Unverified Commit 3a245f6c authored by reivilibre's avatar reivilibre Committed by GitHub

Fix validation problem that occurs when a user tries to deactivate their...

Fix validation problem that occurs when a user tries to deactivate their account or change their password. (#13563)
parent 2c42673a
Improve validation of request bodies for the following client-server API endpoints: [`/account/password`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpassword), [`/account/password/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpasswordemailrequesttoken), [`/account/deactivate`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountdeactivate) and [`/account/3pid/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3account3pidemailrequesttoken).
...@@ -196,7 +196,7 @@ class PasswordRestServlet(RestServlet): ...@@ -196,7 +196,7 @@ class PasswordRestServlet(RestServlet):
params, session_id = await self.auth_handler.validate_user_via_ui_auth( params, session_id = await self.auth_handler.validate_user_via_ui_auth(
requester, requester,
request, request,
body.dict(), body.dict(exclude_unset=True),
"modify your account password", "modify your account password",
) )
except InteractiveAuthIncompleteError as e: except InteractiveAuthIncompleteError as e:
...@@ -219,7 +219,7 @@ class PasswordRestServlet(RestServlet): ...@@ -219,7 +219,7 @@ class PasswordRestServlet(RestServlet):
result, params, session_id = await self.auth_handler.check_ui_auth( result, params, session_id = await self.auth_handler.check_ui_auth(
[[LoginType.EMAIL_IDENTITY]], [[LoginType.EMAIL_IDENTITY]],
request, request,
body.dict(), body.dict(exclude_unset=True),
"modify your account password", "modify your account password",
) )
except InteractiveAuthIncompleteError as e: except InteractiveAuthIncompleteError as e:
...@@ -316,7 +316,7 @@ class DeactivateAccountRestServlet(RestServlet): ...@@ -316,7 +316,7 @@ class DeactivateAccountRestServlet(RestServlet):
await self.auth_handler.validate_user_via_ui_auth( await self.auth_handler.validate_user_via_ui_auth(
requester, requester,
request, request,
body.dict(), body.dict(exclude_unset=True),
"deactivate your account", "deactivate your account",
) )
result = await self._deactivate_account_handler.deactivate_account( result = await self._deactivate_account_handler.deactivate_account(
......
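Review bot: `exclude_unset=True` drops only the keys the client left out, so a body that sends `"auth": null` explicitly would presumably still be passed on as `{"auth": None}` at all three call sites (both `PasswordRestServlet` calls and the `DeactivateAccountRestServlet` one), assuming the request model accepts a null `auth`, which these hunks do not show. It is worth confirming that `validate_user_via_ui_auth` and `check_ui_auth` handle that value, or having the model reject null, and pinning the behaviour with a test. Because the reason for the flag is not evident at the call sites, I would add a comment above each one such as `# exclude_unset: pass UI auth only the keys the client sent, not model defaults`. The enclosing handler methods start and end outside the hunks.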
...@@ -322,3 +322,18 @@ class DeactivateAccountTestCase(HomeserverTestCase): ...@@ -322,3 +322,18 @@ class DeactivateAccountTestCase(HomeserverTestCase):
) )
), ),
) )
def test_deactivate_account_needs_auth(self) -> None:
"""
Tests that making a request to /deactivate with an empty body
succeeds in starting the user-interactive auth flow.
"""
req = self.make_request(
"POST",
"account/deactivate",
{},
access_token=self.token,
)
self.assertEqual(req.code, 401, req)
self.assertEqual(req.json_body["flows"], [{"stages": ["m.login.password"]}])
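Review bot: The new test covers only the `/account/deactivate` path, while the same `exclude_unset=True` change is made at two call sites in `PasswordRestServlet` that no test visible on this page exercises. A sibling test that posts `{}` to the password-change endpoint and asserts the 401 user-interactive-auth response would guard both endpoints against a regression of the validation problem. In this test I would also check that the response carries a session identifier, e.g. `self.assertIn("session", req.json_body)`, so that it pins a usable UI-auth challenge and not just the flow list. The test class begins outside the hunk.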