Unverified Commit 95b86b16 authored by Ahmad Farhat's avatar Ahmad Farhat Committed by GitHub

Fixed issue with account activation allowing it to be circumvented (#2324)

parent 81907d02
......@@ -20,7 +20,8 @@ class AccountActivationsController < ApplicationController
include Emailer
before_action :ensure_unauthenticated
before_action :find_user
before_action :find_user_by_token, only: :edit
before_action :find_user_by_digest, only: :resend
# GET /account_activations
def show
......@@ -59,19 +60,17 @@ class AccountActivationsController < ApplicationController
private
def find_user
digest = if params[:token].present?
User.hash_token(params[:token])
elsif params[:digest].present?
params[:digest]
else
raise "Missing token/digest params"
def find_user_by_token
return redirect_to root_path, flash: { alert: I18n.t("verify.invalid") } unless params[:token].present?
@user = User.find_by!(activation_digest: User.hash_token(params[:token]), provider: @user_domain)
end
@user = User.find_by!(activation_digest: digest, provider: @user_domain)
def find_user_by_digest
@user = User.find_by!(activation_digest: params[:digest], provider: @user_domain)
end
def ensure_unauthenticated
redirect_to current_user.main_room if current_user
redirect_to current_user.main_room || root_path if current_user
end
end
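Review bot: `find_user_by_digest` has no presence guard, unlike `find_user_by_token` directly above it, so a resend request with no `digest` parameter runs `find_by!(activation_digest: nil, provider: @user_domain)`. That surfaces as a RecordNotFound rather than the `verify.invalid` redirect the token path gives, and because ActiveRecord turns a nil value into an `IS NULL` predicate, any user row in that provider that stores a NULL activation_digest (e.g. an already-verified account, if the app clears the digest) would be selected instead of the lookup failing; the verified-user handling the spec exercises appears to limit the damage, but the lookup should not rely on it. Mirror the token guard: `return redirect_to root_path, flash: { alert: I18n.t("verify.invalid") } unless params[:digest].present?`. Separately, resend stays unauthenticated and keyed only by the digest, so anyone holding that value can trigger repeated mail to the user; throttling is outside this hunk but worth tracking.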
......@@ -85,7 +85,7 @@ describe AccountActivationsController, type: :controller do
it "resends the email to the current user if the resend button is clicked" do
user = create(:user, email_verified: false, provider: "greenlight")
expect { get :resend, params: { token: user.create_activation_token } }
expect { get :resend, params: { digest: User.hash_token(user.create_activation_token) } }
.to change { ActionMailer::Base.deliveries.count }.by(1)
expect(flash[:success]).to be_present
expect(response).to redirect_to(root_path)
......@@ -94,7 +94,7 @@ describe AccountActivationsController, type: :controller do
it "redirects a verified user to the root path" do
user = create(:user, provider: "greenlight")
get :resend, params: { token: user.create_activation_token }
get :resend, params: { digest: User.hash_token(user.create_activation_token) }
expect(flash[:alert]).to be_present
expect(response).to redirect_to(root_path)
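Review bot: The updated specs only switch the resend examples from `token` to `digest`; nothing asserts the behaviour the commit title fixes, namely that `GET edit` given only a `digest` (the value the old `find_user` accepted) no longer activates the account. A regression example would pin that: `get :edit, params: { digest: User.hash_token(user.create_activation_token) }`, then `expect(user.reload.email_verified).to be(false)` and `expect(response).to redirect_to(root_path)`, which is the path the new `find_user_by_token` takes when `token` is absent. The enclosing `describe` block starts outside the hunk.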
......