Fix validation problem that occurs when a user tries to deactivate their account or change their password. (#13563)
This commit is contained in:
parent
2c42673a9b
commit
3a245f6cfe
|
@ -0,0 +1 @@
|
||||||
|
Improve validation of request bodies for the following client-server API endpoints: [`/account/password`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpassword), [`/account/password/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpasswordemailrequesttoken), [`/account/deactivate`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountdeactivate) and [`/account/3pid/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3account3pidemailrequesttoken).
|
|
@ -196,7 +196,7 @@ class PasswordRestServlet(RestServlet):
|
||||||
params, session_id = await self.auth_handler.validate_user_via_ui_auth(
|
params, session_id = await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester,
|
requester,
|
||||||
request,
|
request,
|
||||||
body.dict(),
|
body.dict(exclude_unset=True),
|
||||||
"modify your account password",
|
"modify your account password",
|
||||||
)
|
)
|
||||||
except InteractiveAuthIncompleteError as e:
|
except InteractiveAuthIncompleteError as e:
|
||||||
|
@ -219,7 +219,7 @@ class PasswordRestServlet(RestServlet):
|
||||||
result, params, session_id = await self.auth_handler.check_ui_auth(
|
result, params, session_id = await self.auth_handler.check_ui_auth(
|
||||||
[[LoginType.EMAIL_IDENTITY]],
|
[[LoginType.EMAIL_IDENTITY]],
|
||||||
request,
|
request,
|
||||||
body.dict(),
|
body.dict(exclude_unset=True),
|
||||||
"modify your account password",
|
"modify your account password",
|
||||||
)
|
)
|
||||||
except InteractiveAuthIncompleteError as e:
|
except InteractiveAuthIncompleteError as e:
|
||||||
|
@ -316,7 +316,7 @@ class DeactivateAccountRestServlet(RestServlet):
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester,
|
requester,
|
||||||
request,
|
request,
|
||||||
body.dict(),
|
body.dict(exclude_unset=True),
|
||||||
"deactivate your account",
|
"deactivate your account",
|
||||||
)
|
)
|
||||||
result = await self._deactivate_account_handler.deactivate_account(
|
result = await self._deactivate_account_handler.deactivate_account(
|
||||||
|
|
|
@ -322,3 +322,18 @@ class DeactivateAccountTestCase(HomeserverTestCase):
|
||||||
)
|
)
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_deactivate_account_needs_auth(self) -> None:
|
||||||
|
"""
|
||||||
|
Tests that making a request to /deactivate with an empty body
|
||||||
|
succeeds in starting the user-interactive auth flow.
|
||||||
|
"""
|
||||||
|
req = self.make_request(
|
||||||
|
"POST",
|
||||||
|
"account/deactivate",
|
||||||
|
{},
|
||||||
|
access_token=self.token,
|
||||||
|
)
|
||||||
|
|
||||||
|
self.assertEqual(req.code, 401, req)
|
||||||
|
self.assertEqual(req.json_body["flows"], [{"stages": ["m.login.password"]}])
|
||||||
|
|
Loading…
Reference in New Issue