Browse Source
TwitterAPI: Make change_email require body params instead of query
Backport of: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3503stable^2
Haelwenn (lanodan) Monnier
2 years ago
No known key found for this signature in database
GPG Key ID: D5B7A8E43C997DEE
4 changed files with 39 additions and 39 deletions
Split View
Diff Options
-
+1 -1CHANGELOG.md
-
+14 -5lib/pleroma/web/api_spec/operations/twitter_util_operation.ex
-
+3 -3lib/pleroma/web/twitter_api/controllers/util_controller.ex
-
+21 -30test/pleroma/web/twitter_api/util_controller_test.exs
+ 1
- 1
CHANGELOG.md
View File
| @@ -19,7 +19,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). | |||
| ### Fixed | |||
| - MastodonAPI: Stream out Create activities | |||
| - MRF ObjectAgePolicy: Fix pattern matching on "published" | |||
| - TwitterAPI: Make `change_password` require params on body instead of query | |||
| - TwitterAPI: Make `change_password` and `change_email` require params on body instead of query | |||
| ## 2.4.0 - 2021-08-08 | |||
+ 14
- 5
lib/pleroma/web/api_spec/operations/twitter_util_operation.ex
View File
| @@ -101,11 +101,7 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do | |||
| summary: "Change account email", | |||
| security: [%{"oAuth" => ["write:accounts"]}], | |||
| operationId: "UtilController.change_email", | |||
| parameters: [ | |||
| Operation.parameter(:password, :query, :string, "Current password", required: true), | |||
| Operation.parameter(:email, :query, :string, "New email", required: true) | |||
| ], | |||
| requestBody: nil, | |||
| requestBody: request_body("Parameters", change_email_request(), required: true), | |||
| responses: %{ | |||
| 200 => | |||
| Operation.response("Success", "application/json", %Schema{ | |||
| @@ -118,6 +114,19 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do | |||
| } | |||
| end | |||
| defp change_email_request do | |||
| %Schema{ | |||
| title: "ChangeEmailRequest", | |||
| description: "POST body for changing the account's email", | |||
| type: :object, | |||
| required: [:email, :password], | |||
| properties: %{ | |||
| email: %Schema{type: :string, description: "New email"}, | |||
| password: %Schema{type: :string, description: "Current password"} | |||
| } | |||
| } | |||
| end | |||
| def update_notificaton_settings_operation do | |||
| %Operation{ | |||
| tags: ["Accounts"], | |||
+ 3
- 3
lib/pleroma/web/twitter_api/controllers/util_controller.ex
View File
| @@ -104,10 +104,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do | |||
| end | |||
| end | |||
| def change_email(%{assigns: %{user: user}} = conn, %{password: password, email: email}) do | |||
| case CommonAPI.Utils.confirm_current_password(user, password) do | |||
| def change_email(%{assigns: %{user: user}, body_params: body_params} = conn, %{}) do | |||
| case CommonAPI.Utils.confirm_current_password(user, body_params.password) do | |||
| {:ok, user} -> | |||
| with {:ok, _user} <- User.change_email(user, email) do | |||
| with {:ok, _user} <- User.change_email(user, body_params.email) do | |||
| json(conn, %{status: "success"}) | |||
| else | |||
| {:error, changeset} -> | |||
+ 21
- 30
test/pleroma/web/twitter_api/util_controller_test.exs
View File
| @@ -261,11 +261,8 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do | |||
| conn = | |||
| conn | |||
| |> assign(:token, nil) | |||
| |> post( | |||
| "/api/pleroma/change_email?#{ | |||
| URI.encode_query(%{password: "hi", email: "test@test.com"}) | |||
| }" | |||
| ) | |||
| |> put_req_header("content-type", "multipart/form-data") | |||
| |> post("/api/pleroma/change_email", %{password: "hi", email: "test@test.com"}) | |||
| assert json_response_and_validate_schema(conn, 403) == %{ | |||
| "error" => "Insufficient permissions: write:accounts." | |||
| @@ -274,12 +271,9 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do | |||
| test "with proper permissions and invalid password", %{conn: conn} do | |||
| conn = | |||
| post( | |||
| conn, | |||
| "/api/pleroma/change_email?#{ | |||
| URI.encode_query(%{password: "hi", email: "test@test.com"}) | |||
| }" | |||
| ) | |||
| conn | |||
| |> put_req_header("content-type", "multipart/form-data") | |||
| |> post("/api/pleroma/change_email", %{password: "hi", email: "test@test.com"}) | |||
| assert json_response_and_validate_schema(conn, 200) == %{"error" => "Invalid password."} | |||
| end | |||
| @@ -288,10 +282,9 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do | |||
| conn: conn | |||
| } do | |||
| conn = | |||
| post( | |||
| conn, | |||
| "/api/pleroma/change_email?#{URI.encode_query(%{password: "test", email: "foobar"})}" | |||
| ) | |||
| conn | |||
| |> put_req_header("content-type", "multipart/form-data") | |||
| |> post("/api/pleroma/change_email", %{password: "test", email: "foobar"}) | |||
| assert json_response_and_validate_schema(conn, 200) == %{ | |||
| "error" => "Email has invalid format." | |||
| @@ -301,7 +294,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do | |||
| test "with proper permissions, valid password and no email", %{ | |||
| conn: conn | |||
| } do | |||
| conn = post(conn, "/api/pleroma/change_email?#{URI.encode_query(%{password: "test"})}") | |||
| conn = | |||
| conn | |||
| |> put_req_header("content-type", "multipart/form-data") | |||
| |> post("/api/pleroma/change_email", %{password: "test"}) | |||
| assert %{"error" => "Missing field: email."} = json_response_and_validate_schema(conn, 400) | |||
| end | |||
| @@ -310,10 +306,9 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do | |||
| conn: conn | |||
| } do | |||
| conn = | |||
| post( | |||
| conn, | |||
| "/api/pleroma/change_email?#{URI.encode_query(%{password: "test", email: ""})}" | |||
| ) | |||
| conn | |||
| |> put_req_header("content-type", "multipart/form-data") | |||
| |> post("/api/pleroma/change_email", %{password: "test", email: ""}) | |||
| assert json_response_and_validate_schema(conn, 200) == %{"error" => "Email can't be blank."} | |||
| end | |||
| @@ -324,10 +319,9 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do | |||
| user = insert(:user) | |||
| conn = | |||
| post( | |||
| conn, | |||
| "/api/pleroma/change_email?#{URI.encode_query(%{password: "test", email: user.email})}" | |||
| ) | |||
| conn | |||
| |> put_req_header("content-type", "multipart/form-data") | |||
| |> post("/api/pleroma/change_email", %{password: "test", email: user.email}) | |||
| assert json_response_and_validate_schema(conn, 200) == %{ | |||
| "error" => "Email has already been taken." | |||
| @@ -338,12 +332,9 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do | |||
| conn: conn | |||
| } do | |||
| conn = | |||
| post( | |||
| conn, | |||
| "/api/pleroma/change_email?#{ | |||
| URI.encode_query(%{password: "test", email: "cofe@foobar.com"}) | |||
| }" | |||
| ) | |||
| conn | |||
| |> put_req_header("content-type", "multipart/form-data") | |||
| |> post("/api/pleroma/change_email", %{password: "test", email: "cofe@foobar.com"}) | |||
| assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"} | |||
| end | |||