From 0fb2d330c9f8b29fff4116c9cfd9e074700ac1f1 Mon Sep 17 00:00:00 2001
From: leela
Date: Fri, 5 Mar 2021 14:16:41 +0530
Subject: [PATCH] test: Fix rate limiting reset password test
---
 frappe/core/doctype/user/test_user.py | 21 ++++++++++++++-------
 frappe/core/doctype/user/user.py | 10 +++-------
 frappe/tests/test_rate_limiter.py | 22 ----------------------
 3 files changed, 17 insertions(+), 36 deletions(-)
diff --git a/frappe/core/doctype/user/test_user.py b/frappe/core/doctype/user/test_user.py
index d16db5fecd..8a8071423e 100644
--- a/frappe/core/doctype/user/test_user.py
+++ b/frappe/core/doctype/user/test_user.py
@@ -11,6 +11,7 @@ from frappe.utils import get_url
 from frappe.core.doctype.user.user import get_total_users
 from frappe.core.doctype.user.user import MaxUsersReachedError, test_password_strength
 from frappe.core.doctype.user.user import extract_mentions
+from frappe.frappeclient import FrappeClient
 test_records = frappe.get_test_records('User')
@@ -229,16 +230,22 @@ class TestUser(unittest.TestCase):
 self.assertEqual(extract_mentions(comment)[1], "test.again@example1.com")
 def test_rate_limiting_for_reset_password(self):
- from frappe.utils.password import delete_password_reset_cache
- delete_password_reset_cache()
-
+ # Allow only one reset request for a day
 frappe.db.set_value("System Settings", "System Settings", "password_reset_limit", 1)
+ frappe.db.commit()
- user = frappe.get_doc("User", "testperm@example.com")
- link = user.reset_password()
- self.assertRegex(link, "\/update-password\?key=[A-Za-z0-9]*")
+ url = get_url()
+ data={'cmd': 'frappe.core.doctype.user.user.reset_password', 'user': 'test@test.com'}
- self.assertRaises(frappe.ValidationError, user.reset_password, False)
+ # Clear rate limit tracker to start fresh
+ key = f"rl:{data['cmd']}:{data['user']}"
+ frappe.cache().delete(key)
+
+ c = FrappeClient(url)
+ res1 = c.session.post(url, data=data, verify=c.verify, headers=c.headers)
+ res2 = c.session.post(url, data=data, verify=c.verify, headers=c.headers)
+ self.assertEqual(res1.status_code, 200)
+ self.assertEqual(res2.status_code, 417)
 def test_user_rollback(self):
 """ """
diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py
index 573dcd7f17..c103ad7e4a 100644
--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@@ -6,6 +6,9 @@ from __future__ import unicode_literals, print_function
 from bs4 import BeautifulSoup
 import frappe
+import frappe.share
+import frappe.defaults
+import frappe.permissions
 from frappe.model.document import Document
 from frappe.utils import cint, flt, has_gravatar, escape_html, format_datetime, now_datetime, get_formatted_email, today
 from frappe import throw, msgprint, _
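Review bot: `test_rate_limiting_for_reset_password` writes `password_reset_limit = 1` to System Settings and now commits it, but nothing in the hunk restores the previous value, so the lowered limit stays in the test site's database for every later test or request that goes through the reset endpoint. Read the old value first with `old = frappe.db.get_single_value("System Settings", "password_reset_limit")` and register `self.addCleanup(frappe.db.set_value, "System Settings", "System Settings", "password_reset_limit", old)`, committing again after the restore. The test also rebuilds the limiter's cache key by hand as `f"rl:{data['cmd']}:{data['user']}"`, so the counter silently stops being cleared if the key scheme changes. A 417 is presumably what any validation failure on this endpoint returns, so asserting on the response body as well would show that the second request was rejected by the rate limiter and not for another reason.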
@@ -1170,10 +1173,3 @@ def generate_keys(user):
 def switch_theme(theme):
 if theme in ["Dark", "Light"]:
 frappe.db.set_value("User", frappe.session.user, "desk_theme", theme)
-
-@frappe.whitelist(allow_guest=True)
-@rate_limit(key='user', limit=2, seconds = 60*60)
-def test_ratelimit(user):
- """This endpoint is used by testcases to check the ratelimit is functioning as expected.
- """
- return
diff --git a/frappe/tests/test_rate_limiter.py b/frappe/tests/test_rate_limiter.py
index 68d463ef74..ae1857bb31 100644
--- a/frappe/tests/test_rate_limiter.py
+++ b/frappe/tests/test_rate_limiter.py
@@ -13,8 +13,6 @@ import frappe
 import frappe.rate_limiter
 from frappe.rate_limiter import RateLimiter
 from frappe.utils import cint
-from frappe.frappeclient import FrappeClient
-from frappe.utils.data import get_url
 class TestRateLimiter(unittest.TestCase):
@@ -118,23 +116,3 @@ class TestRateLimiter(unittest.TestCase):
 self.assertEqual(limiter.duration, cint(frappe.cache().get(limiter.key)))
 frappe.cache().delete(limiter.key)
-
- def test_rate_limit_decorator(self):
- """Check that rate limit decorator raises 417 when limit is crossed.
- """
- url = get_url()
- data={'cmd': 'frappe.core.doctype.user.user.test_ratelimit', 'user': 'test@test.com'}
-
- # Clear rate limit tracker to start fresh
- key = f"rl:{data['cmd']}:{data['user']}"
- frappe.cache().delete(key)
-
- c = FrappeClient(url)
- res1 = c.session.post(url, data=data, verify=c.verify, headers=c.headers)
- res2 = c.session.post(url, data=data, verify=c.verify, headers=c.headers)
- res3 = c.session.post(url, data=data, verify=c.verify, headers=c.headers)
-
- self.assertEqual(res1.status_code, 200)
- self.assertEqual(res2.status_code, 200)
- self.assertEqual(res3.status_code, 417)
-