lp://staging/~maxiberta/canonical-identity-provider/vanilla-sshkeys-debug
- Get this branch:
- bzr branch lp://staging/~maxiberta/canonical-identity-provider/vanilla-sshkeys-debug
Branch merges
- Ubuntu One hackers: Pending requested
Diff: 53 lines (+6/-1), 3 files modified
django_project/settings_devel.py (+2/-1)
src/webservices/launchpad.py (+3/-0)
src/webui/forms.py (+1/-0)
Branch information
Recent revisions
- 1709. By Jonathan Hartley
Unconditionally error if "not account.can_reset_password"

Don't try to special-case "deactivated" accounts, since we cannot reach
this code with that account.status value.

Don't special case "suspended" accounts, since that is the only
status value which can reach this bit of code.

Instead, just unconditionally refuse to send the password reset
and return an error.

There was a test of special-case for "deactivated" accounts,
but to reach that code, the test monkey-patched to create an
impossible situation. Without that patching, the test now
demonstrates what actually happens (both before this change
and after it) - i.e. a deactivated account can send a password
reset email.

Add a comment about test assertions using mock_logging,
which actually do nothing.

Fix a few comment typos.

Merged from https://code.launchpad.net/~tartley/canonical-identity-provider/rm-deactivated-check/+merge/377387
- 1708. By Jonathan Hartley
Remove code that cannot be reached.

The containing 'if not account.can_reset_password',
16 lines up from the deletion,
does not check whether there are any validated email addresses.
Instead it just checks that account.status must be either
Suspended or Deleted.

Suspended accounts are handled by an early return,
9 lines up from the deletion.

Deleted accounts also delete their associated email addresses,
so can not be retrieved by the Account.get_by_email call
near the start of this method.

There was a test for this deleted code,
but it monkey patched a fake value to make this code reachable.
I tried replacing the test with one that didn't do monkey patching
(e.g. using a deleted account would be the only way)
but was unable to make the code reachable.

In practice, accounts with no validated email addresses pass
right by this code, and end up reading from account.preferredemail,
14 lines below the deletion,
which falls back to using a new email address.

Merged from https://code.launchpad.net/~tartley/canonical-identity-provider/rm-no-verified-address-para/+merge/377382
- 1707. By Jonathan Hartley
Test fail diagnostics for bad response status code.

If a response has an unexpected status code,
display the response content
and the expected/actual status codes.

Merged from https://code.launchpad.net/~tartley/canonical-identity-provider/status-code-diagnostics/+merge/377377
- 1706. By Jonathan Hartley
Restore users' ability to send password reset email to new addresses.

A branch was merged before Christmas to fix a security hole in the
password reset process. In that branch, out of an abundance of
caution, we also prevented password reset emails from being sent
to 'new' email addresses.
https://code.launchpad.net/~tartley/canonical-identity-provider/password-reset/+merge/376991

On reflection, the latter part was more cautious than required.
This MP restores the ability for the password reset email logic
to fall back to using an account's 'new' email address if no
preferred or validated email addresses exist.

Merged from https://code.launchpad.net/~tartley/canonical-identity-provider/allow-new-emails/+merge/377333
- 1705. By Karl Williams
Convert all error and logged-in user pages to Vanilla templates

Merged from https://code.launchpad.net/~deadlight/canonical-identity-provider/merge-3-user/+merge/375403
- 1704. By Jonathan Hartley
Prevent password reset security problem.

It's possible for an attacker to request a password reset
using a variation on an existing user's email which differs
only in case. For ASCII, this makes no difference, but for
unicode, different case may constitute a distinct email
address.

In such a case, it's important we email the password reset
token to the user's email which we have stored and validated,
rather than the variant of it provided and controlled by
the attacker.

If a user has no validated email address, we should not
send the password reset token to an unvalidated (new)
email address, which may not be read or may be controlled
by someone else. In this case we refuse to allow
password reset. The user can recover from this by
validating the email address they provided, or by
contacting support as they are prompted to do.

Merged from https://code.launchpad.net/~tartley/canonical-identity-provider/password-reset/+merge/376991
- 1703. By Karl Williams
Convert templates for the registration and login flows to Vanilla

Merged from https://code.launchpad.net/~deadlight/canonical-identity-provider/merge-2-registration/+merge/375393
- 1702. By Karl Williams
Update static pages on the site to use a Vanilla-based template.
- /+faq
- /one-redirect
- /+description
- /+ubuntuone-account

Merged from https://code.launchpad.net/~deadlight/canonical-identity-provider/merge-1-static/+merge/375327
- 1701. By Maximiliano Bertacchini
Read-only mode 2FA: allow TOTP devices only, disable sync.

Merged from https://code.launchpad.net/~maxiberta/canonical-identity-provider/2fa-readonly/+merge/374530
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://staging/canonical-identity-provider/release