| author | JocelynDelalande <JocelynDelalande@users.noreply.github.com> | 2017-12-22 17:39:48 +0100 |
|---|---|---|
| committer | Alexis Metaireau <alexis@notmyidea.org> | 2017-12-22 17:39:48 +0100 |
| commit | b65ee59b1bf03a972079439e8f838e4040dfa874 (patch) | |
| tree | 76911a86fc84984a2c8d849d7f1fb1668f1dc5fc | |
| parent | 5160dac4a56fcd9ae3d30d96d9bb4f827000fc57 (diff) | |
Remove API password (#290)
* Remove the password from API GET responses
while still accepting it in POST/PUT requests.
fix #289
* Add a test to check password change via API
| -rw-r--r-- | CHANGELOG.rst | 1 | ||||
| -rw-r--r-- | ihatemoney/models.py | 2 | ||||
| -rw-r--r-- | ihatemoney/tests/tests.py | 22 |
3 files changed, 18 insertions, 7 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index fffc8c5..35cf91c 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -12,6 +12,7 @@ Breaking changes
 - ``ADMIN_PASSWORD`` is now stored hashed. The ``ihatemoney generate_password_hash`` command can now be used to generate a proper password HASH (#236)
 - Turn the WSGI file into a python module, renamed from budget/ihatemoney.wsgi to ihatemoney/wsgi.py. Please update your Apache/Gunicorn configuration! (#218)
 - Admin privileges are now required to access the dashboard (#262)
+- `password` field has been removed from project API GET views (#289)
 
 Changed
 =======
diff --git a/ihatemoney/models.py b/ihatemoney/models.py
index 9e11054..aa3083d 100644
--- a/ihatemoney/models.py
+++ b/ihatemoney/models.py
@@ -14,7 +14,7 @@ db = SQLAlchemy()
 
 class Project(db.Model):
     _to_serialize = (
-        "id", "name", "password", "contact_email", "members", "active_members",
+        "id", "name", "contact_email", "members", "active_members",
         "balance"
     )
 
diff --git a/ihatemoney/tests/tests.py b/ihatemoney/tests/tests.py
index dc46580..6708ca8 100644
--- a/ihatemoney/tests/tests.py
+++ b/ihatemoney/tests/tests.py
@@ -1076,7 +1076,6 @@ class APITestCase(IhatemoneyTestCase):
             "balance": {},
         }
         decoded_resp = json.loads(resp.data.decode('utf-8'))
-        self.assertTrue(check_password_hash(decoded_resp.pop('password'), 'raclette'))
         self.assertDictEqual(decoded_resp, expected)
 
         # edit should work
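Review bot: The absence of `"password"` from `_to_serialize` in `Project` carries no explanation, so a future contributor extending this tuple could put the stored hash back into every API GET response without any test catching the intent; a comment on the tuple would pin it, e.g. `# "password" is deliberately excluded: the API must never echo the stored hash (#289)`. The commit message says the field is still accepted on POST/PUT, but that path is not visible in this hunk, so if it lives elsewhere the comment could point there. `Project`'s body continues beyond the hunk.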
@@ -1101,15 +1100,27 @@ class APITestCase(IhatemoneyTestCase): "balance": {}, } decoded_resp = json.loads(resp.data.decode('utf-8')) - self.assertTrue(check_password_hash(decoded_resp.pop('password'), 'raclette')) self.assertDictEqual(decoded_resp, expected) - # delete should work - resp = self.client.delete("/api/projects/raclette", - headers=self.get_auth("raclette")) + # password change is possible via API + resp = self.client.put("/api/projects/raclette", data={ + "contact_email": "yeah@notmyidea.org", + "password": "tartiflette", + "name": "The raclette party", + }, headers=self.get_auth("raclette")) self.assertEqual(200, resp.status_code) + resp = self.client.get("/api/projects/raclette", + headers=self.get_auth( + "raclette", "tartiflette")) + self.assertEqual(200, resp.status_code) + + # delete should work + resp = self.client.delete("/api/projects/raclette", + headers=self.get_auth( + "raclette", "tartiflette")) + # get should return a 401 on an unknown resource resp = self.client.get("/api/projects/raclette", headers=self.get_auth("raclette")) @@ -1341,7 +1352,6 @@ class APITestCase(IhatemoneyTestCase): self.assertStatus(200, req) decoded_req = json.loads(req.data.decode('utf-8')) - self.assertTrue(check_password_hash(decoded_req.pop('password'), 'raclette')) self.assertDictEqual(decoded_req, expected) |
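Review bot: The rewritten delete at the end of this hunk no longer asserts its status code, and the GET that follows still authenticates with `self.get_auth("raclette")` even though the test just changed the password to `"tartiflette"`, so the 401 it expects would presumably come from the stale credential whether or not the delete happened — the "unknown resource" check no longer proves anything. Add `self.assertEqual(200, resp.status_code)` after the delete and authenticate the final GET with `headers=self.get_auth("raclette", "tartiflette")` so a 401 can only mean the project is gone. This assumes the one-argument `get_auth` form falls back to the original password, which the hunk itself does not show. The enclosing test method starts before and ends after this hunk.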
