## cut off limit for large diffs (size in bytes)

cut_off_limit = 256000

## force https in Kallithea, fixes https redirects, assumes it's always https

force_https = false

## use Strict-Transport-Security headers

use_htsts = false

## number of commits stats will parse on each iteration

commit_parse_limit = 25

## Path to Python executable to be used for git hooks.

## This value will be written inside the git hook scripts as the text

## after '#!' (shebang). When empty or not defined, the value of

## 'sys.executable' at the time of installation of the git hooks is

## used, which is correct in many cases but for example not when using uwsgi.

## If you change this setting, you should reinstall the Git hooks via

## Admin > Settings > Remap and Rescan.

# git_hook_interpreter = /srv/kallithea/venv/bin/python2

## path to git executable

git_path = git

## git rev filter option, --all is the default filter, if you need to

## hide all refs in changelog switch this to --branches --tags

#git_rev_filter = --branches --tags

## RSS feed options

rss_cut_off_limit = 256000

rss_items_per_page = 10

rss_include_diff = false

## options for showing and identifying changesets

show_sha_length = 12

show_revision_number = false

## Canonical URL to use when creating full URLs in UI and texts.

## Useful when the site is available under different names or protocols.

## Defaults to what is provided in the WSGI environment.

#canonical_url = https://kallithea.example.com/repos

## gist URL alias, used to create nicer urls for gist. This should be an

## url that does rewrites to _admin/gists/<gistid>.

## example: http://gist.example.com/{gistid}. Empty means use the internal

## Kallithea url, ie. http[s]://kallithea.example.com/_admin/gists/<gistid>

gist_alias_url =

## default encoding used to convert from and to unicode

## can be also a comma separated list of encoding in case of mixed encodings

default_encoding = utf-8

## Set Mercurial encoding, similar to setting HGENCODING before launching Kallithea

hgencoding = utf-8

## issue tracker for Kallithea (leave blank to disable, absent for default)

#bugtracker = https://bitbucket.org/conservancy/kallithea/issues

## issue tracking mapping for commit messages, comments, PR descriptions, ...

## Refer to the documentation ("Integration with issue trackers") for more details.

## regular expression to match issue references

## This pattern may/should contain parenthesized groups, that can

## be referred to in issue_server_link or issue_sub using Python backreferences

## (e.g. \1, \2, ...). You can also create named groups with '(?P<groupname>)'.

## To require mandatory whitespace before the issue pattern, use:

## (?:^|(?<=\s)) before the actual pattern, and for mandatory whitespace

## behind the issue pattern, use (?:$|(?=\s)) after the actual pattern.

issue_pat = #(\d+)

## server url to the issue

## This pattern may/should contain backreferences to parenthesized groups in issue_pat.

## A backreference can be \1, \2, ... or \g<groupname> if you specified a named group

## called 'groupname' in issue_pat.

## The special token {repo} is replaced with the full repository name

## including repository groups, while {repo_name} is replaced with just

## the name of the repository.

issue_server_link = https://issues.example.com/{repo}/issue/\1

## substitution pattern to use as the link text

## If issue_sub is empty, the text matched by issue_pat is retained verbatim

## for the link text. Otherwise, the link text is that of issue_sub, with any

## backreferences to groups in issue_pat replaced.

issue_sub =

## issue_pat, issue_server_link and issue_sub can have suffixes to specify

## multiple patterns, to other issues server, wiki or others

## below an example how to create a wiki pattern

# wiki-some-id -> https://wiki.example.com/some-id

#issue_pat_wiki = wiki-(\S+)

#issue_server_link_wiki = https://wiki.example.com/\1

#issue_sub_wiki = WIKI-\1

            "comment_id": "<comment_id>",

          },

          ...

        ],

        "owner": "<username>",

        "statuses": [

          {

            "status": "<status_of_review>",        # "under_review", "approved" or "rejected"

            "reviewer": "<user_name>",

            "modified_at": "<date_time_of_review>" # iso 8601 date, server's timezone

          },

          ...

        ],

        "revisions": [

          "<raw_id>",

          ...

        ]

    },

    error:  null

comment_pullrequest

^^^^^^^^^^^^^^^^^^^

Add comment, change status or close a given pull request. This command can only be executed

using the api_key of a user with read permissions to the original repository.

