From bf72b10d89fd24ab65ae5e1c87c9c97b869bfcce Mon Sep 17 00:00:00 2001
From: Julian Rother <julian@cccv.de>
Date: Sat, 4 Sep 2021 23:21:06 +0200
Subject: [PATCH] Make sure that users can only confirm their own verification tokens

Fixes #26.
---
 tests/test_selfservice.py | 3 +--
 uffd/selfservice/views.py | 4 +++-
 uffd/translations/de/LC_MESSAGES/messages.mo | Bin 31369 -> 31578 bytes
 uffd/translations/de/LC_MESSAGES/messages.po | 16 ++++++++++++----
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/tests/test_selfservice.py b/tests/test_selfservice.py
index da3c94dd..c7c4b14c 100644
--- a/tests/test_selfservice.py
+++ b/tests/test_selfservice.py
@@ -165,7 +165,6 @@ class TestSelfservice(UffdTestCase):
 _user = request.user
 self.assertEqual(_user.mail, user.mail)
 
- @unittest.skip('See #26')
 def test_token_mail_wrong_user(self):
 self.login_as('user')
 user = request.user
@@ -176,7 +175,7 @@ class TestSelfservice(UffdTestCase):
 db.session.commit()
 r = self.client.get(path=url_for('selfservice.token_mail', token=admin_token.token), follow_redirects=True)
 dump('token_mail_wrong_user', r)
- self.assertEqual(r.status_code, 200)
+ self.assertEqual(r.status_code, 403)
 _user = request.user
 _admin_user = self.get_admin()
 self.assertEqual(_user.mail, user.mail)
diff --git a/uffd/selfservice/views.py b/uffd/selfservice/views.py
index ca1f0248..1ee8c668 100644
--- a/uffd/selfservice/views.py
+++ b/uffd/selfservice/views.py
@@ -1,6 +1,6 @@
 import datetime
 
-from flask import Blueprint, render_template, request, url_for, redirect, flash, current_app, session
+from flask import Blueprint, render_template, request, url_for, redirect, flash, current_app, session, abort
 from flask_babel import gettext as _, lazy_gettext
 
 from uffd.navbar import register_navbar
@@ -122,6 +122,8 @@ def token_mail(token):
 
 return redirect(url_for('selfservice.index'))
 user = User.query.filter_by(loginname=dbtoken.loginname).one()
+ if user != request.user:
+ abort(403, description=_('This link was generated for another user. Login as the correct user to continue.'))
 user.set_mail(dbtoken.newmail)
 flash(_('New mail set'))
 db.session.delete(dbtoken)
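Review bot: The ownership check on the two added lines compares ORM objects (`user != request.user`), which only works if `User` defines equality or both references resolve to the same identity-map instance; comparing the stored login name is explicit and can run before the extra query, e.g. `if dbtoken.loginname != request.user.loginname:` placed right after the expiry branch. The 403 also tells a logged-in user that a token they do not own exists and is still valid, whereas the unknown/expired-token path above redirects; handling a foreign token exactly like an unknown one (same redirect, no token deletion) would remove that distinction, though with random token values this is a minor oracle. Whether the route is login-protected, so that `request.user` is never None here, is not visible in the hunk, and the token_mail body starts and ends outside it.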
diff --git a/uffd/translations/de/LC_MESSAGES/messages.mo b/uffd/translations/de/LC_MESSAGES/messages.mo index 89920cdc366a7daa31d3fb1afc9fceef4be3562d..73bf24fe50496a1513b4d3dd910f143915714e7a 100644 GIT binary patch delta 5151 zcmeDD%6RJ=WBolLmZ=O33=D>h3=A?13=B&+K|BQ35oTcEXJBB^6=q-%W?*2j6=q;y zV_;wi6lP%XVPIg05N2TDVPIfbD$KyZ#lXO@3CiCK<)0E}VBlq7V7MyGz`)MH!0=d@ zfkA|Uf#J0<1A`(1Lp_*h&%nT-B*MU8$iTpmB*MT@$iTobMFgUeO_YHlnt_2qM3jMH zIRgVjfhYrmI|BoQgct)uEdv8Xf*1pX5(5LnJuwCbHwFd<MsWrPNd^W64{-(tF_3xU z5D!#}GcZ^%FfeqALmYZY9ORLD28Od>1_Q$tsKVRg3=9q+7m715ure?(=tw|lBMFED zEhHcYW=SwG$TBc6R7o%}h%zuR%#dJUkY-?DSSP{2AjrVLa7u!KfrEj8;f@5vAx|YB zA^1mvfq{>Kfk8l$fq}c8fq_9@65=9lNr(nBNs!AJ80;k>2D?c@f;a}Gfq{V`QxY6# z45d)<E+{=+5@Nv;Nd^W>1_p*5P;)*(<$p?ogPeg)3Sy6j6azy&DDDiUAQst4F)*kz zFffEjF)&CmFfi0eF)*YsFfdGq%KwpqxLimYLMuu$FeorEFc?TPFj#}qgfs&KC@OoU z85lAd7#Pk<L*m?A24bPT48&s|G7Jm?3=9nZG7R<L#FZe!z`zZPTNwrhW{|})kf3ak zVPKGBU|^Ud1F>MY3?xl_hZ@8x3vmdKECa(;1_lOcSq6p*1_p+YvJ4Cp85kI{<RIq! zk%L$)A<w{|3<`01NEABD*Fy{lh6*IfLlRSwJOjgK1_p+yP;pNMh)*IFAc-qcfq_As zfq|h~0TSes6(BxZ4(0DqfaIn#3J{B5DnLB=0V@AT0b;K}y&@z|<P{-7=cov=s8JE3 zu~U(OL7RbrVS*wg5$;ihIN*>X0|N^vaVat|fO70ZMMzY<R%BpMWnf_7QG$e=krD%g z3n*%oAW=I_2@(SPlpyBSKT?7uz86phpOqj6NGmfi$TKi7I4VOdOjKq7=lg191_liV z28JeOh=r?_Ar3jC3`wLHl_5cUPZ^S?-YGLM=rS-cu&6-P8>v8i9;^cPXgx!c3d8|f zDiDpOP=2clB*-SHKzukyg@Hkzfq`L}3dF)|Dhv#v3=9mnq3R7)A!)}(72*&FDDA5X ziJB-?1_mJp28L`^NC?!ag3PUFU|6II@#z{>1_l)d28J`LknHtQm4RUj0|Nt_8Uw>d z1_p-NYLHays}7;V)FB4Pt3%R2fjR?&CIbUQi#jB~uY>ZBszW^TULE4F-|CR4=FnhZ zNC)MA4-JTd4I1DeVc4SqG4O~6B&cp^FfimZFfcsVU|?utU|<N>gye#Inh=M)(S%s| z6)Mi7#lT?8z`!7-1&Oi<El9}5Yk_>sz>u#6F}G5SfuSChy*jiQ7_=A|7?wj7T+)JA za0kkNr3FbWU$h_v%P%cR`Cy_ANelkkkSM9phFDmu&A<==3JGn9$L?w~Fi0>kFuc@; zgaDHcB!u~O80x`Aq>2v2MY=i=1vWYi3^N!Q7(8_#K76DDanNfWNRa=88o;Fsu~1$Y zl7`fDA#rS|3keYyT}UMrtqUm^R_H<;rl`ljFbPz2>(xUH;MIqe?IQXN46O_d3~u@i z3==?UK_8O(V+|ltQf|P&u$X~?q1%9gA%KB_LEjLPsv8U$7z`K~7#12r(!eD{NJ#xL zgj7~$Mi6uAj3DY~7%?z7GB7agtT%#GHouJ^snW(65|jzXkRVSrhGe5`V+Mw|3=9m7 
z#*j)U-vpA{drcrAGSLJQf{RQb9@=Qaz>o*3156kgJQx@l)J+)}yg((aDI|^UHf3P2 zVPIgWKWqvKat1Sqg}i2vI1@I57EERkhdG)-3Y1hchy^WX5Fd3z`Af|psd|kW149%8 z1H&6LNVV;54xtyDLxTLjIRir~0|Ub(3kHyt^$b5O7#LzeL21dr;L5<j&|?WH@h(|1 zFdSoGVEAVV@ySsuNd0bN&A?CsDtfIM7>pSh7(Q4-e6C^x2~uMlND*FY!@!^hs+Mga zX<)w%1A`H$WVD6YV{Z#8=;|35T5Tbf#A;gxhEfIwhU2!7vfb7WlDb3fASGCx9Rouo z0|UbvI|hbCP`O|ap)>431~D+4vS(m80&<W&0|Tf@wbcQVXuTaFAr<Ke3E5&th<){r z3=Axw{6E_flFAo2LQ?TcM+OEa1_p*Lj*z(84yE@yLh|u(M+SyoMh1rKj*!%z>I_Mo z70wWIdYmC4I@KAHHa<B+EM|6rIEdc`Vvno~14BKiNYrqF#J#l(B(XWVK+1z~7l@CW zTo@RfL6waQ14A4G1A~GqB>&dCGB6~Anrf~L3~Lw|7=E}yqG+ib149ug4Y)yy?09zu zhF}H;hJJU5&mX%(?D_A`P!BGXMLif8Oc@v$G&~?Ki}Qe#RGA)-5GeM5_@vqcVnL4w zB+*`ms(;`CNqnz8AVs*gCnOC7K<Q#nNP#uYlL6c`+vo{N#D_iWAwhBqs^Eqv#Aly9 zA&H8^3qp%~K^&y!1qosUFG&4v=>;(`%nRb63@?cOQYgO*N>BHK_<V^Mq&zs_1@Rb1 zy*I=F0dGhFqT~&Ut6(S{?+q!*vb`A?^gz|FHzfaW^oCSU=e;47SBeiL4Yc?`96ZB^ zfk6jUr29Z}#T6e&6o~mkTFqI$kdUr_;R|v3XJ3em82lgxari+Jmy91I(dqj^3LJYs zNVanJgXD@VKL&;nP&V^}c;u}g#GL<rkSJsKXJB{*YOeb;FjO)yFfa!&Fsx=^V5kiM zm$>x|nt>1>M+brn1cvlLh{f{)AqH*?garNJKuFPfHjshg5Ca3lyFiG;HU>fD4+cR( z=5!DwalH(J#QFaqh<Q@MkQR_`FeIcygFzux&%n?IW-u^J4Tfk~5)27}{lSm|<8m;h ztY-^>SQs7xad3JFq?#=bfjD4e2qf|C4q*T{%^rk6(#q2iNMd{!0&##~C?r={hB7e3 zf%1Q5C<7?e8BT;kd?+3U(P$9{vB)tDk~@6EAZegE3=+4S!XQ4r4^{scD$f=UvA{GO z<U<CAR482%4oQT~;gG~TKb(P~-im>NVNW<DF29FEf?PEMk~qwvv{M8`+&2P}*y1A~ z4y})Xgw%ovNb`J41jOebA|M6O*9b_^2Sq~CPHH5?L79<|_CQ4>H2+VGgcP|;A|XZY zo=8Zdd>RP}(oc~P2Z~2Qa)WCW1H(!N28Ng@28IKmqBt7j;N#Jdkh>HOvG{g0ME$#H zNXW6qKoYM>45ZeLj)AuS=fptbc6AJ-y4)QDsbpAUA*r}B7E)kzLHQG7Ar4*?%fQgX zz`(F8mVsd%0|SG593-T^#X&s45f4dIqVW))8^kj(I599V*vCWCOjCV4q`>HjhiF_F z4{`D4ct|aHDjrf#e~X9s&^Q5-ChQU*e6IwE!$K1vQ4o^=iQ5?o3=Ad=3=CTnAQruX z(q9r77;-_iD%70%oJ2_NRgnk@fq99LxLKD7$;ZbNAwhW_D*q^vfngN`1H-38NXa=j z3F3j(Nf3Ppk|4F+%_K-R{G0^w7-urX9_eIAlsYDZ(?~r-S~3H}ECvRK!^x16DJ})l z_Pdh;@mXmqB(>M1GBC_!U|?983Ta3<r$MsSwKPc3{!D|E3moZ?*7E6eNF`>S0qFsy zWk8x{t1}>#+0_gNh9J=RgJdQo8|7p|Eb7W+VDM&OVA!6?z~ITiz`&dZDF=MBAgQ<^ 
z3zEuPvLHU}%wk{=VPs&Kp9M+0Te2bQ?q);GeV7eV_dgqwCPZ@>7_vbF9ytsQcA)&< zmjkirYz`z&#d8@L0znFLAwgS`3rW?TxsbS@lne36yj)1CK9LK_*WYs?76|7-vZq2G z#5~75NTuVG2dS2)<UzXU?D-4~^`P!@VLk)H1_lO(SNV|oeRct)n*CM4z)%J10~SIY zw5Jdfq<lpT44)Vn7%Yn*Ehe2}NSkj_F#|&f0|Ud~Vo2g^D}luQ?h;7#e6|FVIC)DU z9?&XfsAup64LFoS%Kk;A5SQL8h2(d|GDr~mmqFq_w+!M__HszArd$p&D775ov;J~O zCBsw!;n!3^EPP+V!0;K=_N#<+>p{K(4bg0=3V`I#V^xr#dsqc&<-V(e#4&F*B*=xJ zv|KerT&o%qCHmEnTw+lTN%aoZo27)=<oq%+ixqM*^RgAn6N?qnQ}a@b5=&B36w>mG z6cY3DOEOZ66iSOzi}VzH^3yZ(6cURSN-|OvlJkp-Qj<%-QVJ#c3d#9-C7F4pshedD z_X@C^Di|18nV4^W=-8<$=8~COoLZ#d1Gb~IC?!=P?eLzW$s4@I9aD>nOHy-kO7s+b zQ*%;M6;d*jGZb<&OB7O4a}|m*lQT*((^K;l9FvptOY=$;67v*Fa~0h3i%P0W(-Jd^ MQu8)vq$>&o0QvHe?f?J) delta 4963 zcmcchjj{79WBolLmZ=O33=9U03=A?13=DHPK|BPO5oTcEXJBBE6=q-%W?*2@6=q;y zV_;x#6lP%XVPIhJ5N2TDVPIgGD$KyZ#lXO@2+Cgz<?j+^VBlq7U^ptwz`)MHz;IcZ zfkA|Uf#J3=1A`(1Lp{R>VFm_!1_lNp5e5cB1_p*85e9}r1_p)}5s1cbA`A@C3=9k` zq6`en85kH6L>U;|85kHi#26TA85kG>#26Tq7#JANi7_y^F)%QE6k}kJWME*h5NBWz z1DPid@j#|H1A_$v14E@a#G#wSK_01RVAu<0Ffbf}Dm*RDz~BIKp*RBrD+2?Aj0A*M zl7Ki+Ljq!8lmr8VECT~WmIMQXC<6mShXezIGy?;}JP8H{K?VkfT@nlo91IK$XCxpF zxheq(!8Z~N41AyfmSkYyu4iCi;FpBBNLmu2K}{0mG6n{HNr=H_l8_+w0cl`hV2G52 z1Ys&vyb4OUOF}G|BFVsD$-uy{0&319sQgPwaF8>6gW4k@#lTPxiaSLqh(&r*3=HZF z3=A$(3=C2X3=BC^3=Am@3=Hj1`8QG!morI2XhCTP1_cHN1_fyb25V57kcLEMtuzBe zCIbV*UTH|2tII$<rY{5Wn1u`jg8%~qgS`wxJvea%$S^Q)gW^_(fq@xhu?!?A3uG7= z<QNzjdSoCLtd@bKiRVy*zRExx@<)b&;VJ_I1Gg*#Lj?l^!$VmHhKURe3{i3rbKb~7 zEas4BU{D5yxI82Zjpgeh1~@|ng5)8IDM_AzVKV~*Ln~C=QUT%<PX$Qg3RGZV5NBXu z$X0*^d9wn<N7JGF6$+5tv_}DA@l6GY2OmJ?-zY%rWvEw##0kG5B<KtkAr=)XLNrz? 
zGB9W}FfcSILK5K`MTi47DKapyfD)G?0|O|>UQ~oc#cf3f22}<IhChmskW*4(U~mCN zjS?hk+ms+7uuchLUi~E{NaDKzRq$8|VgR=?1A{yR1B0P5#KJ&j25`R5R%T$(U|?V< zQifPKTN&bzJ<5<odQce>wC9u|Y3iOb1A{ID1H%`ndL<Qz&z)7k9<65xQh_)iN(G`Z z70NGFfdpBD3dDy!Dhv$z3=9m@R3H`}Q(<5TWnf@94OOqG3Q0RUst|`5Kxtc5NYr?# zGB5}+Ffc@`LP8)<6=ZHb1H&X$h)?IJGBBtxFfi;<g=DXXstgQM7#JA7sWLEZWME+E zR)eHsTXhKSrVcUKUmcPL64V(OG#MBeO4K3weIAs*RUP7y`|1#fy;g@r^$&FhhICN= zx6ptnSfBw85{5Mz5CgYpK!WOo1_MJr0|Uc#4F-lb1_lOqO-L>{rwMV$9ZiUZPod&} zG#MCd85kJ2v>;LDp#=$9e=U%Y85rWVAm(OjF)-AFvR8!`1A`U=1H*Kvf<sym3(i3K zx3nOM<%t%gV0onlDIZj{A!)&08xkcM+7JtKwHX*9Kp~+G@z_~y1_lWR28Ns3kP!H! z4GH1@+6?vJB2q*L;v!ichyooQ28J073=Eb!5FcLBfjH>44kXB5>Oc(mr30~$Ul)>w z#B?EXtf&hK5ffcVCFQLPDHmqwLL4Tj$G|WNRCMdrLk#$<2PxZG^cfgh85kJM^cff? zfYO3KB=!3mK%ykwfPrB#0|P^~0VMUy8!|8$FfcGU7((K{&=3+rvkf7Y)Kx=>epw@k zdUGQN21f=4h6p1_9W$%m2$C9a8$p8bzY!#;S&Sjshs&6O;Vr0$HHK6+d?wITZUPAj z0~1KdIhsH`5@5o>kjKEl5N^W2;K9JaaLj~(!3$L4nL^T5lqmy)4Fdy1k|`vl>*t$7 zEL>v>iK|Vf44`_MVV^0)VGm3p1qq88!~$hAh>x_Od>1oFYW6l`V2A?c5;I73{R~Pw znL~nlo;d?UDyTfMU|=u<r8Nr%h8R%&f6jt|!Igo5LE92i(iK`VFdSoGV3=zO@kxpm zq+Y*l#lTR)z`!77&A?#Hz`)RN4e|M5Ye<k@vW67hA~p;RY77hv<~ESHkF#N5Fk)a} zSZxEb=bjCufK#yr)eZFw3|_Vj45bVV3~9EIGX0J%BvpU0g_K;fb_@)W3=9n3b_@)O z3=9lQp)|Wa#Gp)j28JUb2iY?)fSOVv4v@t9$^jBmKO7(-E93~WkbyzY5far_jtmSO zp!{#|2uZyjjtmS;3=9mxj*z$tgVJ%1ko=qG$iUFc$iPtM2ubBE&X7bY?hMH#+Ror0 zWiWAuq>YKr5Q`T%Lmafu8Dh^KXNdme&I}Copcc+8XGmgu;0!4TzBxmDtmwkP;0#Lb zE({ED3=9nWT_D*`&Xs{7nSp`9*p-1{4Ja;MAyMSw#=uYnN&{|?qWYg314A$a1B0GB z#OF=!5PRmiLmaThouQt=l!1ZaxI4sUf88M^6o&^S1cW>wK9TZ(SfK3zNwq~D5cTyQ zki^&J0V%pqc|g*@dnhgB2`Q*dJt0l908dCFPV$6=NTz2!L_xVH#AlN{A&F`^l-}kE zanMmuND!a*gw*Rdpay>RggA)Z3!-1d3&Pig(q>)|pF4X&%7b_>h{u+DK^(Nc-V0KI z9Q1<3)h8(Z&kIt5ad|T^=rJ%bD0)Nke}FfnQp)p&R9ehFkTjs|197;y4+Db^0|SGb z4<uI<`#_>#s}H2L%;^gWxprTOL+dB`LR>W87h=$IUr5~S_Jt(6bH0!Q=bkSlTRrlH z<O)td28Iw&HuHn{q{k0p&OARzlr8gPV0gvAz_8tqfuR!AFYsqzSPg1T2S7^N69Hfk z*E9SIfD{O9fe?#r10e<m1VVy7DG*Y0<^(b@9AaQ#=naH8EFcIXpAZBInXDj4;_3*3 
zMCrUBh<Q7MAT6IWL6DIC5(Eh;)nE`^&%j_34AI~m3<-g_U`T;c6wJU70Lt&d5DUKr zgI&zP76PeWg+d?>2nc~BzNioeaFeV)1d>)-LLiB;Hw5B<4Iz+RaU%qhn>a!l82mu_ zKRp!U!)>7ujn_jV7Ci`M0OyW3p^!A76b6agz%Yo9>%t)F=Y&Dzmxe(sxDp2P83O}L zID{4sha^I!a7f~{3uj=k0=0y~85rt8ZL?|NkRU%24oMu>p!7qi_?vJ@V*3{kaj0Ab zB&6&kAkFgN2#C-7BOnFPln6-Be~f^n9hOLlLpUNK?Evveh`d20Lp`_|?Hmaya-$<5 zsj?*!5~LF&A&G5UBqTRHiDY0{$-uzyJCcFn04QprAP!E8hJ-|6G{oSlXo&jWXh_H` ziH0QJ%h8Z(_g6H;LDn(#kht}VfmD}KF_21TaSS9COT<D749!>w-yjxJM>xhZF!X@B zVzCSi>lhdqp2b2!aB3XH1IyzeX=+Ox#G><Y3=B>T3=H?;AZbQ19#URt*T+LNI>bX< z925_!1vBFz_4L$uhz~EtL(;@uDF0<V#9?3JAyM!<9ul|a2@DJ-3=9k*2@s1qq4eYg z28LWvt(pKahdU8cdDV+2LPEec5fV4PiI9ApmIw*TJg9tQA_K!J1_p+SiIAexCJEvL zuOx`R_#{YeSCItChLe&Y9$S$Fv1nHkBuXD7LDC3oG6TabQ2n2j3@MrZCPUhM)hQ64 ziKIeOyL2i8!%WaXLn@>p@hBCNtxD4%K|3Q2QZ6h{gH&Ew>5v}J)O1Lb>{dFY5@X3= zU<d-4lL5&+vok>E*E2Be%wS;f2E}0p1A`|61A|c}B>&fBLQ?PgOi1e9oC)#Sj!Xsy z5k>}vbD5At`#1}tjwc&pus}9MonAI1Ex2SeFk~|@Fa%~ZFxY{5#n}*h{$w*SaDno_ zTMh$5AV@(DBuE$MKvMIL97tRp%z^miYz`zff6syBXSH021x~q;Z0Vm1Nh<}pkjkby z7g8M`&V_Wx&GI0v;01XM3>z327$ox<80taw`l)<K^{QFGz);1&z)(;CanS1mNRZkV zGBA8%U|`57gtU~Riy&>ii$x3!9SjT%I>nGgx3w4&=dX$()$*TWNTReUfp{RYgn_}A zfq|j91XAQ*EMcgJjOCO<@_9fhBnazDA#pyZ6yj5}GDvL}R0c6<N*Tmw`^q4di(xs0 zzq%Y^p<D$6!)FEt2I~q)H(tLI;;_e+kZk$25)yI(RSuBWt!xz}j%}(SLGB2peWBu! vRgfr&tAgZ?^eRYd&#&67CCnzbxzTW!0K18Tk)f5T@n$EdPSwrU8S=saaWF!) diff --git a/uffd/translations/de/LC_MESSAGES/messages.po b/uffd/translations/de/LC_MESSAGES/messages.po index 70e5f135..da0a5199 100644 --- a/uffd/translations/de/LC_MESSAGES/messages.po +++ b/uffd/translations/de/LC_MESSAGES/messages.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: PROJECT VERSION\n" "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n" -"POT-Creation-Date: 2021-09-04 21:53+0200\n" +"POT-Creation-Date: 2021-09-05 00:47+0200\n" "PO-Revision-Date: 2021-05-25 21:18+0200\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language: de\n" 
@@ -969,19 +969,27 @@ msgid "New password set"
 msgstr "Passwort geändert"
 
 #: uffd/selfservice/views.py:126
+msgid ""
+"This link was generated for another user. Login as the correct user to "
+"continue."
+msgstr ""
+"Dieser Link wurde für einen anderen Account erstellt. Melde dich mit dem "
+"richtigen Account an um Fortzufahren."
+
+#: uffd/selfservice/views.py:128
 msgid "New mail set"
 msgstr "E-Mail-Adresse geändert"
 
-#: uffd/selfservice/views.py:137
+#: uffd/selfservice/views.py:139
 msgid "Leaving roles is disabled"
 msgstr "Verlassen von Rollen ist deaktiviert"
 
-#: uffd/selfservice/views.py:144
+#: uffd/selfservice/views.py:146
 #, python-format
 msgid "You left role %(role_name)s"
 msgstr "Rolle %(role_name)s verlassen"
 
-#: uffd/selfservice/views.py:161 uffd/selfservice/views.py:181
+#: uffd/selfservice/views.py:163 uffd/selfservice/views.py:183
 #, python-format
 msgid "Mail to \"%(mail_address)s\" could not be sent!"
 msgstr "E-Mail an \"%(mail_address)s\" konnte nicht gesendet werden!"
-- 
GitLab