From 16988a518848c9723f084fd141bf00cbaa5562d9 Mon Sep 17 00:00:00 2001 From: swayam0322 Date: Mon, 15 Jan 2024 04:58:49 +0530 Subject: [PATCH] find_account: Remove emails as URL parameters. Earlier, after a successful POST request on find accounts page users were redirected to a URL with the emails (submitted via form) as URL parameters. Those raw emails in the URL were used to display on a template. We no longer redirect to such a URL; instead, we directly render a template with emails passed as a context variable. Fixes part of #3128 --- zerver/tests/test_signup.py | 25 ++++++------------------ zerver/views/development/email_log.py | 2 +- zerver/views/registration.py | 28 +++++---------------------- 3 files changed, 12 insertions(+), 43 deletions(-) diff --git a/zerver/tests/test_signup.py b/zerver/tests/test_signup.py index 5a16be39fd..1c07efd1f0 100644 --- a/zerver/tests/test_signup.py +++ b/zerver/tests/test_signup.py @@ -4251,11 +4251,7 @@ class TestFindMyTeam(ZulipTestCase): result = self.client_post( "/accounts/find/", dict(emails="iago@zulip.com,cordeliA@zulip.com") ) - self.assertEqual(result.status_code, 302) - self.assertEqual( - result["Location"], "/accounts/find/?emails=iago%40zulip.com%2CcordeliA%40zulip.com" - ) - result = self.client_get(result["Location"]) + self.assertEqual(result.status_code, 200) content = result.content.decode() self.assertIn("Emails sent! You will only receive emails", content) self.assertIn("iago@zulip.com", content) 
@@ -4274,12 +4270,7 @@ class TestFindMyTeam(ZulipTestCase): result = self.client_post( "/accounts/find/", dict(emails="iago@zulip.com,invalid_email@zulip.com") ) - self.assertEqual(result.status_code, 302) - self.assertEqual( - result["Location"], - "/accounts/find/?emails=iago%40zulip.com%2Cinvalid_email%40zulip.com", - ) - result = self.client_get(result["Location"]) + self.assertEqual(result.status_code, 200) content = result.content.decode() self.assertIn("Emails sent! You will only receive emails", content) self.assertIn(self.example_email("iago"), content) @@ -4312,8 +4303,7 @@ class TestFindMyTeam(ZulipTestCase): def test_find_team_one_email(self) -> None: data = {"emails": self.example_email("hamlet")} result = self.client_post("/accounts/find/", data) - self.assertEqual(result.status_code, 302) - self.assertEqual(result["Location"], "/accounts/find/?emails=hamlet%40zulip.com") + self.assertEqual(result.status_code, 200) from django.core.mail import outbox self.assert_length(outbox, 1) @@ -4322,8 +4312,7 @@ class TestFindMyTeam(ZulipTestCase): do_deactivate_user(self.example_user("hamlet"), acting_user=None) data = {"emails": self.example_email("hamlet")} result = self.client_post("/accounts/find/", data) - self.assertEqual(result.status_code, 302) - self.assertEqual(result["Location"], "/accounts/find/?emails=hamlet%40zulip.com") + self.assertEqual(result.status_code, 200) from django.core.mail import outbox self.assert_length(outbox, 0) @@ -4332,8 +4321,7 @@ class TestFindMyTeam(ZulipTestCase): do_deactivate_realm(get_realm("zulip"), acting_user=None) data = {"emails": self.example_email("hamlet")} result = self.client_post("/accounts/find/", data) - self.assertEqual(result.status_code, 302) - self.assertEqual(result["Location"], "/accounts/find/?emails=hamlet%40zulip.com") + self.assertEqual(result.status_code, 200) from django.core.mail import outbox self.assert_length(outbox, 0) 
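Review bot: In `test_find_team_one_email` (@@ -4303) the only remaining response check is `self.assertEqual(result.status_code, 200)`, which no longer shows that the form was accepted. Judging by the view change in zerver/views/registration.py, a POST that fails validation appears to reach the same `render(...)` and would also return 200. The removed `Location` assertions also pinned that the submitted address is echoed back whether or not any mail was sent, which is the anti-enumeration behaviour the view's comment describes. Adding `self.assertIn(self.example_email("hamlet"), result.content.decode())` would restore both checks. The same applies to the hunks at @@ -4312, @@ -4321 and @@ -4341 (with `webhook_bot` in the last, and the first two test bodies start outside their hunks), and to the bare `assert result.status_code == 200` in zerver/views/development/email_log.py.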
@@ -4341,8 +4329,7 @@ class TestFindMyTeam(ZulipTestCase): def test_find_team_bot_email(self) -> None: data = {"emails": self.example_email("webhook_bot")} result = self.client_post("/accounts/find/", data) - self.assertEqual(result.status_code, 302) - self.assertEqual(result["Location"], "/accounts/find/?emails=webhook-bot%40zulip.com") + self.assertEqual(result.status_code, 200) from django.core.mail import outbox self.assert_length(outbox, 0) diff --git a/zerver/views/development/email_log.py b/zerver/views/development/email_log.py index 2d570b9b2a..3da5aeed37 100644 --- a/zerver/views/development/email_log.py +++ b/zerver/views/development/email_log.py @@ -102,7 +102,7 @@ def generate_all_emails(request: HttpRequest) -> HttpResponse: # Find account email result = client.post("/accounts/find/", {"emails": registered_email}, HTTP_HOST=realm.host) - assert result.status_code == 302 + assert result.status_code == 200 # New login email logged_in = client.login(dev_auth_username=registered_email, realm=realm) diff --git a/zerver/views/registration.py b/zerver/views/registration.py index 04c0b827f6..7681fdf4a7 100644 --- a/zerver/views/registration.py +++ b/zerver/views/registration.py @@ -1067,15 +1067,16 @@ def accounts_home_from_multiuse_invite(request: HttpRequest, confirmation_key: s @has_request_variables -def find_account( - request: HttpRequest, raw_emails: Optional[str] = REQ("emails", default=None) -) -> HttpResponse: +def find_account(request: HttpRequest) -> HttpResponse: url = reverse("find_account") - + form = FindMyTeamForm() emails: List[str] = [] if request.method == "POST": form = FindMyTeamForm(request.POST) if form.is_valid(): + # Note: Show all the emails in the POST request response + # otherwise this feature can be used to ascertain which + # email addresses are associated with Zulip. emails = form.cleaned_data["emails"] for i in range(len(emails)): try: 
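Review bot: `@has_request_variables` is kept above `find_account` although the new signature `def find_account(request: HttpRequest) -> HttpResponse:` no longer declares any `REQ(...)` parameter, so the decorator looks redundant and can be dropped. The patch has no import hunk for this file, so it is worth checking whether `urlencode`, `append_url_query_string`, `REQ` and `Optional` still have users elsewhere in the module. The relocated comment could state the property directly, e.g. `# Echo every submitted address, matched or not, so the response does not reveal which emails have accounts.` The function body continues outside this hunk.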
@@ -1124,25 +1125,6 @@ def find_account( from_address=FromAddress.SUPPORT, request=request, ) - - # Note: Show all the emails in the result otherwise this - # feature can be used to ascertain which email addresses - # are associated with Zulip. - data = urlencode({"emails": ",".join(emails)}) - return redirect(append_url_query_string(url, data)) - else: - form = FindMyTeamForm() - # The below validation is perhaps unnecessary, in that we - # shouldn't get able to get here with an invalid email unless - # the user hand-edits the URLs. - if raw_emails: - for email in raw_emails.split(","): - try: - validators.validate_email(email) - emails.append(email) - except ValidationError: - pass - return render( request, "zerver/find_account.html",
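Review bot: With `return redirect(...)` removed, a valid POST now falls through to `return render(...)`, so the confirmation page is the POST response itself and a browser reload re-submits the form and sends the account emails again. Keeping addresses out of the URL is the right goal (query strings end up in access logs, browser history and Referer headers), but it can be combined with post/redirect/get by carrying the list server-side, for example `request.session["find_account_emails"] = emails` followed by `return redirect(url)` and a `pop` in the GET path. The key name there is illustrative, and this assumes sessions are available to anonymous visitors. If the direct render stays, confirm that whatever rate limit applies to this endpoint, which is not visible in the hunk, also covers repeated submissions. The `render(...)` call continues past the end of the hunk.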