Revision 0b817216

b/snf-astakos-app/astakos/im/tests/auth.py
650 650
        change2 = EmailChange.objects.get()
651 651

  
652 652
        r = self.client.get(change1.get_url())
653
        self.assertEquals(r.status_code, 302)
653
        self.assertEquals(r.status_code, 404)
654 654
        self.client.logout()
655 655

  
656
        invalid_client = Client()
657
        r = invalid_client.post('/im/local?',
658
                                {'username': 'existing@synnefo.org',
659
                                 'password': 'password'})
660
        r = invalid_client.get(change2.get_url(), follow=True)
661
        self.assertEquals(r.status_code, 403)
662

  
656 663
        r = self.client.post('/im/local?next=' + change2.get_url(),
657 664
                             {'username': 'kpap@synnefo.org',
658 665
                              'password': 'password',
......
819 826
        self.assertEqual(local_provider.get_login_policy, False)
820 827

  
821 828
        cl_olduser.logout()
822
        login_data = {'username': 'olduser@synnefo.org', 'password': 'password'}
829
        login_data = {'username': 'olduser@synnefo.org',
830
                      'password': 'password'}
823 831
        r = cl_olduser.post('/im/local', login_data, follow=True)
824 832
        self.assertContains(r, "href='/im/login/shibboleth'>Academic login")
825 833
        Group.objects.all().delete()
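Review bot: The new invalid_client block (new-side lines 656-661) never asserts that the login POST to `/im/local?` actually authenticated the client, so if that login fails the client is anonymous and, per the views.py hunk, the view applies the change through the unauthenticated path; the 403 assertion then fails for a misleading reason. Add a check right after the login POST, e.g. `self.assertEquals(r.status_code, 302)` (the redirect a successful login produces) or a check that the session carries an authenticated user, so a broken fixture is distinguished from a broken access check. The trailing `?` in `/im/local?` looks accidental given the later `/im/local?next=...` at line 663 and plain `/im/local` at line 831. The enclosing test methods start outside the hunks.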
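--- a/snf-astakos-app/astakos/im/views.py
+++ b/snf-astakos-app/astakos/im/views.py
@@ -781,14 +781,28 @@
 
     if activation_key:
         try:
-            user = EmailChange.objects.change_email(activation_key)
-            if request.user.is_authenticated() and \
-                request.user == user or not \
+            try:
+                email_change = EmailChange.objects.get(
+                    activation_key=activation_key)
+            except EmailChange.DoesNotExist:
+                transaction.rollback()
+                logger.error("[change-email] Invalid or used activation "
+                             "code, %s", activation_key)
+                raise Http404
+
+            if (request.user.is_authenticated() and \
+                request.user == email_change.user) or not \
                     request.user.is_authenticated():
+                user = EmailChange.objects.change_email(activation_key)
                 msg = _(astakos_messages.EMAIL_CHANGED)
                 messages.success(request, msg)
                 transaction.commit()
                 return HttpResponseRedirect(reverse('edit_profile'))
+            else:
+                logger.error("[change-email] Access from invalid user, %s %s",
+                             email_change.user, request.user.log_display)
+                transaction.rollback()
+                raise PermissionDenied
         except ValueError, e:
             messages.error(request, e)
             transaction.rollback()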
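Review bot: The PermissionDenied branch added at new-side lines 801-805 does not gate who can redeem the activation key: the condition at lines 793-795 still lets an unauthenticated request apply the change, so a logged-in user who receives the 403 can log out and resubmit the same link. That makes the branch a guard against applying the change in the wrong session rather than an authorization check, and the "Access from invalid user" error log overstates it; a comment above the `if`, such as `# Anonymous holders of the key are let through (the link arrives by email); this only stops a different logged-in account from redeeming it in its own session.`, would make the intended trust model explicit. A logged-in user now also sees 404 for an unknown key and 403 for another user's valid key, which distinguishes valid keys from invalid ones; that is presumably acceptable only if activation keys are unguessable. The enclosing view starts before the hunk.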
