Browse Source

Fix the unsubscribe_reports view to handle already deleted users

pull/551/head
Pēteris Caune 3 years ago
parent
commit
c3d458f6f0
No known key found for this signature in database GPG Key ID: E28D7679E9A9EDE2
2 changed files with 23 additions and 6 deletions
  1. +9
    -0
      hc/accounts/tests/test_unsubscribe_reports.py
  2. +14
    -6
      hc/accounts/views.py

+ 9
- 0
hc/accounts/tests/test_unsubscribe_reports.py View File

@ -51,3 +51,12 @@ class UnsubscribeReportsTestCase(BaseTestCase):
r = self.client.get(url)
self.assertContains(r, "Please press the button below")
self.assertContains(r, "submit()")
def test_it_handles_missing_user(self):
self.alice.delete()
sig = signing.TimestampSigner(salt="reports").sign("alice")
url = "/accounts/unsubscribe_reports/%s/" % sig
r = self.client.post(url)
self.assertContains(r, "Unsubscribed")

+ 14
- 6
hc/accounts/views.py View File

@ -555,7 +555,6 @@ def unsubscribe_reports(request, signed_username):
# If the signature is more than 5 minutes old, we also include JS code to
# auto-submit the form.
ctx = {}
signer = signing.TimestampSigner(salt="reports")
# First, check the signature without looking at the timestamp:
try:
@ -563,16 +562,25 @@ def unsubscribe_reports(request, signed_username):
except signing.BadSignature:
return render(request, "bad_link.html")
# Check if timestamp is older than 5 minutes:
try:
username = signer.unsign(signed_username, max_age=300)
except signing.SignatureExpired:
ctx["autosubmit"] = True
user = User.objects.get(username=username)
except User.DoesNotExist:
# This is likely an old unsubscribe link, and the user account has already
# been deleted. Show the "Unsubscribed!" page nevertheless.
return render(request, "accounts/unsubscribed.html")
if request.method != "POST":
# Unsign again, now with max_age set,
# to see if the timestamp is older than 5 minutes
try:
autosubmit = False
username = signer.unsign(signed_username, max_age=300)
except signing.SignatureExpired:
autosubmit = True
ctx = {"autosubmit": autosubmit}
return render(request, "accounts/unsubscribe_submit.html", ctx)
user = User.objects.get(username=username)
profile = Profile.objects.for_user(user)
profile.reports = "off"
profile.next_report_date = None


Loading…
Cancel
Save