INPUT::

    id : <id_for_response>

    api_key : "<api_key>"

    method  : "comment_pullrequest"

    args:     {

                "pull_request_id":  "<pull_request_id>",

                "comment_msg":      Optional(''),

                "status":           Optional(None),     # "under_review", "approved" or "rejected"

                "close_pr":         Optional(False)",

              }

OUTPUT::

    id : <id_given_in_input>

    result: True

    error:  null

API access for web views

------------------------

    Authentication: Bearer <api_key>

Alternatively, the API key can be passed in the URL query string using

``?api_key=<api_key>``, though this is not recommended due to the increased

risk of API key leaks, and support will likely be removed in the future.

Exposing raw diffs is a good way to integrate with

third-party services like code review, or build farms that can download archives.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.controllers.feed

~~~~~~~~~~~~~~~~~~~~~~~~~~

Feed controller for Kallithea

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Apr 23, 2010

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

from tg import response, tmpl_context as c

from tg.i18n import ugettext as _

from beaker.cache import cache_region, region_invalidate

from webhelpers.feedgenerator import Atom1Feed, Rss201rev2Feed

from kallithea import CONFIG

from kallithea.lib import helpers as h

from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator

from kallithea.lib.base import BaseRepoController

from kallithea.lib.diffs import DiffProcessor

from kallithea.model.db import CacheInvalidation

from kallithea.lib.utils2 import safe_int, str2bool, safe_unicode

log = logging.getLogger(__name__)

language = 'en-us'

ttl = "5"

class FeedController(BaseRepoController):

    @HasRepoPermissionLevelDecorator('read')

    def _before(self, *args, **kwargs):

        super(FeedController, self)._before(*args, **kwargs)

    def _get_title(self, cs):

        return h.shorter(cs.message, 160)

    def __get_desc(self, cs):

        desc_msg = [(_('%s committed on %s')

                     % (h.person(cs.author), h.fmt_date(cs.date))) + '<br/>']

        # branches, tags, bookmarks

        for branch in cs.branches:

            desc_msg.append('branch: %s<br/>' % branch)

        for book in cs.bookmarks:

            desc_msg.append('bookmark: %s<br/>' % book)

        for tag in cs.tags:

            desc_msg.append('tag: %s<br/>' % tag)

        changes = []

        diff_limit = safe_int(CONFIG.get('rss_cut_off_limit', 32 * 1024))

        raw_diff = cs.diff()

        diff_processor = DiffProcessor(raw_diff,

                                       diff_limit=diff_limit,

                                       inline_diff=False)

        for st in diff_processor.parsed:

            st.update({'added': st['stats']['added'],

                       'removed': st['stats']['deleted']})

            changes.append('\n %(operation)s %(filename)s '

                           '(%(added)s lines added, %(removed)s lines removed)'

                            % st)

        if diff_processor.limited_diff:

            changes = changes + ['\n ' +

                                 _('Changeset was too big and was cut off...')]

        # rev link

        _url = h.canonical_url('changeset_home', repo_name=c.db_repo.repo_name,

                   revision=cs.raw_id)

        desc_msg.append('changeset: <a href="%s">%s</a>' % (_url, cs.raw_id[:8]))

        desc_msg.append('<pre>')

        desc_msg.append(h.urlify_text(cs.message))

        desc_msg.append('\n')

        desc_msg.extend(changes)

        if str2bool(CONFIG.get('rss_include_diff', False)):

            desc_msg.append('\n\n')

            desc_msg.append(raw_diff)

        desc_msg.append('</pre>')

            title = "%s - %s %s" % (user.short_contact, action(),

                                    entry.repository.repo_name)

            desc = action_extra()

            _url = None

            if entry.repository is not None:

                _url = h.canonical_url('changelog_home',

                           repo_name=entry.repository.repo_name)

            feed.add_item(title=title,

                          pubdate=entry.action_date,

                          link=_url or h.canonical_url(''),

                          author_email=user.email,

                          author_name=user.full_contact,

                          description=desc)

        response.content_type = feed.mime_type

        return feed.writeString('utf-8')

    @LoginRequired()

    def index(self):

        # Return a rendered template

        p = safe_int(request.GET.get('page'), 1)

        c.user = User.get(request.authuser.user_id)

        c.following = UserFollowing.query() \

            .filter(UserFollowing.user_id == request.authuser.user_id) \

            .options(joinedload(UserFollowing.follows_repository)) \

