From 0e2aebd036fd49386f373327d933dd380b14b649 Mon Sep 17 00:00:00 2001 From: "Haelwenn (lanodan) Monnier" Date: Tue, 10 Aug 2021 20:33:00 +0200 Subject: [PATCH] TwitterAPI: Make change_email require body params instead of query Backport of: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3503 --- CHANGELOG.md | 2 +- .../operations/twitter_util_operation.ex | 19 +++++-- .../controllers/util_controller.ex | 6 +-- .../web/twitter_api/util_controller_test.exs | 51 ++++++++----------- 4 files changed, 39 insertions(+), 39 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 14e04c053..13469d8d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,7 +19,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ### Fixed - MastodonAPI: Stream out Create activities - MRF ObjectAgePolicy: Fix pattern matching on "published" -- TwitterAPI: Make `change_password` require params on body instead of query +- TwitterAPI: Make `change_password` and `change_email` require params on body instead of query ## 2.4.0 - 2021-08-08 diff --git a/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex b/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex index bc54f1915..879b2227e 100644 --- a/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex +++ b/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex @@ -101,11 +101,7 @@ def change_email_operation do summary: "Change account email", security: [%{"oAuth" => ["write:accounts"]}], operationId: "UtilController.change_email", - parameters: [ - Operation.parameter(:password, :query, :string, "Current password", required: true), - Operation.parameter(:email, :query, :string, "New email", required: true) - ], - requestBody: nil, + requestBody: request_body("Parameters", change_email_request(), required: true), responses: %{ 200 => Operation.response("Success", "application/json", %Schema{ @@ -118,6 +114,19 @@ def change_email_operation do } end + defp change_email_request do + %Schema{ + title: "ChangeEmailRequest", + description: "POST body for changing the account's email", + type: :object, + required: [:email, :password], + properties: %{ + email: %Schema{type: :string, description: "New email"}, + password: %Schema{type: :string, description: "Current password"} + } + } + end + def update_notificaton_settings_operation do %Operation{ tags: ["Accounts"], diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex index 58a733258..ef43f7682 100644 --- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex +++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex @@ -104,10 +104,10 @@ def change_password(%{assigns: %{user: user}, body_params: body_params} = conn, end end - def change_email(%{assigns: %{user: user}} = conn, %{password: password, email: email}) do - case CommonAPI.Utils.confirm_current_password(user, password) do + def change_email(%{assigns: %{user: user}, body_params: body_params} = conn, %{}) do + case CommonAPI.Utils.confirm_current_password(user, body_params.password) do {:ok, user} -> - with {:ok, _user} <- User.change_email(user, email) do + with {:ok, _user} <- User.change_email(user, body_params.email) do json(conn, %{status: "success"}) else {:error, changeset} -> diff --git a/test/pleroma/web/twitter_api/util_controller_test.exs b/test/pleroma/web/twitter_api/util_controller_test.exs index fe3d99272..f030483d8 100644 --- a/test/pleroma/web/twitter_api/util_controller_test.exs +++ b/test/pleroma/web/twitter_api/util_controller_test.exs @@ -261,11 +261,8 @@ test "without permissions", %{conn: conn} do conn = conn |> assign(:token, nil) - |> post( - "/api/pleroma/change_email?#{ - URI.encode_query(%{password: "hi", email: "test@test.com"}) - }" - ) + |> put_req_header("content-type", "multipart/form-data") + |> post("/api/pleroma/change_email", %{password: "hi", email: "test@test.com"}) assert json_response_and_validate_schema(conn, 403) == %{ "error" => "Insufficient permissions: write:accounts." @@ -274,12 +271,9 @@ test "without permissions", %{conn: conn} do test "with proper permissions and invalid password", %{conn: conn} do conn = - post( - conn, - "/api/pleroma/change_email?#{ - URI.encode_query(%{password: "hi", email: "test@test.com"}) - }" - ) + conn + |> put_req_header("content-type", "multipart/form-data") + |> post("/api/pleroma/change_email", %{password: "hi", email: "test@test.com"}) assert json_response_and_validate_schema(conn, 200) == %{"error" => "Invalid password."} end @@ -288,10 +282,9 @@ test "with proper permissions, valid password and invalid email", %{ conn: conn } do conn = - post( - conn, - "/api/pleroma/change_email?#{URI.encode_query(%{password: "test", email: "foobar"})}" - ) + conn + |> put_req_header("content-type", "multipart/form-data") + |> post("/api/pleroma/change_email", %{password: "test", email: "foobar"}) assert json_response_and_validate_schema(conn, 200) == %{ "error" => "Email has invalid format." @@ -301,7 +294,10 @@ test "with proper permissions, valid password and invalid email", %{ test "with proper permissions, valid password and no email", %{ conn: conn } do - conn = post(conn, "/api/pleroma/change_email?#{URI.encode_query(%{password: "test"})}") + conn = + conn + |> put_req_header("content-type", "multipart/form-data") + |> post("/api/pleroma/change_email", %{password: "test"}) assert %{"error" => "Missing field: email."} = json_response_and_validate_schema(conn, 400) end @@ -310,10 +306,9 @@ test "with proper permissions, valid password and blank email", %{ conn: conn } do conn = - post( - conn, - "/api/pleroma/change_email?#{URI.encode_query(%{password: "test", email: ""})}" - ) + conn + |> put_req_header("content-type", "multipart/form-data") + |> post("/api/pleroma/change_email", %{password: "test", email: ""}) assert json_response_and_validate_schema(conn, 200) == %{"error" => "Email can't be blank."} end @@ -324,10 +319,9 @@ test "with proper permissions, valid password and non unique email", %{ user = insert(:user) conn = - post( - conn, - "/api/pleroma/change_email?#{URI.encode_query(%{password: "test", email: user.email})}" - ) + conn + |> put_req_header("content-type", "multipart/form-data") + |> post("/api/pleroma/change_email", %{password: "test", email: user.email}) assert json_response_and_validate_schema(conn, 200) == %{ "error" => "Email has already been taken." @@ -338,12 +332,9 @@ test "with proper permissions, valid password and valid email", %{ conn: conn } do conn = - post( - conn, - "/api/pleroma/change_email?#{ - URI.encode_query(%{password: "test", email: "cofe@foobar.com"}) - }" - ) + conn + |> put_req_header("content-type", "multipart/form-data") + |> post("/api/pleroma/change_email", %{password: "test", email: "cofe@foobar.com"}) assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"} end