -34,6 +33,7 @@
ProfileDetailSerializer,
ProfileOwnerDetailViewSerializer,
ProfileOwnerDetailEditSerializer,
ProfileDeleteSerializer,
CategorySerializer,
ActivitySerializer,
RegionSerializer,
Expand Down Expand Up @@ -172,20 +172,14 @@ def get_serializer_class(self):
if get_contacts
else ProfileDetailSerializer
)
elif self.request.method == "DELETE":
return ProfileDeleteSerializer
else:
return ProfileOwnerDetailEditSerializer

def destroy(self, request, *args, **kwargs):
instance = self.get_object()
user = self.request.user
password = self.request.data.get("password")
if not password or not check_password(password, user.password):
return Response(status=status.HTTP_400_BAD_REQUEST)
else:
self.perform_destroy(instance)
return Response(status=status.HTTP_204_NO_CONTENT)

def perform_destroy(self, instance):
serializer = self.get_serializer(data=self.request.data)
serializer.is_valid(raise_exception=True)
instance.is_deleted = True
instance.save()

Expand Down
Loading