WoTTsecurity · vpetersson · May 23, 2019 · May 22, 2019 · May 22, 2019 · May 22, 2019
diff --git a/backend/device_registry/templates/claim_device.html b/backend/device_registry/templates/claim_device.html
@@ -10,7 +10,12 @@ <h1 style="margin-bottom: 0">Claim Device</h1>
   <!-- claim_device.html -->
     {% if alert_style %}
     <div class="alert alert-{{ alert_style }} p-2" style="color: black" role="alert">
-      {{ alert_text }}
+      <style>
+        .claim-link {
+          color: white;
+        }
+      </style>
+      {{ alert_text|safe }}
     </div>
     {% endif %}
 

diff --git a/backend/device_registry/tests.py b/backend/device_registry/tests.py
@@ -419,12 +419,16 @@ def test_average_trust_score(self):
 class ClaimLinkTest(TestCase):
     def setUp(self):
         User = get_user_model()
+        self.url = reverse('claim-device')
+
         self.api = RequestFactory()
         self.device0 = Device.objects.create(
             device_id='device0.d.wott-dev.local',
             claim_token='token'
         )
         self.user0 = User.objects.create_user('test')
+        self.user0.set_password('123')
+        self.user0.save()
 
     def test_claim_get_view(self):
         request = self.api.get(
@@ -443,6 +447,22 @@ def test_claim_get_404(self):
         response = claim_by_link(request)
         self.assertEqual(response.status_code, 404)
 
+    def test_claim_post_invalid(self):
+        self.client.login(username='test', password='123')
+        form_data = {
+            'device_id': self.device0.device_id,
+            'claim_token': 'invalid'
+        }
+        response = self.client.post(self.url, form_data)
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'Invalid claim/device id pair.')
+
+    def test_claim_get_invalid(self):
+        self.client.login(username='test', password='123')
+        response = self.client.get(f"{reverse('claim-device')}?device_id=invalid&claim_token=invalid")
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'Invalid claim/device id pair.')
+
 
 class CertTest(TestCase):
     def setUp(self):

diff --git a/backend/device_registry/views.py b/backend/device_registry/views.py
@@ -44,25 +44,36 @@ def claim_device_view(request):
         form = ClaimDeviceForm(request.POST)
 
         if form.is_valid():
-            get_device = get_object_or_404(
-                Device,
-                device_id=form.cleaned_data['device_id']
-            )
-            if get_device.claimed:
-                text, style = 'Device has already been claimed.', 'warning'
-            elif not get_device.claim_token == form.cleaned_data['claim_token']:
+            try:
+                get_device = Device.objects.get(
+                    device_id=form.cleaned_data['device_id']
+                )
+                if get_device.claimed:
+                    text, style = 'Device has already been claimed.', 'warning'
+                elif not get_device.claim_token == form.cleaned_data['claim_token']:
+                    text, style = 'Invalid claim/device id pair.', 'warning'
+                else:
+                    get_device.owner = request.user
+                    get_device.save()
+                    text, style = f'Successfully claimed &nbsp;<a class="claim-link" href="{reverse("device-detail-security", kwargs={"pk": get_device.pk})}">' \
+                                      f'{format(form.cleaned_data["device_id"])}</a>.', \
+                                  'success'
+            except Device.DoesNotExist:
                 text, style = 'Invalid claim/device id pair.', 'warning'
-            else:
-                get_device.owner = request.user
-                get_device.save()
-                text, style = 'Successfully claimed {}.'.format(form.cleaned_data['device_id']), 'success'
 
     # GET with claim_token and device_id set will fill the form.
     # Empty GET or any other request will generate empty form.
     if request.method == 'GET' and \
         'claim_token' in request.GET and \
             'device_id' in request.GET:
-        form = ClaimDeviceForm(request.GET)
+        try:
+            Device.objects.get(
+                device_id=request.GET['device_id']
+            )
+            form = ClaimDeviceForm(request.GET)
+        except Device.DoesNotExist:
+            text, style = 'Invalid claim/device id pair.', 'warning'
+            form = ClaimDeviceForm()
     else:
         form = ClaimDeviceForm()