diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py index 9d669c5d85..861e5a9299 100644 --- a/tests/auth_tests/test_views.py +++ b/tests/auth_tests/test_views.py @@ -321,6 +321,17 @@ class PasswordResetTest(AuthViewsTestCase): self.assertRedirects(response, '/reset/done/', fetch_redirect_response=False) self.assertIn(SESSION_KEY, self.client.session) + def test_key_error_accessing_user_from_request_after_form_save(self): + self.login(username=self.u3.username, password='password') + url, path = self._test_confirm_start() + path = path.replace('/reset/', '/reset/key_error_reset_confirm/') + response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'}) + # We don't get here KeyError: '_password_reset_token' + # Check the password has been changed + u = User.objects.get(email='staffmember@example.com') + self.assertTrue(u.check_password("anewpassword")) + self.assertRedirects(response, '/reset/done/', fetch_redirect_response=False) + @override_settings( AUTHENTICATION_BACKENDS=[ 'django.contrib.auth.backends.ModelBackend', diff --git a/tests/auth_tests/urls.py b/tests/auth_tests/urls.py index e225ab9362..ed9b2f7978 100644 --- a/tests/auth_tests/urls.py +++ b/tests/auth_tests/urls.py @@ -1,7 +1,7 @@ from django.contrib import admin from django.contrib.auth import views from django.contrib.auth.decorators import login_required, permission_required -from django.contrib.auth.forms import AuthenticationForm +from django.contrib.auth.forms import AuthenticationForm, SetPasswordForm from django.contrib.auth.urls import urlpatterns as auth_urlpatterns from django.contrib.messages.api import info from django.http import HttpRequest, HttpResponse @@ -78,6 +78,28 @@ def login_and_permission_required_exception(request): pass +class KeyErrorSetPasswordForm(SetPasswordForm): + def __init__(self, *args, request=None, **kwargs): + super().__init__(*args, **kwargs) + self.request = request + + def save(self, commit=True): + user = super().save(commit) + # Access attribute on user via request, triggering flush of session that + # later leads to key error. + self.request.user.is_anonymous + return user + + +class KeyErrorPasswordResetConfirmView(views.PasswordResetConfirmView): + form_class = KeyErrorSetPasswordForm + + def get_form_kwargs(self): + kwargs = super().get_form_kwargs() + kwargs["request"] = self.request + return kwargs + + # special urls for auth test cases urlpatterns = auth_urlpatterns + [ path('logout/custom_query/', views.LogoutView.as_view(redirect_field_name='follow')), @@ -127,6 +149,10 @@ urlpatterns = auth_urlpatterns + [ post_reset_login_backend='django.contrib.auth.backends.AllowAllUsersModelBackend', ), ), + path( + 'reset/key_error_reset_confirm///', + KeyErrorPasswordResetConfirmView.as_view(), + ), path('password_change/custom/', views.PasswordChangeView.as_view(success_url='/custom/')), path('password_change/custom/named/',