merenber
/
greenlight
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed issue with account activation allowing it to be circumvented (#2324)

This commit is contained in:
Ahmad Farhat 2020-12-01 18:21:09 -05:00 committed by GitHub
parent 81907d0285
commit 95b86b167e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
app/controllers/account_activations_controller.rb
View File

@ -20,7 +20,8 @@ class AccountActivationsController < ApplicationController
include Emailer
before_action :ensure_unauthenticated
before_action :find_user
before_action :find_user_by_token, only: :edit
before_action :find_user_by_digest, only: :resend
# GET /account_activations
def show
@ -59,19 +60,17 @@ class AccountActivationsController < ApplicationController
private
def find_user
digest = if params[:token].present?
User.hash_token(params[:token])
elsif params[:digest].present?
params[:digest]
else
raise "Missing token/digest params"
end
def find_user_by_token
return redirect_to root_path, flash: { alert: I18n.t("verify.invalid") } unless params[:token].present?
@user = User.find_by!(activation_digest: digest, provider: @user_domain)
@user = User.find_by!(activation_digest: User.hash_token(params[:token]), provider: @user_domain)
end
def find_user_by_digest
@user = User.find_by!(activation_digest: params[:digest], provider: @user_domain)
end
def ensure_unauthenticated
redirect_to current_user.main_room if current_user
redirect_to current_user.main_room || root_path if current_user
end
end

4
spec/controllers/account_activations_controller_spec.rb
View File

@ -85,7 +85,7 @@ describe AccountActivationsController, type: :controller do
it "resends the email to the current user if the resend button is clicked" do
user = create(:user, email_verified: false, provider: "greenlight")
expect { get :resend, params: { token: user.create_activation_token } }
expect { get :resend, params: { digest: User.hash_token(user.create_activation_token) } }
.to change { ActionMailer::Base.deliveries.count }.by(1)
expect(flash[:success]).to be_present
expect(response).to redirect_to(root_path)
@ -94,7 +94,7 @@ describe AccountActivationsController, type: :controller do
it "redirects a verified user to the root path" do
user = create(:user, provider: "greenlight")
get :resend, params: { token: user.create_activation_token }
get :resend, params: { digest: User.hash_token(user.create_activation_token) }
expect(flash[:alert]).to be_present
expect(response).to redirect_to(root_path)