]> git.openstreetmap.org Git - rails.git/commitdiff
Don't allow deleted users to be confirmed
authorTom Hughes <tom@compton.nu>
Thu, 1 Apr 2021 16:23:43 +0000 (17:23 +0100)
committerTom Hughes <tom@compton.nu>
Thu, 1 Apr 2021 16:28:03 +0000 (17:28 +0100)
app/controllers/users_controller.rb
test/controllers/users_controller_test.rb

index ca3726210040b54d0423faed59a21c7a38749641..e389f6fbf1a7cfd4f9f3763a7f712d13ebe136ea 100644 (file)
@@ -280,6 +280,8 @@ class UsersController < ApplicationController
       elsif !token || token.expired?
         flash[:error] = t("users.confirm.unknown token")
         redirect_to :action => "confirm"
       elsif !token || token.expired?
         flash[:error] = t("users.confirm.unknown token")
         redirect_to :action => "confirm"
+      elsif !token.user.visible?
+        render_unknown_user token.user.display_name
       else
         user = token.user
         user.status = "active"
       else
         user = token.user
         user.status = "active"
@@ -309,14 +311,14 @@ class UsersController < ApplicationController
         end
       end
     else
         end
       end
     else
-      user = User.find_by(:display_name => params[:display_name])
+      user = User.visible.find_by(:display_name => params[:display_name])
 
       redirect_to root_path if user.nil? || user.active?
     end
   end
 
   def confirm_resend
 
       redirect_to root_path if user.nil? || user.active?
     end
   end
 
   def confirm_resend
-    user = User.find_by(:display_name => params[:display_name])
+    user = User.visible.find_by(:display_name => params[:display_name])
     token = UserToken.find_by(:token => session[:token])
 
     if user.nil? || token.nil? || token.user != user
     token = UserToken.find_by(:token => session[:token])
 
     if user.nil? || token.nil? || token.user != user
index 6cefcaa93b47ef052184637e3d13e3f757eca52e..d5b915a85fc1c1f360f2d81e9cdaeb67f68d68f5 100644 (file)
@@ -523,6 +523,26 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     assert_match(/already been confirmed/, flash[:error])
   end
 
     assert_match(/already been confirmed/, flash[:error])
   end
 
+  def test_confirm_deleted
+    user = build(:user, :pending)
+    stub_gravatar_request(user.email)
+    post user_new_path, :params => { :user => user.attributes }
+    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
+    confirm_string = User.find_by(:email => user.email).tokens.create.token
+
+    User.find_by(:display_name => user.display_name).update(:status => "deleted")
+
+    # Get the confirmation page
+    get user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
+    assert_response :redirect
+    assert_redirected_to root_path
+
+    # Confirm the user
+    post user_confirm_path, :params => { :display_name => user.display_name, :confirm_string => confirm_string }
+    assert_response :not_found
+    assert_template :no_such_user
+  end
+
   def test_confirm_resend_success
     user = build(:user, :pending)
     post user_new_path, :params => { :user => user.attributes }
   def test_confirm_resend_success
     user = build(:user, :pending)
     post user_new_path, :params => { :user => user.attributes }
@@ -561,6 +581,24 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     assert_match "User #{user.display_name} not found.", flash[:error]
   end
 
     assert_match "User #{user.display_name} not found.", flash[:error]
   end
 
+  def test_confirm_resend_deleted
+    user = build(:user, :pending)
+    post user_new_path, :params => { :user => user.attributes }
+    post user_save_path, :params => { :read_ct => 1, :read_tou => 1 }
+
+    User.find_by(:display_name => user.display_name).update(:status => "deleted")
+
+    assert_no_difference "ActionMailer::Base.deliveries.size" do
+      perform_enqueued_jobs do
+        get user_confirm_resend_path(user)
+      end
+    end
+
+    assert_response :redirect
+    assert_redirected_to login_path
+    assert_match "User #{user.display_name} not found.", flash[:error]
+  end
+
   def test_confirm_resend_unknown_user
     assert_no_difference "ActionMailer::Base.deliveries.size" do
       perform_enqueued_jobs do
   def test_confirm_resend_unknown_user
     assert_no_difference "ActionMailer::Base.deliveries.size" do
       perform_enqueued_jobs do