From 80101b0ca00f8861a8db46a5071cb34f26c409b5 Mon Sep 17 00:00:00 2001
From: Anton Krytskyi
Date: Tue, 5 Aug 2025 11:55:25 +0300
Subject: [PATCH 1/2] remove csrf protection from reset password endpoint

---
 api/users/views.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/api/users/views.py b/api/users/views.py
index 6387bcbcea9..a0ea1e171ee 100644
--- a/api/users/views.py
+++ b/api/users/views.py
@@ -897,7 +897,6 @@ def get(self, request, *args, **kwargs):
             )
         return Response(status=status.HTTP_200_OK, data={'message': status_message, 'kind': kind, 'institutional': institutional})
 
-    @method_decorator(csrf_protect)
     def post(self, request, *args, **kwargs):
         serializer = self.get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)

From 00f0e6d74c62db96664f6b0051dd3b06f0f3c88e Mon Sep 17 00:00:00 2001
From: Anton Krytskyi
Date: Tue, 5 Aug 2025 12:13:47 +0300
Subject: [PATCH 2/2] update test

---
 api_tests/users/views/test_user_settings.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/api_tests/users/views/test_user_settings.py b/api_tests/users/views/test_user_settings.py
index cd4e25ff654..80f75303cdf 100644
--- a/api_tests/users/views/test_user_settings.py
+++ b/api_tests/users/views/test_user_settings.py
@@ -211,8 +211,7 @@ def test_get_invalid_email(self, app, url):
         assert res.status_code == 200
         assert not mock_send_mail.called
 
-    def test_post(self, app, url, user_one, csrf_token):
-        app.set_cookie(CSRF_COOKIE_NAME, csrf_token)
+    def test_post(self, app, url, user_one):
         encoded_email = urllib.parse.quote(user_one.email)
         url = f'{url}?email={encoded_email}'
         res = app.get(url)
@@ -227,7 +226,7 @@ def test_post(self, app, url, user_one, csrf_token):
             }
         }
 
-        res = app.post_json_api(url, payload, headers={'X-CSRFToken': csrf_token})
+        res = app.post_json_api(url, payload)
         user_one.reload()
         assert res.status_code == 200
         assert user_one.check_password('password2')
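Review bot: Dropping `@method_decorator(csrf_protect)` from `post` leaves no record of why a POST that ends up setting a new password (the companion test asserts `user_one.check_password('password2')` afterwards) no longer needs a CSRF check, and nothing in the hunk stands in for it. Whether a cross-site form submission can now reach this handler depends on the view's authentication classes, which are outside the hunk: if session authentication applies and nothing in the request body gates the change, the removal widens exposure rather than just simplifying the view. If the request is meant to be authorised by something carried in the payload rather than by a session, state that on the method, e.g. `# No CSRF check: this POST is not session-authenticated; the reset is authorised by the payload alone, not by a cookie.`, and confirm the view's authentication setup actually matches that comment before merging. Both `get` and `post` extend beyond the hunk, so the gating logic itself cannot be verified from here.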
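Review bot: `test_post` now covers only the path where no CSRF token is sent and the request succeeds, so the suite no longer records what the endpoint is expected to reject; a one-line comment on the test, e.g. `# Endpoint is intentionally CSRF-exempt; the reset is authorised by the request payload (see views.py).`, adjusted to the real mechanism, would preserve the intent the removed `csrf_token` fixture used to imply. The same removal appears in the second hunk of this file (`res = app.post_json_api(url, payload)`), so one comment at the definition suffices. If the view still relies on some other check for this request, a companion negative test asserting a non-200 status when that check is missing would make the change verifiable rather than just passing. The payload construction and the rest of `test_post` lie between the two hunks, outside what is shown.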