Remove API password (#290)

* Remove the password from API GET responses While keeping it for POST/PUT. fix #289 * Add a test to check password change via API
2025-04-30 18:22:38 +02:00 · 2017-12-22 17:39:48 +01:00 · 2017-12-22 17:39:48 +01:00 · b65ee59b1b
commit b65ee59b1b
parent 5160dac4a5
3 changed files with 18 additions and 7 deletions
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@ -12,6 +12,7 @@ Breaking changes
 - ``ADMIN_PASSWORD`` is now stored hashed. The ``ihatemoney generate_password_hash`` command can now be used to generate a proper password HASH (#236)
 - Turn the WSGI file into a python module, renamed from budget/ihatemoney.wsgi to ihatemoney/wsgi.py. Please update your Apache/Gunicorn configuration! (#218)
 - Admin privileges are now required to access the dashboard (#262)
+- `password` field has been removed from project API GET views (#289)

 Changed
 =======
--- a/ihatemoney/models.py
+++ b/ihatemoney/models.py
@ -14,7 +14,7 @@ db = SQLAlchemy()
 class Project(db.Model):

    _to_serialize = (
-        "id", "name", "password", "contact_email", "members", "active_members",
+        "id", "name",  "contact_email", "members", "active_members",
        "balance"
    )

--- a/ihatemoney/tests/tests.py
+++ b/ihatemoney/tests/tests.py
@ -1076,7 +1076,6 @@ class APITestCase(IhatemoneyTestCase):
            "balance": {},
        }
        decoded_resp = json.loads(resp.data.decode('utf-8'))
-        self.assertTrue(check_password_hash(decoded_resp.pop('password'), 'raclette'))
        self.assertDictEqual(decoded_resp, expected)

        # edit should work
@ -1101,14 +1100,26 @@ class APITestCase(IhatemoneyTestCase):
            "balance": {},
        }
        decoded_resp = json.loads(resp.data.decode('utf-8'))
-        self.assertTrue(check_password_hash(decoded_resp.pop('password'), 'raclette'))
        self.assertDictEqual(decoded_resp, expected)

+        # password change is possible via API
+        resp = self.client.put("/api/projects/raclette", data={
+            "contact_email": "yeah@notmyidea.org",
+            "password": "tartiflette",
+            "name": "The raclette party",
+        }, headers=self.get_auth("raclette"))
+
+        self.assertEqual(200, resp.status_code)
+
+        resp = self.client.get("/api/projects/raclette",
+                               headers=self.get_auth(
+                                   "raclette", "tartiflette"))
+        self.assertEqual(200, resp.status_code)
+
        # delete should work
        resp = self.client.delete("/api/projects/raclette",
-                                  headers=self.get_auth("raclette"))
-
-        self.assertEqual(200, resp.status_code)
+                                  headers=self.get_auth(
+                                      "raclette", "tartiflette"))

        # get should return a 401 on an unknown resource
        resp = self.client.get("/api/projects/raclette",
@ -1341,7 +1352,6 @@ class APITestCase(IhatemoneyTestCase):

        self.assertStatus(200, req)
        decoded_req = json.loads(req.data.decode('utf-8'))
-        self.assertTrue(check_password_hash(decoded_req.pop('password'), 'raclette'))
        self.assertDictEqual(decoded_req, expected)