Only refresh session if updating own password (#15426)

Fixes bug where creating a new user will
request a new awx_sessionid cookie, invalidating
the previous session.

Do not refresh session if updating or
creating a password for a different user.

Signed-off-by: Seth Foster <fosterbseth@gmail.com>
Seth Foster 2024-08-07 17:04:19 -04:00 committed by GitHub
parent 37b7a69303
commit 73b1536356
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 24 additions and 1 deletions


@ -1038,7 +1038,9 @@ class UserSerializer(BaseSerializer):
# as the modified user then inject a session key derived from
# the updated user to prevent logout. This is the logic used by
# the Django admin's own user_change_password view.
update_session_auth_hash(self.context['request'], obj)
if self.instance and self.context['request'].user.username == obj.username:
update_session_auth_hash(self.context['request'], obj)
elif not obj.password:
obj.set_unusable_password()
obj.save(update_fields=['password'])
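Review bot: The added ownership check compares `username` strings, while `request.user` and `obj` are separate objects, so a request that changes its own username and password together could fail the comparison, skip the refresh and log the caller out. Django's `update_session_auth_hash` itself decides identity by model equality (primary key), so I would write `if self.instance and self.context['request'].user.pk == obj.pk:`. The comment above the check no longer matches what happens when an administrator sets someone else's password, so it is worth adding a line such as `# Only the requester's own session is refreshed; setting another user's password leaves the requester's session untouched.` The enclosing method and the start of that comment lie outside the hunk, so the order of the username save relative to this call is inferred.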


@ -33,6 +33,27 @@ def test_fail_double_create_user(post, admin):
assert response.status_code == 400
@pytest.mark.django_db
def test_creating_user_retains_session(post, admin):
'''
Creating a new user should not refresh a new session id for the current user.
'''
with mock.patch('awx.api.serializers.update_session_auth_hash') as update_session_auth_hash:
response = post(reverse('api:user_list'), EXAMPLE_USER_DATA, admin)
assert response.status_code == 201
assert not update_session_auth_hash.called
@pytest.mark.django_db
def test_updating_own_password_refreshes_session(patch, admin):
'''
Updating your own password should refresh the session id.
'''
with mock.patch('awx.api.serializers.update_session_auth_hash') as update_session_auth_hash:
patch(reverse('api:user_detail', kwargs={'pk': admin.pk}), {'password': 'newpassword'}, admin, middleware=SessionMiddleware(mock.Mock()))
assert update_session_auth_hash.called
@pytest.mark.django_db
def test_create_delete_create_user(post, delete, admin):
response = post(reverse('api:user_list'), EXAMPLE_USER_DATA, admin, middleware=SessionMiddleware(mock.Mock()))
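Review bot: The two added tests cover user creation and a self-update, but not the third case the commit message names: an administrator setting the password of a different, existing user, which should leave the administrator's session alone. A test for that path is sketched below; it assumes the create response exposes the new user's `id` and that a successful update returns 200. `test_updating_own_password_refreshes_session` also never checks the response, so binding the `patch(...)` result and adding `assert response.status_code == 200` would make a rejected request fail with a clearer message than the mock assertion.

```python
@pytest.mark.django_db
def test_updating_other_user_password_retains_session(post, patch, admin):
    '''
    Updating another user's password should not refresh the current user's session id.
    '''
    created = post(reverse('api:user_list'), EXAMPLE_USER_DATA, admin)
    assert created.status_code == 201
    with mock.patch('awx.api.serializers.update_session_auth_hash') as update_session_auth_hash:
        response = patch(
            reverse('api:user_detail', kwargs={'pk': created.data['id']}),
            {'password': 'newpassword'},
            admin,
            middleware=SessionMiddleware(mock.Mock()),
        )
    assert response.status_code == 200
    assert not update_session_auth_hash.called
```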