From d69c39cad1ed68123a78f55fdf91cd18e9eda514 Mon Sep 17 00:00:00 2001
From: Tim Abbott
Date: Tue, 24 Oct 2017 11:44:01 -0700
Subject: [PATCH] ldap: Prevent useless password resets when email auth is not enabled.

While the passwords wouldn't do anything without email auth enabled anyway, it's probably better not to have users be able to go through the flow.
---
 zerver/forms.py | 4 ++--
 zerver/tests/test_signup.py | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/zerver/forms.py b/zerver/forms.py
index 299686436a..3a93b4617b 100644
--- a/zerver/forms.py
+++ b/zerver/forms.py
@@ -26,7 +26,7 @@ from zerver.lib.subdomains import get_subdomain, check_subdomain, is_root_domain
 from zerver.lib.users import check_full_name
 from zerver.models import Realm, get_user_profile_by_email, UserProfile, \
 get_realm, email_to_domain, email_allowed_for_realm
-from zproject.backends import password_auth_enabled
+from zproject.backends import email_auth_enabled
 import logging
 import re
@@ -191,7 +191,7 @@ class ZulipPasswordResetForm(PasswordResetForm):
 users who don't have a usable password to reset their passwords.
 """
- if not password_auth_enabled:
+ if not email_auth_enabled():
 logging.info("Password reset attempted for %s even though password auth is disabled." % (email,))
 return []
 result = UserProfile.objects.filter(email__iexact=email, is_active=True,
diff --git a/zerver/tests/test_signup.py b/zerver/tests/test_signup.py
index 275e010e66..d2f40cdf7d 100644
--- a/zerver/tests/test_signup.py
+++ b/zerver/tests/test_signup.py
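Review bot: The log message on the line right after the new guard still says "password auth is disabled" although the condition now tests `email_auth_enabled()`, so an operator grepping the logs will be told the wrong setting is off; the line should read `logging.info("Password reset attempted for %s even though email auth is disabled.", email)`, which also passes the argument to the logger lazily instead of pre-formatting with `%`. Returning `[]` here is the right shape for the security property: the accompanying test shows the caller still renders the normal "check your email" page, so nothing observable tells the requester that the email backend is disabled, and that intent is worth a one-line comment above the `return []`, e.g. `# Send nothing, but let the view render the usual page so the response does not reveal that email auth is off.` The method this guard lives in starts before the hunk and its body continues past the `filter(` call on the hunk's last line.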
@@ -250,6 +250,25 @@ class PasswordResetTest(ZulipTestCase):
 self.assertIn("Psst. Word on the street is that you", message.body)
+ @override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',
+ 'zproject.backends.ZulipDummyBackend'))
+ def test_ldap_auth_only(self):
+ # type: () -> None
+ """If the email auth backend is not enabled, password reset should do nothing"""
+ email = self.example_email("hamlet")
+ result = self.client_post('/accounts/password/reset/', {'email': email})
+
+ # check the redirect link telling you to check mail for password reset link
+ self.assertEqual(result.status_code, 302)
+ self.assertTrue(result["Location"].endswith(
+ "/accounts/password/reset/done/"))
+ result = self.client_get(result["Location"])
+
+ self.assert_in_response("Check your email to finish the process.", result)
+
+ from django.core.mail import outbox
+ self.assertEqual(len(outbox), 0)
+
 def test_redirect_endpoints(self):
 # type: () -> None
 '''
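Review bot: The docstring on `test_ldap_auth_only` says the reset "should do nothing", but the assertions that follow pin something stronger and security-relevant: the 302 to `/accounts/password/reset/done/` and the "Check your email to finish the process." page must look exactly like the email-auth case while `outbox` stays empty, i.e. the endpoint must not disclose that email auth is disabled. That intent should be stated so a later refactor does not "helpfully" add an error page; replace the docstring with `"""With only LDAP enabled, a reset request must send no mail but still render the normal 'check your email' page, so the response does not reveal that email auth is off."""`. The `# check the redirect link ...` comment could likewise say `# Response must be indistinguishable from the email-auth case`. The hunk's trailing context shows only the first lines of `test_redirect_endpoints`, whose body lies outside it.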