            .all()

        journal = self._get_journal_data(c.following)

        def url_generator(**kw):

            return url.current(filter=c.search_term, **kw)

        c.journal_pager = Page(journal, page=p, items_per_page=20, url=url_generator)

        c.journal_day_aggregate = self._get_daily_aggregate(c.journal_pager)

        if request.environ.get('HTTP_X_PARTIAL_XHR'):

            return render('journal/journal_data.html')

        repos_list = Repository.query(sorted=True) \

            .filter_by(owner_id=request.authuser.user_id).all()

        repos_data = RepoModel().get_repos_as_dict(repos_list, admin=True)

        # data used to render the grid

        c.data = repos_data

        return render('journal/journal.html')

    def journal_atom(self):

        """

        Produce an atom-1.0 feed via feedgenerator module

        """

        following = UserFollowing.query() \

            .filter(UserFollowing.user_id == request.authuser.user_id) \

            .options(joinedload(UserFollowing.follows_repository)) \

            .all()

        return self._atom_feed(following, public=False)

    def journal_rss(self):

        """

        Produce an rss feed via feedgenerator module

        """

        following = UserFollowing.query() \

            .filter(UserFollowing.user_id == request.authuser.user_id) \

            .options(joinedload(UserFollowing.follows_repository)) \

            .all()

        return self._rss_feed(following, public=False)

    @LoginRequired()

    def toggle_following(self):

        user_id = request.POST.get('follows_user_id')

        if user_id:

            try:

                self.scm_model.toggle_following_user(user_id,

                                            request.authuser.user_id)

                Session().commit()

                return 'ok'

            except Exception:

                log.error(traceback.format_exc())

                raise HTTPBadRequest()

        repo_id = request.POST.get('follows_repository_id')

        if repo_id:

            try:

                self.scm_model.toggle_following_repo(repo_id,

                                            request.authuser.user_id)

                Session().commit()

                return 'ok'

            except Exception:

                log.error(traceback.format_exc())

                raise HTTPBadRequest()

        raise HTTPBadRequest()

    @LoginRequired(allow_default_user=True)

    def public_journal(self):

        # Return a rendered template

        p = safe_int(request.GET.get('page'), 1)

        c.following = UserFollowing.query() \

            .filter(UserFollowing.user_id == request.authuser.user_id) \

            .options(joinedload(UserFollowing.follows_repository)) \

            .all()

        journal = self._get_journal_data(c.following)

        c.journal_pager = Page(journal, page=p, items_per_page=20)

        c.journal_day_aggregate = self._get_daily_aggregate(c.journal_pager)

        if request.environ.get('HTTP_X_PARTIAL_XHR'):

            return render('journal/journal_data.html')

        return render('journal/public_journal.html')

    def public_journal_atom(self):

        """

        Produce an atom-1.0 feed via feedgenerator module

        """

        c.following = UserFollowing.query() \

            .filter(UserFollowing.user_id == request.authuser.user_id) \

            .options(joinedload(UserFollowing.follows_repository)) \

            .all()

        return self._atom_feed(c.following)

    def public_journal_rss(self):

        """

        Produce an rss2 feed via feedgenerator module

        """

        c.following = UserFollowing.query() \

            .filter(UserFollowing.user_id == request.authuser.user_id) \

            .options(joinedload(UserFollowing.follows_repository)) \

            .all()

        return self._rss_feed(c.following)

     .filter(UserGroupMember.user_id == user_id) \

     .all()

    for perm in user_repo_group_perms_from_users_groups:

        bump_permission(GK,

            perm.UserGroupRepoGroupToPerm.group.group_name,

            perm.Permission.permission_name)

    # user explicit permissions for repository groups

    user_repo_groups_perms = Permission.get_default_group_perms(user_id)

    for perm in user_repo_groups_perms:

        bump_permission(GK,

            perm.UserRepoGroupToPerm.group.group_name,

            perm.Permission.permission_name)

    #======================================================================

    # !! PERMISSIONS FOR USER GROUPS !!

    #======================================================================

    # user group for user group permissions

    user_group_user_groups_perms = \

     Session().query(UserGroupUserGroupToPerm, Permission, UserGroup) \

     .join((UserGroup, UserGroupUserGroupToPerm.target_user_group_id

            == UserGroup.users_group_id)) \

