stages/user_write: don't update session hash after password change when impersonating

2020-10-18 22:58:05 +02:00 · 2020-10-18 22:58:05 +02:00 · 1d85874f41
parent ff64182ae8
commit 1d85874f41
2 changed files with 4 additions and 1 deletions
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@ -18,9 +18,9 @@ from json import dumps
 import structlog
 from celery.schedules import crontab
 from sentry_sdk import init as sentry_init
-from sentry_sdk.integrations.redis import RedisIntegration
 from sentry_sdk.integrations.celery import CeleryIntegration
 from sentry_sdk.integrations.django import DjangoIntegration
+from sentry_sdk.integrations.redis import RedisIntegration

 from passbook import __version__
 from passbook.core.middleware import structlog_add_request_id
--- a/passbook/stages/user_write/stage.py
+++ b/passbook/stages/user_write/stage.py
@ -6,6 +6,7 @@ from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
 from structlog import get_logger

+from passbook.core.middleware import SESSION_IMPERSONATE_USER
 from passbook.core.models import User
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
 from passbook.flows.stage import StageView
@ -41,10 +42,12 @@ class UserWriteStageView(StageView):
        user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
        # Before we change anything, check if the user is the same as in the request
        # and we're updating a password. In that case we need to update the session hash
+        # Also check that we're not currently impersonating, so we don't update the session
        should_update_seesion = False
        if (
            any(["password" in x for x in data.keys()])
            and self.request.user.pk == user.pk
+            and SESSION_IMPERSONATE_USER not in self.request.session
        ):
            should_update_seesion = True
        for key, value in data.items():