Customizable error message for invalid login in forgotten login page. #48

Éloi Rivard 2021-01-01 13:55:20 +01:00
parent 9cf81b6be6
commit c01b587759
2 changed files with 26 additions and 8 deletions


@ -43,6 +43,14 @@ class ForgottenPasswordForm(FlaskForm):
}, },
) )
def validate_login(self, field):
if current_app.config.get("HIDE_INVALID_LOGINS", False) and not User.get(
field.data
):
raise wtforms.ValidationError(
_("The login '{login}' does not exist").format(login=field.data)
)
class PasswordResetForm(FlaskForm): class PasswordResetForm(FlaskForm):
password = wtforms.PasswordField( password = wtforms.PasswordField(
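Review bot: In `validate_login` the "does not exist" error is raised when `HIDE_INVALID_LOGINS` is true, so an option whose name suggests hiding is the one that tells a visitor of the reset form whether an account exists. The tests in this commit pin the same polarity, so it looks intentional, but an operator who sets the flag to True expecting less disclosure would get account enumeration instead. I would at least put a comment above the condition, such as `# NOTE: HIDE_INVALID_LOGINS=True *shows* the "does not exist" error, which reveals which logins exist; the default (False) keeps the generic reset message`. The setting's documentation is not visible here, so it is worth confirming that it says the same. The body of `ForgottenPasswordForm` starts outside this hunk.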


@ -107,11 +107,21 @@ def test_password_forgotten_invalid_form(SMTP, testclient, slapd_connection, use
@mock.patch("smtplib.SMTP") @mock.patch("smtplib.SMTP")
def test_password_forgotten_invalid(SMTP, testclient, slapd_connection, user): def test_password_forgotten_invalid(SMTP, testclient, slapd_connection, user):
testclient.app.config["HIDE_INVALID_LOGINS"] = False
res = testclient.get("/reset", status=200) res = testclient.get("/reset", status=200)
res.form["login"] = "i-dont-really-exist" res.form["login"] = "i-dont-really-exist"
res = res.form.submit(status=200) res = res.form.submit(status=200)
assert "A password reset link has been sent at your email address." in res.text assert "A password reset link has been sent at your email address." in res.text
assert "The login 'i-dont-really-exist' does not exist" not in res.text
testclient.app.config["HIDE_INVALID_LOGINS"] = True
res = testclient.get("/reset", status=200)
res.form["login"] = "i-dont-really-exist"
res = res.form.submit(status=200)
assert "A password reset link has been sent at your email address." not in res.text
assert "The login 'i-dont-really-exist' does not exist" in res.text
SMTP.assert_not_called() SMTP.assert_not_called()
@ -209,14 +219,6 @@ def test_impersonate(testclient, slapd_connection, logged_admin, user):
def test_wrong_login(testclient, slapd_connection, user): def test_wrong_login(testclient, slapd_connection, user):
testclient.app.config["HIDE_INVALID_LOGINS"] = True
res = testclient.get("/login", status=200)
res.form["login"] = "invalid"
res.form["password"] = "incorrect horse"
res = res.form.submit(status=200)
assert "The login 'invalid' does not exist" in res.text
testclient.app.config["HIDE_INVALID_LOGINS"] = False testclient.app.config["HIDE_INVALID_LOGINS"] = False
res = testclient.get("/login", status=200) res = testclient.get("/login", status=200)
@ -224,3 +226,11 @@ def test_wrong_login(testclient, slapd_connection, user):
res.form["password"] = "incorrect horse" res.form["password"] = "incorrect horse"
res = res.form.submit(status=200) res = res.form.submit(status=200)
assert "The login 'invalid' does not exist" not in res.text assert "The login 'invalid' does not exist" not in res.text
testclient.app.config["HIDE_INVALID_LOGINS"] = True
res = testclient.get("/login", status=200)
res.form["login"] = "invalid"
res.form["password"] = "incorrect horse"
res = res.form.submit(status=200)
assert "The login 'invalid' does not exist" in res.text
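Review bot: Both `test_password_forgotten_invalid` and, after the reordering, `test_wrong_login` now end with `testclient.app.config["HIDE_INVALID_LOGINS"] = True` and never restore it. If the app fixture is shared between tests (its scope is not visible here), later tests would run with unknown-login disclosure switched on and their outcome would depend on execution order. Splitting each test into one function per flag value, or resetting the key at the end, would avoid that. The forgotten-password test also covers only an unknown login. A case with the flag set to True and the existing `user` login, asserting the reset message is shown and "does not exist" is absent, would confirm the new validator never rejects a real account.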