     .join((Permission, UserGroupUserGroupToPerm.permission_id

            == Permission.permission_id)) \

     .join((UserGroupMember, UserGroupUserGroupToPerm.user_group_id

            == UserGroupMember.users_group_id)) \

     .filter(UserGroupMember.user_id == user_id) \

     .join((UserGroup, UserGroupMember.users_group_id ==

            UserGroup.users_group_id), aliased=True, from_joinpoint=True) \

     .filter(UserGroup.users_group_active == True) \

     .all()

    for perm in user_group_user_groups_perms:

        bump_permission(UK,

            perm.UserGroupUserGroupToPerm.target_user_group.users_group_name,

            perm.Permission.permission_name)

    # user explicit permission for user groups

    user_user_groups_perms = Permission.get_default_user_group_perms(user_id)

    for perm in user_user_groups_perms:

        bump_permission(UK,

            perm.UserUserGroupToPerm.user_group.users_group_name,

            perm.Permission.permission_name)

    return permissions

class AuthUser(object):

    """

    Represents a Kallithea user, including various authentication and

    authorization information. Typically used to store the current user,

    but is also used as a generic user information data structure in

    parts of the code, e.g. user management.

    Constructed from a database `User` object, a user ID or cookie dict,

    it looks up the user (if needed) and copies all attributes to itself,

    adding various non-persistent data. If lookup fails but anonymous

    access to Kallithea is enabled, the default user is loaded instead.

    `AuthUser` does not by itself authenticate users and the constructor

    sets the `is_authenticated` field to False. It's up to other parts

    of the code to check e.g. if a supplied password is correct, and if

    so, set `is_authenticated` to True.

    However, `AuthUser` does refuse to load a user that is not `active`.

    Note that Kallithea distinguishes between the default user (an actual

    user in the database with username "default") and "no user" (no actual

    User object, AuthUser filled with blank values and username "None").

    If the default user is active, that will always be used instead of

    "no user". On the other hand, if the default user is disabled (and

    there is no login information), we instead get "no user"; this should

    only happen on the login page (as all other requests are redirected).

    `is_default_user` specifically checks if the AuthUser is the user named

    "default". Use `is_anonymous` to check for both "default" and "no user".

    """

    def __init__(self, user_id=None, dbuser=None, authenticating_api_key=None,

            is_external_auth=False):

        self.is_authenticated = False

        self.is_external_auth = is_external_auth

        self.authenticating_api_key = authenticating_api_key

        # These attributes will be overridden by fill_data, below, unless the

        # requested user cannot be found and the default anonymous user is

        # not enabled.

        self.user_id = None

        self.username = None

        self.api_key = None

        self.name = ''

        self.lastname = ''

        self.email = ''

                # since we use heavy caching sometimes it happens that we get

                # deleted objects here, we just skip them

                pass

        return _set or set(['0.0.0.0/0', '::/0'])

def set_available_permissions(config):

    """

    This function will propagate globals with all available defined

    permission given in db. We don't want to check each time from db for new

    permissions since adding a new permission also requires application restart

    ie. to decorate new views with the newly created permission

    :param config: current config instance

    """

    log.info('getting information about all available permissions')

    try:

        all_perms = Session().query(Permission).all()

        config['available_permissions'] = [x.permission_name for x in all_perms]

    finally:

        Session.remove()

#==============================================================================

# CHECK DECORATORS

#==============================================================================

def _redirect_to_login(message=None):

    """Return an exception that must be raised. It will redirect to the login

    page which will redirect back to the current URL after authentication.

    The optional message will be shown in a flash message."""

    from kallithea.lib import helpers as h

    if message:

        h.flash(message, category='warning')

    p = request.path_qs

    log.debug('Redirecting to login page, origin: %s', p)

    return HTTPFound(location=url('login_home', came_from=p))

# Use as decorator

class LoginRequired(object):

    """Client must be logged in as a valid User, or we'll redirect to the login

    page.

    If the "default" user is enabled and allow_default_user is true, that is

