Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

#Improve check password on profile delete #267

Merged
merged 8 commits into from
Oct 13, 2023
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 1 addition & 3 deletions authentication/serializers.py
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@
from collections import defaultdict

from django.conf import settings
from django.contrib.auth import authenticate, get_user_model
from django.contrib.auth import get_user_model
from django.core.exceptions import ValidationError
from djoser.serializers import (
UserCreatePasswordRetypeSerializer,
UserSerializer,
TokenCreateSerializer,
)
from rest_framework import serializers
from rest_framework.validators import UniqueValidator
Expand Down
9 changes: 9 additions & 0 deletions profiles/serializers.py
Original file line number Diff line number Diff line change
Expand Up @@ -204,6 +204,15 @@ class Meta:
)
read_only_fields = ("person",)

def validate_for_delete(self, data):
password = data.get("password")
if not password:
raise serializers.ValidationError("Password is required")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just write required=True in the serializer field, and there will be no need to make it 'manually'.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

user = self.context["request"].user
if not user.check_password(password):
raise serializers.ValidationError("Invalid password")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not exactly correct. There should be a field name, + probably validation error should not be a string, but a list of strings (with one string in the list).

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code is outdated. Here is how code looks like now:
if not user.check_password(password):
raise serializers.ValidationError({"password": "Invalid password"})

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replaced with field validation.

return data


class ProfileSensitiveDataROSerializer(serializers.ModelSerializer):
email = serializers.ReadOnlyField(source="person.email")
Expand Down
18 changes: 5 additions & 13 deletions profiles/views.py
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
import django_filters
from django.shortcuts import get_object_or_404
from django.contrib.auth.hashers import check_password
from rest_framework import status
from rest_framework.generics import (
CreateAPIView,
Expand Down Expand Up @@ -175,19 +174,12 @@ def get_serializer_class(self):
else:
return ProfileOwnerDetailEditSerializer

def destroy(self, request, *args, **kwargs):
instance = self.get_object()
user = self.request.user
password = self.request.data.get("password")
if not password or not check_password(password, user.password):
return Response(status=status.HTTP_400_BAD_REQUEST)
else:
self.perform_destroy(instance)
return Response(status=status.HTTP_204_NO_CONTENT)

def perform_destroy(self, instance):
instance.is_deleted = True
instance.save()
request_data = {"password": self.request.data.get("password")}
serializer = self.get_serializer(instance)
if serializer.validate_for_delete(request_data):
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we manually call the validation method?

Write the validation method. Use it on serializer field. DRF will care about the rest.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

instance.is_deleted = True
instance.save()
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

def perform_destroy(self, instance):
    instance.is_deleted = True
    instance.save()

↑ woudn't it be enough?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The serializer is not engaging in this case.



class ViewedCompanyList(ListCreateAPIView):
Expand Down
Loading