in password reset, also try lowercasing the email to see if that matches

apache · Jan 22, 2024 · a50d921 · a50d921
1 parent 81af7ab
commit a50d921
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
@@ -223,6 +223,11 @@ def password_recovery_hash(self, email=None, **kw):
             redirect('/')
 
         user_record = M.User.by_email_address(email, only_confirmed=False)
+        if not user_record and email != email.lower():
+            # try again lowercase
+            email = email.lower()
+            user_record = M.User.by_email_address(email, only_confirmed=False)
+
         allow_non_primary_email_reset = asbool(config.get('auth.allow_non_primary_email_password_reset', True))
 
         if not re.match(r"[^@]+@[^@]+\.[^@]+", email):

diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
@@ -1764,6 +1764,25 @@ def test_password_reset(self, gen_message_id, sendsimplemail):
         r = r.follow().follow()
         assert 'Log Out' in r, r
 
+
+    @patch('allura.tasks.mail_tasks.sendsimplemail')
+    @patch('allura.lib.helpers.gen_message_id')
+    def test_capitalized_email_entered(self, gen_message_id, sendmail):
+        self.app.get('/').follow()  # establish session
+        user = M.User.query.get(username='test-admin')
+        email = M.EmailAddress.find({'claimed_by_user_id': user._id}).first()
+        email.confirmed = True
+        ThreadLocalODMSession.flush_all()
+
+        # request a reset
+        with td.audits('Password recovery link sent to: ' + email.email, user=True):
+            r = self.app.post('/auth/password_recovery_hash', {'email': email.email.capitalize(),  # NOTE THIS
+                                                               '_session_id': self.app.cookies['_session_id'],
+                                                               })
+        # confirm it worked
+        hash = user.get_tool_data('AuthPasswordReset', 'hash')
+        assert hash is not None
+
     @patch('allura.tasks.mail_tasks.sendsimplemail')
     @patch('allura.lib.helpers.gen_message_id')
     def test_hash_expired(self, gen_message_id, sendmail):