    considered valid too.

    """

        self.allow_default_user = allow_default_user

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        controller = fargs[0]

        user = request.authuser

        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)

        log.debug('Checking access for user %s @ %s', user, loc)

        # Check if we used an API key to authenticate.

            log.info('user %s authenticated with API key ****%s @ %s',

            return func(*fargs, **fkwargs)

        # CSRF protection: Whenever a request has ambient authority (whether

        # through a session cookie or its origin IP address), it must include

        # the correct token, unless the HTTP method is GET or HEAD (and thus

        # guaranteed to be side effect free. In practice, the only situation

        # where we allow side effects without ambient authority is when the

        # authority comes from an API key; and that is handled above.

        if request.method not in ['GET', 'HEAD']:

            token = request.POST.get(secure_form.token_key)

            if not token or token != secure_form.authentication_token():

                log.error('CSRF check failed')

                raise HTTPForbidden()

        # regular user authentication

        if user.is_authenticated:

            log.info('user %s authenticated with regular auth @ %s', user, loc)

            return func(*fargs, **fkwargs)

        elif user.is_default_user:

            if self.allow_default_user:

                log.info('default user @ %s', loc)

                return func(*fargs, **fkwargs)

            log.info('default user is not accepted here @ %s', loc)

        else:

            log.warning('user %s NOT authenticated with regular auth @ %s', user, loc)

        raise _redirect_to_login()

# Use as decorator

class NotAnonymous(object):

    """Ensures that client is not logged in as the "default" user, and

    redirects to the login page otherwise. Must be used together with

    LoginRequired."""

    def __call__(self, func):

        return decorator(self.__wrapper, func)

    def __wrapper(self, func, *fargs, **fkwargs):

        cls = fargs[0]

        user = request.authuser

        log.debug('Checking that user %s is not anonymous @%s', user.username, cls)

        if user.is_default_user:

            raise _redirect_to_login(_('You need to be a registered user to '

                                       'perform this action'))

        else:

            return func(*fargs, **fkwargs)

<%text>## force https in Kallithea, fixes https redirects, assumes it's always https</%text>

force_https = false

<%text>## use Strict-Transport-Security headers</%text>

use_htsts = false

<%text>## number of commits stats will parse on each iteration</%text>

commit_parse_limit = 25

<%text>## Path to Python executable to be used for git hooks.</%text>

<%text>## This value will be written inside the git hook scripts as the text</%text>

<%text>## after '#!' (shebang). When empty or not defined, the value of</%text>

<%text>## 'sys.executable' at the time of installation of the git hooks is</%text>

<%text>## used, which is correct in many cases but for example not when using uwsgi.</%text>

<%text>## If you change this setting, you should reinstall the Git hooks via</%text>

<%text>## Admin > Settings > Remap and Rescan.</%text>

# git_hook_interpreter = /srv/kallithea/venv/bin/python2

%if git_hook_interpreter:

git_hook_interpreter = ${git_hook_interpreter}

%endif

<%text>## path to git executable</%text>

git_path = git

<%text>## git rev filter option, --all is the default filter, if you need to</%text>

<%text>## hide all refs in changelog switch this to --branches --tags</%text>

#git_rev_filter = --branches --tags

<%text>## RSS feed options</%text>

rss_cut_off_limit = 256000

rss_items_per_page = 10

rss_include_diff = false

<%text>## options for showing and identifying changesets</%text>

show_sha_length = 12

show_revision_number = false

<%text>## Canonical URL to use when creating full URLs in UI and texts.</%text>

<%text>## Useful when the site is available under different names or protocols.</%text>

<%text>## Defaults to what is provided in the WSGI environment.</%text>

#canonical_url = https://kallithea.example.com/repos

<%text>## gist URL alias, used to create nicer urls for gist. This should be an</%text>

<%text>## url that does rewrites to _admin/gists/<gistid>.</%text>

<%text>## example: http://gist.example.com/{gistid}. Empty means use the internal</%text>

<%text>## Kallithea url, ie. http[s]://kallithea.example.com/_admin/gists/<gistid></%text>

gist_alias_url =

<%text>## default encoding used to convert from and to unicode</%text>

<%text>## can be also a comma separated list of encoding in case of mixed encodings</%text>

default_encoding = utf-8

<%text>## Set Mercurial encoding, similar to setting HGENCODING before launching Kallithea</%text>

