fix password reset not working on custom cp reset page

- avoid checking permissions when storing the token CPCN-434
superdesk · Oct 27, 2023 · 0cc4258 · 0cc4258
1 parent 896d0da
commit 0cc4258
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 11 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -7,23 +7,29 @@ jobs:
   flake8:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
       - run: pip install flake8
       - run: flake8
 
   mypy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
       - run: pip install -Ur mypy-requirements.txt
       - run: mypy .
 
   black:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
       - run: pip install black~=23.0
       - run: black --check .
diff --git a/newsroom/auth/utils.py b/newsroom/auth/utils.py
@@ -138,7 +138,7 @@ def send_token(user, token_type="validate", update_token=True):
         if update_token:
             updates = {}
             add_token_data(updates)
-            superdesk.get_resource_service("users").patch(id=bson.ObjectId(user["_id"]), updates=updates)
+            superdesk.get_resource_service("users").system_update(bson.ObjectId(user["_id"]), updates, user)
             token = updates["token"]
 
         if token_type == "validate":

diff --git a/newsroom/users/users.py b/newsroom/users/users.py
@@ -365,10 +365,6 @@ def check_permissions(self, doc, updates=None):
                 elif request and request.method == "DELETE" and doc.get("_id") != manager.get("_id"):
                     return
 
-        if request.url_rule and request.url_rule.rule:
-            if request.url_rule.rule in ["/reset_password/<token>", "/token/<token_type>"]:
-                return
-
         if request.method != "DELETE" and (
             not updated_fields or all([key in USER_PROFILE_UPDATES for key in updated_fields])
         ):