mirror of
https://github.com/netbox-community/netbox.git
synced 2024-05-10 07:54:54 +00:00
Fixed password was not hashed on REST API update (#14340)
* Fixed password was not hashed on REST API update * When we updated a user password with a REST API call the password was stored in clear in plain text in the database. * Following code review * Move test on UserTest class * Call `super().update()` in overriding `update` method * Return directly the result of `super().update()`
This commit is contained in:
Vincent Simonin
GitHub
@ -52,6 +52,16 @@ class UserSerializer(ValidatedModelSerializer):
|
|||||||
|
|
||||||
return user
|
return user
|
||||||
|
|
||||||
|
def update(self, instance, validated_data):
|
||||||
|
"""
|
||||||
|
Ensure proper updated password hash generation.
|
||||||
|
"""
|
||||||
|
password = validated_data.pop('password', None)
|
||||||
|
if password is not None:
|
||||||
|
instance.set_password(password)
|
||||||
|
|
||||||
|
return super().update(instance, validated_data)
|
||||||
|
|
||||||
@extend_schema_field(OpenApiTypes.STR)
|
@extend_schema_field(OpenApiTypes.STR)
|
||||||
def get_display(self, obj):
|
def get_display(self, obj):
|
||||||
if full_name := obj.get_full_name():
|
if full_name := obj.get_full_name():
|
||||||
|
|||||||
@ -54,6 +54,38 @@ class UserTest(APIViewTestCases.APIViewTestCase):
|
|||||||
)
|
)
|
||||||
User.objects.bulk_create(users)
|
User.objects.bulk_create(users)
|
||||||
|
|
||||||
|
def test_that_password_is_changed(self):
|
||||||
|
"""
|
||||||
|
Test that password is changed
|
||||||
|
"""
|
||||||
|
|
||||||
|
obj_perm = ObjectPermission(
|
||||||
|
name='Test permission',
|
||||||
|
actions=['change']
|
||||||
|
)
|
||||||
|
obj_perm.save()
|
||||||
|
obj_perm.users.add(self.user)
|
||||||
|
obj_perm.object_types.add(ContentType.objects.get_for_model(self.model))
|
||||||
|
|
||||||
|
user_credentials = {
|
||||||
|
'username': 'user1',
|
||||||
|
'password': 'abc123',
|
||||||
|
}
|
||||||
|
user = User.objects.create_user(**user_credentials)
|
||||||
|
|
||||||
|
data = {
|
||||||
|
'password': 'newpassword'
|
||||||
|
}
|
||||||
|
url = reverse('users-api:user-detail', kwargs={'pk': user.id})
|
||||||
|
|
||||||
|
response = self.client.patch(url, data, format='json', **self.header)
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
updated_user = User.objects.get(id=user.id)
|
||||||
|
|
||||||
|
self.assertTrue(updated_user.check_password(data['password']))
|
||||||
|
|
||||||
|
|
||||||
class GroupTest(APIViewTestCases.APIViewTestCase):
|
class GroupTest(APIViewTestCases.APIViewTestCase):
|
||||||
model = Group
|
model = Group
|
||||||
|
|||||||
Reference in New Issue
Block a user