
Commit dff77a6

authored
Merge pull request #827 from open-craft/fox/teak-activation-patch
fix: remove activation_key from account REST API response
2 parents 36f199a + bb84543 commit dff77a6

4 files changed

Lines changed: 10 additions & 18 deletions


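--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -4314,7 +4314,6 @@ def _make_locale_paths(settings): # pylint: disable=missing-function-docstring
 "secondary_email_enabled",
 "year_of_birth",
 "phone_number",
-"activation_key",
 "pending_name_change",
 ]
 )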

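--- a/openedx/core/djangoapps/user_api/accounts/serializers.py
+++ b/openedx/core/djangoapps/user_api/accounts/serializers.py
@@ -142,11 +142,6 @@ def to_representation(self, user): # lint-amnesty, pylint: disable=arguments-di
 except ObjectDoesNotExist:
 account_recovery = None
 
-try:
-activation_key = user.registration.activation_key
-except ObjectDoesNotExist:
-activation_key = None
-
 data = {
 "username": user.username,
 "url": self.context.get('request').build_absolute_uri(
@@ -161,7 +156,6 @@ def to_representation(self, user): # lint-amnesty, pylint: disable=arguments-di
 "date_joined": user.date_joined.replace(microsecond=0),
 "last_login": user.last_login,
 "is_active": user.is_active,
-"activation_key": activation_key,
 "bio": None,
 "country": None,
 "state": None,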
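Review bot: The new side of the first hunk drops the `user.registration` lookup without leaving any trace of why, so a later contributor adding registration-related data to this payload has nothing warning them that the key was removed on purpose; a one-line comment above `data = {`, such as `# Deliberately no registration/activation_key here: it is the email-verification secret (see #827).`, would record the decision next to the code. The same reasoning applies to the second hunk, where the dict entry is removed. Dropping the lookup presumably also accounts for the one-query reduction in the test changes of this PR, which is consistent with the serializer no longer touching the registration table. to_representation starts before and ends after these hunks.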

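--- a/openedx/core/djangoapps/user_api/accounts/tests/test_api.py
+++ b/openedx/core/djangoapps/user_api/accounts/tests/test_api.py
@@ -635,7 +635,6 @@ def test_create_account(self):
 'id': user.id,
 'name': self.USERNAME,
 'verified_name': None,
-'activation_key': user.registration.activation_key,
 'gender': None, 'goals': '',
 'is_active': False,
 'level_of_education': None,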

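--- a/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
+++ b/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
@@ -358,8 +358,8 @@ class TestAccountsAPI(FilteredQueryCountMixin, CacheIsolationTestCase, UserAPITe
 """
 
 ENABLED_CACHES = ['default']
-TOTAL_QUERY_COUNT = 26
-FULL_RESPONSE_FIELD_COUNT = 29
+TOTAL_QUERY_COUNT = 25
+FULL_RESPONSE_FIELD_COUNT = 28
 
 def setUp(self):
 super().setUp()
@@ -488,19 +488,19 @@ def test_get_account_unknown_user(self, api_client, user):
 ("client", "user"),
 )
 @ddt.unpack
-def test_regsitration_activation_key(self, api_client, user):
+def test_regsitration_activation_key_not_exposed(self, api_client, user):
 """
-Test that registration activation key has a value.
+Test that activation_key is NOT returned in the account API response.
 
-UserFactory does not auto-generate registration object for the test users.
-It is created only for users that signup via email/API. Therefore, activation key has to be tested manually.
+The activation_key is a secret used for email verification and must not be
+exposed via the API, as doing so allows bypassing email verification.
 """
 self.create_user_registration(self.user)
 
 client = self.login_client(api_client, user)
 response = self.send_get(client)
 
-assert response.data["activation_key"] is not None
+assert "activation_key" not in response.data
 
 def test_successful_get_account_by_email(self):
 """
@@ -811,12 +811,12 @@ def verify_get_own_information(queries):
 assert data['time_zone'] is None
 
 self.client.login(username=self.user.username, password=TEST_PASSWORD)
-verify_get_own_information(self._get_num_queries(24))
+verify_get_own_information(self._get_num_queries(23))
 
 # Now make sure that the user can get the same information, even if not active
 self.user.is_active = False
 self.user.save()
-verify_get_own_information(self._get_num_queries(16))
+verify_get_own_information(self._get_num_queries(15))
 
 def test_get_account_empty_string(self):
 """
@@ -831,7 +831,7 @@ def test_get_account_empty_string(self):
 legacy_profile.save()
 
 self.client.login(username=self.user.username, password=TEST_PASSWORD)
-with self.assertNumQueries(self._get_num_queries(24), table_ignorelist=WAFFLE_TABLES):
+with self.assertNumQueries(self._get_num_queries(23), table_ignorelist=WAFFLE_TABLES):
 response = self.send_get(self.client)
 for empty_field in ("level_of_education", "gender", "country", "state", "bio",):
 assert response.data[empty_field] is None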
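Review bot: The renamed test in the second hunk keeps the "regsitration" misspelling from the old name; since the rename already rewrites that line, `def test_registration_activation_key_not_exposed(self, api_client, user):` would fix it at no extra cost. The new assertion `assert "activation_key" not in response.data` checks only that the top-level key is absent, which is the right contract for this endpoint; if `create_user_registration` returns the registration object, an extra check that its key string does not appear anywhere in the serialized body would also catch the value resurfacing under another field, but that helper's return value is not visible in this hunk. The query-count constants changed in the other three hunks appear to follow from the serializer no longer reading `user.registration`, so they look consistent with the change.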
