authorJames Tait <james.tait@canonical.com>2013-06-21 15:05:18 +0100
committerJames Tait <james.tait@canonical.com>2013-06-21 15:05:18 +0100
commitfe9b4f33615652e3ba12cca9af054595f394fee8 (patch)
tree30ec9478bb54e74fbc052718a95911e6ff4c25ec
parentfb446fbf45bedb6123639005a98c1b7098eb7751 (diff)
parentcfb82d35b603979b98b3593e33bd8b7827128485 (diff)
Merged origin/trunk into ax-email-verified.
-rw-r--r--django_openid_auth/tests/test_auth.py60
-rw-r--r--django_openid_auth/tests/test_views.py48
-rw-r--r--django_openid_auth/views.py25
3 files changed, 83 insertions, 50 deletions
diff --git a/django_openid_auth/tests/test_auth.py b/django_openid_auth/tests/test_auth.py
index 635484b..cb4570b 100644
--- a/django_openid_auth/tests/test_auth.py
+++ b/django_openid_auth/tests/test_auth.py
@@ -192,37 +192,49 @@ class OpenIDBackendTests(TestCase):
self.assertEqual("Some56789012345678901234567890", user.first_name)
self.assertEqual("User56789012345678901234567890", user.last_name)
- def test_update_user_openid_unverified(self):
- response = self.make_response_ax()
- user = User.objects.create_user('someuser', 'someuser@example.com',
- password=None)
+ def make_user(self, username='someuser', email='someuser@example.com',
+ password=None):
+ user = User.objects.create_user(username, email, password=password)
+ return user
+
+ def make_user_openid(self, user=None,
+ claimed_id='http://example.com/existing_identity',
+ display_id='http://example.com/existing_identity'):
+ if user is None:
+ user = self.make_user()
user_openid, created = UserOpenID.objects.get_or_create(
- user=user,
- claimed_id='http://example.com/existing_identity',
- display_id='http://example.com/existing_identity',
- account_verified=False)
- data = dict(first_name=u"Some56789012345678901234567890123",
- last_name=u"User56789012345678901234567890123",
- email=u"someotheruser@example.com", account_verified=False)
+ user=user, claimed_id=claimed_id, display_id=display_id)
+ return user_openid
- self.backend.update_user_details(user_openid, data, response)
- self.assertFalse(user_openid.account_verified)
+ def _test_account_verified(self, user_openid, verified, expected):
+ # set user's verification status
+ user_openid.account_verified = verified
- def test_update_user_openid_verified(self):
+ # get a response including verification status
response = self.make_response_ax()
- user = User.objects.create_user('someuser', 'someuser@example.com',
- password=None)
- user_openid, created = UserOpenID.objects.get_or_create(
- user=user,
- claimed_id='http://example.com/existing_identity',
- display_id='http://example.com/existing_identity',
- account_verified=False)
data = dict(first_name=u"Some56789012345678901234567890123",
last_name=u"User56789012345678901234567890123",
- email=u"someotheruser@example.com", account_verified=True)
-
+ email=u"someotheruser@example.com", account_verified=expected)
self.backend.update_user_details(user_openid, data, response)
- self.assertTrue(user_openid.account_verified)
+
+ # refresh object from the database
+ user_openid = UserOpenID.objects.get(pk=user_openid.pk)
+ # check the verification status
+ self.assertEqual(user_openid.account_verified, expected)
+ self.assertEqual(user_openid.user.has_perm(
+ 'django_openid_auth.account_verified'), expected)
+
+ def test_update_user_openid_unverified(self):
+ user_openid = self.make_user_openid()
+
+ for verified in (False, True):
+ self._test_account_verified(user_openid, verified, expected=False)
+
+ def test_update_user_openid_verified(self):
+ user_openid = self.make_user_openid()
+
+ for verified in (False, True):
+ self._test_account_verified(user_openid, verified, expected=True)
def test_extract_user_details_name_with_trailing_space(self):
response = self.make_response_ax(fullname="SomeUser ")
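Review bot: The downgrade case in `test_update_user_openid_unverified` never starts from an account that actually holds the `django_openid_auth.account_verified` permission, because `_test_account_verified` only sets `user_openid.account_verified = verified` on the in-memory object, with no `save()` and no permission grant visible in the hunk. The `has_perm(...)` assertion for `expected=False` would therefore presumably pass even if `update_user_details` (not shown here) never revoked anything. Establishing the verified state through the backend first, e.g. `self._test_account_verified(user_openid, False, expected=True)` before the loop, would make the test cover revocation. The `expected` argument also doubles as the provider-reported value placed in `data`, so a one-line docstring saying so would help the next reader. The enclosing class begins above the hunk and `test_extract_user_details_name_with_trailing_space` continues below it.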
diff --git a/django_openid_auth/tests/test_views.py b/django_openid_auth/tests/test_views.py
index 6c21036..3ebe34e 100644
--- a/django_openid_auth/tests/test_views.py
+++ b/django_openid_auth/tests/test_views.py
@@ -153,7 +153,7 @@ class DummyDjangoRequest(object):
def build_absolute_uri(self):
return self.META['SCRIPT_NAME'] + self.request_path
-
+
def _combined_request(self):
request = {}
request.update(self.POST)
@@ -430,7 +430,7 @@ class RelyingPartyTests(TestCase):
settings.OPENID_PHYSICAL_MULTIFACTOR_REQUIRED = True
preferred_auth = pape.AUTH_MULTI_FACTOR_PHYSICAL
self.provider.type_uris.append(pape.ns_uri)
-
+
openid_req = {'openid_identifier': 'http://example.com/identity',
'next': '/getuser/'}
response = self.client.post('/openid/login/', openid_req)
@@ -480,7 +480,7 @@ class RelyingPartyTests(TestCase):
query = self.parse_query_string(response.request['QUERY_STRING'])
self.assertTrue('openid.pape.auth_policies' in query)
- self.assertEqual(query['openid.pape.auth_policies'],
+ self.assertEqual(query['openid.pape.auth_policies'],
quote_plus(preferred_auth))
response = self.client.get('/getuser/')
@@ -509,7 +509,7 @@ class RelyingPartyTests(TestCase):
Consumer.complete = mock_complete
user = User.objects.create_user('testuser', 'test@example.com')
- useropenid = UserOpenID(
+ useropenid = UserOpenID(
user=user,
claimed_id='http://example.com/identity',
display_id='http://example.com/identity',
@@ -565,7 +565,7 @@ class RelyingPartyTests(TestCase):
Consumer.complete = mock_complete
user = User.objects.create_user('testuser', 'test@example.com')
- useropenid = UserOpenID(
+ useropenid = UserOpenID(
user=user,
claimed_id='http://example.com/identity',
display_id='http://example.com/identity',
@@ -965,7 +965,7 @@ class RelyingPartyTests(TestCase):
self.assertTrue(isinstance(exception, (RequiredAttributeNotReturned, MissingUsernameViolation)))
return HttpResponse('Test Failure Override', status=200)
settings.OPENID_RENDER_FAILURE = mock_login_failure_handler
-
+
# Posting in an identity URL begins the authentication request:
response = self.client.post('/openid/login/',
{'openid_identifier': 'http://example.com/identity',
@@ -983,7 +983,7 @@ class RelyingPartyTests(TestCase):
'email': 'foo@example.com'})
openid_response.addExtension(sreg_response)
response = self.complete(openid_response)
-
+
# Status code should be 200, since we over-rode the login_failure handler
self.assertEquals(200, response.status_code)
self.assertContains(response, 'Test Failure Override')
@@ -1062,7 +1062,7 @@ class RelyingPartyTests(TestCase):
'email': 'foo@example.com'})
openid_response.addExtension(sreg_response)
response = self.complete(openid_response)
-
+
# Status code should be 200, since we over-rode the login_failure handler
self.assertEquals(200, response.status_code)
self.assertContains(response, 'Test Failure Override')
@@ -1164,14 +1164,14 @@ class RelyingPartyTests(TestCase):
self.assertEqual(['email', 'language'], sreg_request.required)
self.assertEqual(['fullname', 'nickname'], sreg_request.optional)
- def check_login_attribute_exchange(self, validation_type, is_verified):
+ def check_login_attribute_exchange(self, validation_type, is_verified,
+ request_account_verified=True):
settings.OPENID_UPDATE_DETAILS_FROM_SREG = True
user = User.objects.create_user('testuser', 'someone@example.com')
useropenid = UserOpenID(
user=user,
claimed_id='http://example.com/identity',
- display_id='http://example.com/identity',
- account_verified=False)
+ display_id='http://example.com/identity')
useropenid.save()
# Configure the provider to advertise attribute exchange
@@ -1208,8 +1208,10 @@ class RelyingPartyTests(TestCase):
self.assertTrue(fetch_request.has_key(
'http://schema.openid.net/namePerson/friendly'))
# Account verification:
- self.assertTrue(fetch_request.has_key(
- 'http://ns.login.ubuntu.com/2013/validation/account'))
+ self.assertEqual(
+ fetch_request.has_key(
+ 'http://ns.login.ubuntu.com/2013/validation/account'),
+ request_account_verified)
# Build up a response including AX data.
openid_response = openid_request.answer(True)
@@ -1248,27 +1250,35 @@ class RelyingPartyTests(TestCase):
user_openid = UserOpenID.objects.get(user=user)
self.assertEqual(user_openid.account_verified, is_verified)
- def test_login_attribute_exchange_with_validation(self):
+ def test_login_attribute_exchange_with_verification(self):
settings.OPENID_VALID_VERIFICATION_SCHEMES = {
self.provider.endpoint_url: ('token_via_email',),
}
self.check_login_attribute_exchange('token_via_email',
is_verified=True)
- def test_login_attribute_exchange_without_validation(self):
+ def test_login_attribute_exchange_without_verification(self):
settings.OPENID_VALID_VERIFICATION_SCHEMES = {
self.provider.endpoint_url: ('token_via_email',),
}
self.check_login_attribute_exchange(None, is_verified=False)
- def test_login_attribute_exchange_unrecognised_validation(self):
+ def test_login_attribute_exchange_without_account_verified(self):
+ # don't request account_verified attribute in AX request (as there are
+ # no valid verificatation schemes defined)
+ # and check account verification status is left unmodified
+ # (it's set to False by default for a new user)
+ self.check_login_attribute_exchange(None, is_verified=False,
+ request_account_verified=False)
+
+ def test_login_attribute_exchange_unrecognised_verification(self):
settings.OPENID_VALID_VERIFICATION_SCHEMES = {
self.provider.endpoint_url: ('token_via_email',),
}
self.check_login_attribute_exchange('unrecognised_scheme',
is_verified=False)
- def test_login_attribute_exchange_different_default_validation(self):
+ def test_login_attribute_exchange_different_default_verification(self):
settings.OPENID_VALID_VERIFICATION_SCHEMES = {
None: ('token_via_email', 'sms'),
'http://otherprovider/': ('unrecognised_scheme',),
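Review bot: `test_login_attribute_exchange_without_account_verified` only holds when `OPENID_VALID_VERIFICATION_SCHEMES` is unset, yet the neighbouring tests assign it directly on the shared `settings` object, so unless a tearDown outside this hunk restores it the outcome depends on test order. Starting the test with `settings.OPENID_VALID_VERIFICATION_SCHEMES = {}` would make the precondition explicit. The new comment contains a typo, `verificatation`, which should read `verification`. The last test in the hunk, `test_login_attribute_exchange_different_default_verification`, continues past its end.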
@@ -1276,7 +1286,7 @@ class RelyingPartyTests(TestCase):
self.check_login_attribute_exchange('unrecognised_scheme',
is_verified=False)
- def test_login_attribute_exchange_matched_default_validation(self):
+ def test_login_attribute_exchange_matched_default_verification(self):
settings.OPENID_VALID_VERIFICATION_SCHEMES = {
None: ('token_via_email',),
'http://otherprovider/': ('unrecognised_scheme',),
@@ -1449,7 +1459,7 @@ class RelyingPartyTests(TestCase):
self.assertTrue(self.signal_handler_called)
openid_login_complete.disconnect(login_callback)
-
+
class HelperFunctionsTest(TestCase):
def test_sanitise_redirect_url(self):
settings.ALLOWED_EXTERNAL_OPENID_REDIRECT_DOMAINS = [
diff --git a/django_openid_auth/views.py b/django_openid_auth/views.py
index 244d9a8..50d74e8 100644
--- a/django_openid_auth/views.py
+++ b/django_openid_auth/views.py
@@ -169,7 +169,6 @@ def login_begin(request, template_name='openid/login.html',
redirect_field_name: redirect_to
}, context_instance=RequestContext(request))
- error = None
consumer = make_consumer(request)
try:
openid_request = consumer.begin(openid_url)
@@ -180,7 +179,8 @@ def login_begin(request, template_name='openid/login.html',
# Request some user details. If the provider advertises support
# for attribute exchange, use that.
- if openid_request.endpoint.supportsType(ax.AXMessage.ns_uri):
+ endpoint = openid_request.endpoint
+ if endpoint.supportsType(ax.AXMessage.ns_uri):
fetch_request = ax.FetchRequest()
# We mark all the attributes as required, since Google ignores
# optional attributes. We request both the full name and
@@ -198,10 +198,21 @@ def login_begin(request, template_name='openid/login.html',
('http://schema.openid.net/contact/email', 'old_email'),
('http://schema.openid.net/namePerson', 'old_fullname'),
('http://schema.openid.net/namePerson/friendly',
- 'old_nickname'),
- ('http://ns.login.ubuntu.com/2013/validation/account',
- 'account_verified')]:
+ 'old_nickname')]:
fetch_request.add(ax.AttrInfo(attr, alias=alias, required=True))
+
+ # conditionally require account_verified attribute
+ verification_scheme_map = getattr(
+ settings, 'OPENID_VALID_VERIFICATION_SCHEMES', {})
+ valid_schemes = verification_scheme_map.get(
+ endpoint.server_url, verification_scheme_map.get(None, ()))
+ if valid_schemes:
+ # there are valid schemes configured for this endpoint, so
+ # request account_verified status
+ fetch_request.add(ax.AttrInfo(
+ 'http://ns.login.ubuntu.com/2013/validation/account',
+ alias='account_verified', required=True))
+
openid_request.addExtension(fetch_request)
else:
sreg_required_fields = []
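Review bot: The comment `# conditionally require account_verified attribute` on the new block should state that leaving the attribute out of the fetch request is not a trust decision, since a provider can still return a validation value that was never requested. Something like `# NOTE: the response side must still check the returned scheme against OPENID_VALID_VERIFICATION_SCHEMES; omitting the request does not prevent an unsolicited value` would record that, assuming the response handling (not part of this diff) performs that check. A test calling `check_login_attribute_exchange` with a validation type, `is_verified=False` and `request_account_verified=False` would pin the behaviour. `login_begin` starts and ends outside the hunk.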
@@ -216,7 +227,7 @@ def login_begin(request, template_name='openid/login.html',
openid_request.addExtension(
sreg.SRegRequest(optional=sreg_optional_fields,
required=sreg_required_fields))
-
+
if getattr(settings, 'OPENID_PHYSICAL_MULTIFACTOR_REQUIRED', False):
preferred_auth = [
pape.AUTH_MULTI_FACTOR_PHYSICAL,
@@ -273,7 +284,7 @@ def login_complete(request, redirect_field_name=REDIRECT_FIELD_NAME,
user = authenticate(openid_response=openid_response)
except DjangoOpenIDException, e:
return render_failure(request, e.message, exception=e)
-
+
if user is not None:
if user.is_active:
auth_login(request, user)