[hg] galaxy 3454: Passwords are no longer changed ( sanitized ) ...
details: http://www.bx.psu.edu/hg/galaxy/rev/29bb8ebb3a59 changeset: 3454:29bb8ebb3a59 user: Greg Von Kuster <greg@bx.psu.edu> date: Mon Mar 01 16:07:54 2010 -0500 description: Passwords are no longer changed ( sanitized ) as part of processing the request. Enhanced functional tests to cover the scenario where passwords include chars that break in sanitization. diffstat: lib/galaxy/web/controllers/requests_admin.py | 4 +- lib/galaxy/web/controllers/user.py | 30 ++++++++++++++++----------- test/base/twilltestcase.py | 5 +++- test/functional/test_user_info.py | 7 ++++- 4 files changed, 29 insertions(+), 17 deletions(-) diffs (118 lines):
diff -r 58ba6e72d803 -r 29bb8ebb3a59 lib/galaxy/web/controllers/requests_admin.py
--- a/lib/galaxy/web/controllers/requests_admin.py Mon Mar 01 16:00:26 2010 -0500
+++ b/lib/galaxy/web/controllers/requests_admin.py Mon Mar 01 16:07:54 2010 -0500
@@ -1703,7 +1703,7 @@
# data transfer info
rt.datatx_info = dict(host=util.restore_text( params.get( 'host', '' ) ),
username=util.restore_text( params.get( 'username', '' ) ),
- password=util.restore_text( params.get( 'password', '' ) ),
+ password=params.get( 'password', '' ),
data_dir=util.restore_text( params.get( 'data_dir', '' ) ))
trans.sa_session.add( rt )
trans.sa_session.flush()
@@ -1775,7 +1775,7 @@
# data transfer info
rt.datatx_info = dict(host=util.restore_text( params.get( 'host', '' ) ),
username=util.restore_text( params.get( 'username', '' ) ),
- password=util.restore_text( params.get( 'password', '' ) ))
+ password=params.get( 'password', '' ))
trans.sa_session.add( rt )
trans.sa_session.flush()
# set sample states
diff -r 58ba6e72d803 -r 29bb8ebb3a59 lib/galaxy/web/controllers/user.py
--- a/lib/galaxy/web/controllers/user.py Mon Mar 01 16:00:26 2010 -0500
+++ b/lib/galaxy/web/controllers/user.py Mon Mar 01 16:07:54 2010 -0500
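Review bot: Both requests_admin.py hunks (@@ -1703 and @@ -1775) still take the password from `params`, the util.Params object that the user.py hunks of this same commit describe as already sanitized, so dropping restore_text here stores the sanitized spelling of the password in rt.datatx_info rather than the raw one — the opposite of what user.py now does with `kwd.get( 'password', '' )`. Unless util.Params leaves this value untouched, the added lines should read `password=kwd.get( 'password', '' ),` and `password=kwd.get( 'password', '' ))` respectively, assuming the unsanitized keyword dict in these two functions is also named kwd (their signatures are outside the hunk). It is also worth a comment on the dict construction that datatx_info carries a plaintext credential, since it is flushed to the database as-is and any view or log that dumps the dict would expose it.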
@@ -167,12 +167,14 @@
@web.expose
def create( self, trans, **kwd ):
params = util.Params( kwd )
- email = util.restore_text( params.get('email', '') )
- username = util.restore_text( params.get('username', '') )
- password = util.restore_text( params.get('password', '') )
- confirm = util.restore_text( params.get('confirm', '') )
- subscribe = CheckboxField.is_checked( params.get('subscribe', '') )
- admin_view = params.get('admin_view', 'False')
+ email = util.restore_text( params.get( 'email', '' ) )
+ username = util.restore_text( params.get( 'username', '' ) )
+ # Do not sanitize passwords, so take from kwd
+ # instead of params ( which were sanitized )
+ password = kwd.get( 'password', '' )
+ confirm = kwd.get( 'confirm', '' )
+ subscribe = CheckboxField.is_checked( params.get( 'subscribe', '' ) )
+ admin_view = params.get( 'admin_view', 'False' )
msg = util.restore_text( params.get( 'msg', '' ) )
messagetype = params.get( 'messagetype', 'done' )
if trans.app.config.require_login:
@@ -413,11 +415,11 @@
login_info = { 'Email': TextField( 'email', 40, util.restore_text( params.get('email', '') ) ),
'Public Username': TextField( 'username', 40,
- util.restore_text( params.get('username', '') ) ),
+ util.restore_text( params.get( 'username', '' ) ) ),
'Password': PasswordField( 'password', 40,
- util.restore_text( params.get('password', '') ) ),
+ params.get( 'password', '' ) ),
'Confirm': PasswordField( 'confirm', 40,
- util.restore_text( params.get('confirm', '') ) ),
+ params.get( 'confirm', '' ) ),
'Subscribe To Mailing List': CheckboxField( 'subscribe',
util.restore_text( params.get('subscribe', '') ) ) }
# user information
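Review bot: create() now reads `password` and `confirm` from the raw kwd, but the comparison of the two values and any length validation happen further down the method, outside this hunk; confirm those later steps use these raw values rather than anything re-read from params, or a password containing characters the sanitizer rewrites will mismatch on the later check. The two-line "Do not sanitize passwords" rationale is also repeated three times in this file (here and twice in @@ -531); a single comment near the top of the class, or a small helper such as `_raw_kwd( kwd, name )` returning `kwd.get( name, '' )` with the explanation in its docstring, would keep the reasoning in one place. create() begins inside the hunk but continues past it.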
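Review bot: In the @@ -413 hunk the re-rendered form pre-fills `'Password'` and `'Confirm'` with the submitted value, and after this change that is the sanitized params value while create() (@@ -167) uses the raw kwd value, so a user whose first attempt failed validation would see, and on resubmission send, the sanitized spelling of their password — the very mismatch this commit sets out to remove. Assuming PasswordField's third argument becomes the rendered field value (its definition is outside the hunk), the safer fix is not to echo passwords into the response at all: `'Password': PasswordField( 'password', 40, '' ),` and `'Confirm': PasswordField( 'confirm', 40, '' ),`, which also keeps the credential out of the HTML body and anything that caches it. The method that builds login_info starts and ends outside the hunk.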
@@ -531,11 +533,15 @@
# Change password
#
elif params.get('change_password_button', None) == 'Save':
- password = util.restore_text( params.get('password', '') )
- confirm = util.restore_text( params.get('confirm', '') )
+ # Do not sanitize passwords, so get from kwd and not params
+ # ( which were sanitized ).
+ password = kwd.get( 'password', '' )
+ confirm = kwd.get( 'confirm', '' )
# when from the user perspective, validate the current password
if params.get('admin_view', 'False') == 'False':
- current = util.restore_text( params.get('current', '') )
+ # Do not sanitize passwords, so get from kwd and not params
+ # ( which were sanitized ).
+ current = kwd.get( 'current', '' )
if not trans.user.check_password( current ):
return trans.response.send_redirect( web.url_for( controller='user',
action='show_info',
diff -r 58ba6e72d803 -r 29bb8ebb3a59 test/base/twilltestcase.py
--- a/test/base/twilltestcase.py Mon Mar 01 16:00:26 2010 -0500
+++ b/test/base/twilltestcase.py Mon Mar 01 16:07:54 2010 -0500
@@ -745,7 +745,10 @@
self.create( email=email, password=password )
except:
self.home()
- self.visit_page( "user/login?email=%s&password=%s" % ( email, password ) )
+ self.visit_url( "%s/user/login" % self.url )
+ tc.fv( '1', 'email', email )
+ tc.fv( '1', 'password', password )
+ tc.submit( 'Login' )
self.check_page_for_string( "Now logged in as %s" %email )
self.home()
def logout( self ):
diff -r 58ba6e72d803 -r 29bb8ebb3a59 test/functional/test_user_info.py
--- a/test/functional/test_user_info.py Mon Mar 01 16:00:26 2010 -0500
+++ b/test/functional/test_user_info.py Mon Mar 01 16:07:54 2010 -0500
@@ -20,7 +20,6 @@
return fdc.latest_form
return None
-
class TestUserInfo( TwillTestCase ):
def test_000_create_user_info_forms( self ):
"""Testing creating a new user info form and editing it"""
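Review bot: The new `current = kwd.get( 'current', '' )` verification only runs when `params.get('admin_view', 'False') == 'False'`, so whether the caller has to prove the current password is decided by a request-supplied parameter; the hunk does not show the other branch being restricted to administrators, and unless that is enforced elsewhere in the method (outside the hunk) the current-password check is skipped for any request that sets admin_view. The skip should be tied to the session's admin status, not to admin_view alone — only an authenticated administrator should be able to reach the path that bypasses check_password — and a comment on the `if` line saying which side enforces that would make the invariant visible. The enclosing method starts and ends outside the hunk.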
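Review bot: The removed twilltestcase.py line shows why passing credentials in a query string broke here: a `#` in the password ends the URL at a fragment, and the password also ends up in server logs and browser history, so moving to form fields is the right direction. The `self.create( email=email, password=password )` call in the try block just above is outside the hunk; if it still passes the password inside a URL the way the removed line did, the new test password containing `#` would be silently truncated there and the login fallback would mask it, so confirm create() also submits via form fields. The bare `except:` above the change would hide exactly that failure, though it predates this commit.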
@@ -127,7 +126,11 @@
user = sa_session.query( galaxy.model.User ) \
.filter( and_( galaxy.model.User.table.c.email=='test11@bx.psu.edu' ) ).first()
self.edit_login_info( new_email='test11_new@bx.psu.edu', new_username='test11_new' )
- self.change_password('testuser', 'new_testuser')
+ self.change_password( 'testuser', 'testuser#' )
+ self.logout()
+ self.login( email='test11_new@bx.psu.edu', password='testuser#' )
+ self.edit_login_info( new_email='test11@bx.psu.edu', new_username='test11' )
+ self.change_password( 'testuser#', 'testuser' )
self.edit_user_info( ['Research', 'PSU'] )
def test_020_create_user_as_admin( self ):
''' Testing creating users as an admin '''
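Review bot: The added round trip exercises only `#`, while the commit description says the bug affects "chars that break in sanitization"; a small loop over a list of such characters (whatever util.Params rewrites — the hunk does not show that set) running the same change_password/logout/login/change_password sequence would cover the regression rather than one special case. The test does restore the account to its starting email, username and password, which matters for a shared fixture and deserves a one-line comment such as `# restore the original credentials so later tests start from a known state`. The enclosing test method starts outside the hunk.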