Skip to content

Commit

Permalink
Check that an invite link is valid before bypassing approval mode (ma…
Browse files Browse the repository at this point in the history
…stodon#10657)

* Check that an invite link is valid before bypassing approval mode

Fixes mastodon#10656

* Add tests

* Only consider valid invite links in registration controller

* fixup
  • Loading branch information
ClearlyClaire authored and Gargron committed May 2, 2019
1 parent 12e26de commit 143147b
Show file tree
Hide file tree
Showing 3 changed files with 86 additions and 2 deletions.
3 changes: 2 additions & 1 deletion app/controllers/auth/registrations_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,8 @@ def set_body_classes
end

def set_invite
@invite = invite_code.present? ? Invite.find_by(code: invite_code) : nil
invite = invite_code.present? ? Invite.find_by(code: invite_code) : nil
@invite = invite&.valid_for_use? ? invite : nil
end

def determine_layout
Expand Down
2 changes: 1 addition & 1 deletion app/models/user.rb
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ def confirmed?
end

def invited?
invite_id.present?
invite_id.present? && invite.valid_for_use?
end

def disable!
Expand Down
83 changes: 83 additions & 0 deletions spec/controllers/auth/registrations_controller_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,89 @@
end
end

context 'approval-based registrations without invite' do
around do |example|
registrations_mode = Setting.registrations_mode
example.run
Setting.registrations_mode = registrations_mode
end

subject do
Setting.registrations_mode = 'approved'
request.headers["Accept-Language"] = accept_language
post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678' } }
end

it 'redirects to login page' do
subject
expect(response).to redirect_to new_user_session_path
end

it 'creates user' do
subject
user = User.find_by(email: 'test@example.com')
expect(user).to_not be_nil
expect(user.locale).to eq(accept_language)
expect(user.approved).to eq(false)
end
end

context 'approval-based registrations with expired invite' do
around do |example|
registrations_mode = Setting.registrations_mode
example.run
Setting.registrations_mode = registrations_mode
end

subject do
Setting.registrations_mode = 'approved'
request.headers["Accept-Language"] = accept_language
invite = Fabricate(:invite, max_uses: nil, expires_at: 1.hour.ago)
post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', 'invite_code': invite.code } }
end

it 'redirects to login page' do
subject
expect(response).to redirect_to new_user_session_path
end

it 'creates user' do
subject
user = User.find_by(email: 'test@example.com')
expect(user).to_not be_nil
expect(user.locale).to eq(accept_language)
expect(user.approved).to eq(false)
end
end

context 'approval-based registrations with valid invite' do
around do |example|
registrations_mode = Setting.registrations_mode
example.run
Setting.registrations_mode = registrations_mode
end

subject do
Setting.registrations_mode = 'approved'
request.headers["Accept-Language"] = accept_language
invite = Fabricate(:invite, max_uses: nil, expires_at: 1.hour.from_now)
post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', 'invite_code': invite.code } }
end

it 'redirects to login page' do
subject
expect(response).to redirect_to new_user_session_path
end

it 'creates user' do
subject
user = User.find_by(email: 'test@example.com')
expect(user).to_not be_nil
expect(user.locale).to eq(accept_language)
expect(user.approved).to eq(true)
end
end

it 'does nothing if user already exists' do
Fabricate(:user, account: Fabricate(:account, username: 'test'))
subject
Expand Down

0 comments on commit 143147b

Please sign in to comment.