Fixed #14881 -- Modified password reset to work with a non-integer UserModel.pk.

uid is now base64 encoded in password reset URLs/views. A backwards compatible password_reset_confirm view/URL will allow password reset links generated before this change to continue to work. This view will be removed in Django 1.7. Thanks jonash for the initial patch and claudep for the review.
2025-10-31 09:41:08 +00:00 · 2013-06-21 16:59:33 -04:00
parent b6a87f5c93
commit 1184d07789
13 changed files with 164 additions and 23 deletions
--- a/django/contrib/auth/tests/test_views.py
+++ b/django/contrib/auth/tests/test_views.py
@@ -13,7 +13,7 @@ from django.core import mail
 from django.core.urlresolvers import reverse, NoReverseMatch
 from django.http import QueryDict, HttpRequest
 from django.utils.encoding import force_text
-from django.utils.http import urlquote
+from django.utils.http import int_to_base36, urlsafe_base64_decode, urlquote
 from django.utils._os import upath
 from django.test import TestCase
 from django.test.utils import override_settings, patch_logger
@@ -91,7 +91,7 @@ class AuthViewNamedURLTests(AuthViewsTestCase):
            ('password_reset', [], {}),
            ('password_reset_done', [], {}),
            ('password_reset_confirm', [], {
-                'uidb36': 'aaaaaaa',
+                'uidb64': 'aaaaaaa',
                'token': '1111-aaaaa',
            }),
            ('password_reset_complete', [], {}),
@@ -193,6 +193,16 @@ class PasswordResetTest(AuthViewsTestCase):
        # redirect to a 'complete' page:
        self.assertContains(response, "Please enter your new password")

+    def test_confirm_valid_base36(self):
+        # Remove in Django 1.7
+        url, path = self._test_confirm_start()
+        path_parts = path.strip("/").split("/")
+        # construct an old style (base36) URL by converting the base64 ID
+        path_parts[1] = int_to_base36(int(urlsafe_base64_decode(path_parts[1])))
+        response = self.client.get("/%s/%s-%s/" % tuple(path_parts))
+        # redirect to a 'complete' page:
+        self.assertContains(response, "Please enter your new password")
+
    def test_confirm_invalid(self):
        url, path = self._test_confirm_start()
        # Let's munge the token in the path, but keep the same length,
@@ -204,11 +214,21 @@ class PasswordResetTest(AuthViewsTestCase):

    def test_confirm_invalid_user(self):
        # Ensure that we get a 200 response for a non-existant user, not a 404
+        response = self.client.get('/reset/123456/1-1/')
+        self.assertContains(response, "The password reset link was invalid")
+
+    def test_confirm_invalid_user_base36(self):
+        # Remove in Django 1.7
        response = self.client.get('/reset/123456-1-1/')
        self.assertContains(response, "The password reset link was invalid")

    def test_confirm_overflow_user(self):
        # Ensure that we get a 200 response for a base36 user id that overflows int
+        response = self.client.get('/reset/zzzzzzzzzzzzz/1-1/')
+        self.assertContains(response, "The password reset link was invalid")
+
+    def test_confirm_overflow_user_base36(self):
+        # Remove in Django 1.7
        response = self.client.get('/reset/zzzzzzzzzzzzz-1-1/')
        self.assertContains(response, "The password reset link was invalid")