Remove API password (#290)

* Remove the password from API GET responses

While keeping it for POST/PUT.

fix #289

* Add a test to check password change via API
JocelynDelalande 2017-12-22 17:39:48 +01:00 committed by Alexis Metaireau
parent 5160dac4a5
commit b65ee59b1b
3 changed files with 18 additions and 7 deletions


@ -12,6 +12,7 @@ Breaking changes
- ``ADMIN_PASSWORD`` is now stored hashed. The ``ihatemoney generate_password_hash`` command can now be used to generate a proper password HASH (#236) - ``ADMIN_PASSWORD`` is now stored hashed. The ``ihatemoney generate_password_hash`` command can now be used to generate a proper password HASH (#236)
- Turn the WSGI file into a python module, renamed from budget/ihatemoney.wsgi to ihatemoney/wsgi.py. Please update your Apache/Gunicorn configuration! (#218) - Turn the WSGI file into a python module, renamed from budget/ihatemoney.wsgi to ihatemoney/wsgi.py. Please update your Apache/Gunicorn configuration! (#218)
- Admin privileges are now required to access the dashboard (#262) - Admin privileges are now required to access the dashboard (#262)
- `password` field has been removed from project API GET views (#289)
Changed Changed
======= =======


@ -14,7 +14,7 @@ db = SQLAlchemy()
class Project(db.Model): class Project(db.Model):
_to_serialize = ( _to_serialize = (
"id", "name", "password", "contact_email", "members", "active_members", "id", "name", "contact_email", "members", "active_members",
"balance" "balance"
) )
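Review bot: Nothing in the `_to_serialize` tuple records that the omission of `"password"` on the new side of L31 is deliberate, so a later contributor extending the field list could quietly restore the leak that #289 closes. I would add a comment directly above the tuple: `# "password" is intentionally absent: the stored (hashed) credential must never be returned by the API (#289).` This tuple only governs the model's own serialization; if any other view, export or template reads `project.password` directly it is not covered by this change — worth confirming separately, as it is not visible here. The `Project` class continues outside the hunk.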


@ -1076,7 +1076,6 @@ class APITestCase(IhatemoneyTestCase):
"balance": {}, "balance": {},
} }
decoded_resp = json.loads(resp.data.decode('utf-8')) decoded_resp = json.loads(resp.data.decode('utf-8'))
self.assertTrue(check_password_hash(decoded_resp.pop('password'), 'raclette'))
self.assertDictEqual(decoded_resp, expected) self.assertDictEqual(decoded_resp, expected)
# edit should work # edit should work
@ -1101,14 +1100,26 @@ class APITestCase(IhatemoneyTestCase):
"balance": {}, "balance": {},
} }
decoded_resp = json.loads(resp.data.decode('utf-8')) decoded_resp = json.loads(resp.data.decode('utf-8'))
self.assertTrue(check_password_hash(decoded_resp.pop('password'), 'raclette'))
self.assertDictEqual(decoded_resp, expected) self.assertDictEqual(decoded_resp, expected)
# password change is possible via API
resp = self.client.put("/api/projects/raclette", data={
"contact_email": "yeah@notmyidea.org",
"password": "tartiflette",
"name": "The raclette party",
}, headers=self.get_auth("raclette"))
self.assertEqual(200, resp.status_code)
resp = self.client.get("/api/projects/raclette",
headers=self.get_auth(
"raclette", "tartiflette"))
self.assertEqual(200, resp.status_code)
# delete should work # delete should work
resp = self.client.delete("/api/projects/raclette", resp = self.client.delete("/api/projects/raclette",
headers=self.get_auth("raclette")) headers=self.get_auth(
"raclette", "tartiflette"))
self.assertEqual(200, resp.status_code)
# get should return a 401 on an unknown resource # get should return a 401 on an unknown resource
resp = self.client.get("/api/projects/raclette", resp = self.client.get("/api/projects/raclette",
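Review bot: The password-change block at L51-L60 only asserts that the new password authenticates; it never asserts that the old one is rejected, so an implementation that accepted "tartiflette" while still honouring "raclette" would pass this test. Add a negative check right after L60: `resp = self.client.get("/api/projects/raclette", headers=self.get_auth("raclette"))` followed by `self.assertEqual(401, resp.status_code)`. This assumes the one-argument `get_auth(project)` form sends the project's original password, which the two-argument calls at L58-L59 and L63-L64 suggest but do not show. The enclosing test method starts before this hunk and continues after it.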
@ -1341,7 +1352,6 @@ class APITestCase(IhatemoneyTestCase):
self.assertStatus(200, req) self.assertStatus(200, req)
decoded_req = json.loads(req.data.decode('utf-8')) decoded_req = json.loads(req.data.decode('utf-8'))
self.assertTrue(check_password_hash(decoded_req.pop('password'), 'raclette'))
self.assertDictEqual(decoded_req, expected) self.assertDictEqual(decoded_req, expected)