Make sure that users can only confirm their own verification tokens

Fixes #26.

Make sure that users can only confirm their own verification tokens
bf72b10d · Julian · 0212237e · bf72b10d · bf72b10d · bf72b10d
Commit bf72b10d authored 3 years ago by Julian
--- a/tests/test_selfservice.py
+++ b/tests/test_selfservice.py
@@ -165,7 +165,6 @@ class TestSelfservice(UffdTestCase):
 		_user = request.user
 		self.assertEqual(_user.mail, user.mail)
-	@unittest.skip('See #26')
 	def test_token_mail_wrong_user(self):
 		self.login_as('user')
 		user = request.user
@@ -176,7 +175,7 @@ class TestSelfservice(UffdTestCase):
 		db.session.commit()
 		r = self.client.get(path=url_for('selfservice.token_mail', token=admin_token.token), follow_redirects=True)
 		dump('token_mail_wrong_user', r)
-		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.status_code, 403)
 		_user = request.user
 		_admin_user = self.get_admin()
 		self.assertEqual(_user.mail, user.mail)

--- a/uffd/selfservice/views.py
+++ b/uffd/selfservice/views.py
 import datetime
-from flask import Blueprint, render_template, request, url_for, redirect, flash, current_app, session
+from flask import Blueprint, render_template, request, url_for, redirect, flash, current_app, session, abort
 from flask_babel import gettext as _, lazy_gettext
 from uffd.navbar import register_navbar
@@ -122,6 +122,8 @@ def token_mail(token):
 		return redirect(url_for('selfservice.index'))
 	user = User.query.filter_by(loginname=dbtoken.loginname).one()
+	if user != request.user:
+		abort(403, description=_('This link was generated for another user. Login as the correct user to continue.'))
 	user.set_mail(dbtoken.newmail)
 	flash(_('New mail set'))
 	db.session.delete(dbtoken)

--- a/uffd/translations/de/LC_MESSAGES/messages.mo
+++ b/uffd/translations/de/LC_MESSAGES/messages.mo
--- a/uffd/translations/de/LC_MESSAGES/messages.po
+++ b/uffd/translations/de/LC_MESSAGES/messages.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PROJECT VERSION\n"
 "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
-"POT-Creation-Date: 2021-09-04 21:53+0200\n"
+"POT-Creation-Date: 2021-09-05 00:47+0200\n"
 "PO-Revision-Date: 2021-05-25 21:18+0200\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language: de\n"
@@ -969,19 +969,27 @@ msgid "New password set"
 msgstr "Passwort geändert"
 #: uffd/selfservice/views.py:126
+msgid ""
+"This link was generated for another user. Login as the correct user to "
+"continue."
+msgstr ""
+"Dieser Link wurde für einen anderen Account erstellt. Melde dich mit dem "
+"richtigen Account an um Fortzufahren."
+#: uffd/selfservice/views.py:128
 msgid "New mail set"
 msgstr "E-Mail-Adresse geändert"
-#: uffd/selfservice/views.py:137
+#: uffd/selfservice/views.py:139
 msgid "Leaving roles is disabled"
 msgstr "Verlassen von Rollen ist deaktiviert"
-#: uffd/selfservice/views.py:144
+#: uffd/selfservice/views.py:146
 #, python-format
 msgid "You left role %(role_name)s"
 msgstr "Rolle %(role_name)s verlassen"
-#: uffd/selfservice/views.py:161 uffd/selfservice/views.py:181
+#: uffd/selfservice/views.py:163 uffd/selfservice/views.py:183
 #, python-format
 msgid "Mail to \"%(mail_address)s\" could not be sent!"
 msgstr "E-Mail an \"%(mail_address)s\" konnte nicht gesendet werden!"