hgencoding = utf-8

<%text>## issue tracker for Kallithea (leave blank to disable, absent for default)</%text>

#bugtracker = https://bitbucket.org/conservancy/kallithea/issues

<%text>## issue tracking mapping for commit messages, comments, PR descriptions, ...</%text>

<%text>## Refer to the documentation ("Integration with issue trackers") for more details.</%text>

<%text>## regular expression to match issue references</%text>

<%text>## This pattern may/should contain parenthesized groups, that can</%text>

<%text>## be referred to in issue_server_link or issue_sub using Python backreferences</%text>

<%text>## (e.g. \1, \2, ...). You can also create named groups with '(?P<groupname>)'.</%text>

<%text>## To require mandatory whitespace before the issue pattern, use:</%text>

<%text>## (?:^|(?<=\s)) before the actual pattern, and for mandatory whitespace</%text>

<%text>## behind the issue pattern, use (?:$|(?=\s)) after the actual pattern.</%text>

issue_pat = #(\d+)

<%text>## server url to the issue</%text>

<%text>## This pattern may/should contain backreferences to parenthesized groups in issue_pat.</%text>

<%text>## A backreference can be \1, \2, ... or \g<groupname> if you specified a named group</%text>

<%text>## called 'groupname' in issue_pat.</%text>

<%text>## The special token {repo} is replaced with the full repository name</%text>

<%text>## including repository groups, while {repo_name} is replaced with just</%text>

<%text>## the name of the repository.</%text>

issue_server_link = https://issues.example.com/{repo}/issue/\1

<%text>## substitution pattern to use as the link text</%text>

<%text>## If issue_sub is empty, the text matched by issue_pat is retained verbatim</%text>

<%text>## for the link text. Otherwise, the link text is that of issue_sub, with any</%text>

<%text>## backreferences to groups in issue_pat replaced.</%text>

issue_sub =

<%text>## issue_pat, issue_server_link and issue_sub can have suffixes to specify</%text>

<%text>## multiple patterns, to other issues server, wiki or others</%text>

<%text>## below an example how to create a wiki pattern</%text>

# wiki-some-id -> https://wiki.example.com/some-id

#issue_pat_wiki = wiki-(\S+)

#issue_server_link_wiki = https://wiki.example.com/\1

#issue_sub_wiki = WIKI-\1

        # BAD TOKEN

        token = "bad"

        response = self.app.post(url(controller='login',

                                     action='password_reset_confirmation'),

                                 {'email': email,

                                  'timestamp': timestamp,

                                  'password': "p@ssw0rd",

                                  'password_confirm': "p@ssw0rd",

                                  'token': token,

                                 })

        assert response.status == '200 OK'

        response.mustcontain('Invalid password reset token')

        # GOOD TOKEN

        # TODO: The token should ideally be taken from the mail sent

        # above, instead of being recalculated.

        token = UserModel().get_reset_password_token(

            User.get_by_username(username), timestamp, self.authentication_token())

        response = self.app.get(url(controller='login',

                                    action='password_reset_confirmation',

                                    email=email,

                                    timestamp=timestamp,

                                    token=token))

        assert response.status == '200 OK'

        response.mustcontain("You are about to set a new password for the email address %s" % email)

        response = self.app.post(url(controller='login',

                                     action='password_reset_confirmation'),

                                 {'email': email,

                                  'timestamp': timestamp,

                                  'password': "p@ssw0rd",

                                  'password_confirm': "p@ssw0rd",

                                  'token': token,

                                 })

        assert response.status == '302 Found'

        self.checkSessionFlash(response, 'Successfully updated password')

        response = response.follow()

    #==========================================================================

    # API

    #==========================================================================

    def _api_key_test(self, api_key, status):

        """Verifies HTTP status code for accessing an auth-requiring page,

        using the given api_key URL parameter as well as using the API key

        with bearer authentication.

        If api_key is None, no api_key is passed at all. If api_key is True,

        a real, working API key is used.

        """

        with fixture.anon_access(False):

            if api_key is None:

                params = {}

                headers = {}

            else: