Merge pull request #91 from mgorny/ensure-credentials-cleaned_up-on-exception

Ensure credentials cleaned up on exception

2 files changed, 12 insertions, 1 deletions

diff --git a/okupy/common/ldap_helpers.py b/okupy/common/ldap_helpers.py
index 5b3e76a..43f3e3e 100644
--- a/okupy/common/ldap_helpers.py
+++ b/okupy/common/ldap_helpers.py
@@ -29,7 +29,11 @@ def get_bound_ldapuser(request, password=None):
         username=username,
         password=password,
     )
-    return bound_cls.objects.get(username=username)
+    try:
+        return bound_cls.objects.get(username=username)
+    except Exception as e:
+        bound_cls.restore_alias()
+        raise e
 
 
 def set_secondary_password(request, password):
diff --git a/okupy/tests/unit/test_ldapuser.py b/okupy/tests/unit/test_ldapuser.py
index 410e9f1..85097aa 100644
--- a/okupy/tests/unit/test_ldapuser.py
+++ b/okupy/tests/unit/test_ldapuser.py
@@ -90,6 +90,13 @@ class LDAPUserUnitTests(TestCase):
         self.assertRaises(ldap.INVALID_CREDENTIALS, get_bound_ldapuser,
                           request, 'test')
 
+    def test_get_bound_ldapuser_invalid_password_cleans_up_settings(self):
+        request = set_request('/', user=vars.USER_ALICE)
+        self.assertRaises(ldap.INVALID_CREDENTIALS, get_bound_ldapuser,
+                          request, 'test')
+        db_alias = 'ldap_%s' % request.session.cache_key
+        self.assertNotIn(db_alias, settings.DATABASES)
+
     def test_get_bound_ldapuser_context_manager_cleans_up_settings(self):
         secondary_password = Random.get_random_bytes(48)
         secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(