lino.jorzick
/
greenlight
forked from External/greenlight
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed issue with account activation allowing it to be circumvented (#2324)

This commit is contained in:
Ahmad Farhat 2020-12-01 18:21:09 -05:00 committed by GitHub
parent 81907d0285
commit 95b86b167e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
app/controllers/account_activations_controller.rb
View File

@ -20,7 +20,8 @@ class AccountActivationsController < ApplicationController
include Emailer include Emailer
before_action :ensure_unauthenticated before_action :ensure_unauthenticated
before_action :find_user before_action :find_user_by_token, only: :edit
before_action :find_user_by_digest, only: :resend
# GET /account_activations # GET /account_activations
def show def show
@ -59,19 +60,17 @@ class AccountActivationsController < ApplicationController
private private
def find_user def find_user_by_token
digest = if params[:token].present? return redirect_to root_path, flash: { alert: I18n.t("verify.invalid") } unless params[:token].present?
User.hash_token(params[:token])
elsif params[:digest].present?
params[:digest]
else
raise "Missing token/digest params"
end
@user = User.find_by!(activation_digest: digest, provider: @user_domain) @user = User.find_by!(activation_digest: User.hash_token(params[:token]), provider: @user_domain)
end
def find_user_by_digest
@user = User.find_by!(activation_digest: params[:digest], provider: @user_domain)
end end
def ensure_unauthenticated def ensure_unauthenticated
redirect_to current_user.main_room if current_user redirect_to current_user.main_room || root_path if current_user
end end
end end

4
spec/controllers/account_activations_controller_spec.rb
View File

@ -85,7 +85,7 @@ describe AccountActivationsController, type: :controller do
it "resends the email to the current user if the resend button is clicked" do it "resends the email to the current user if the resend button is clicked" do
user = create(:user, email_verified: false, provider: "greenlight") user = create(:user, email_verified: false, provider: "greenlight")
expect { get :resend, params: { token: user.create_activation_token } } expect { get :resend, params: { digest: User.hash_token(user.create_activation_token) } }
.to change { ActionMailer::Base.deliveries.count }.by(1) .to change { ActionMailer::Base.deliveries.count }.by(1)
expect(flash[:success]).to be_present expect(flash[:success]).to be_present
expect(response).to redirect_to(root_path) expect(response).to redirect_to(root_path)
@ -94,7 +94,7 @@ describe AccountActivationsController, type: :controller do
it "redirects a verified user to the root path" do it "redirects a verified user to the root path" do
user = create(:user, provider: "greenlight") user = create(:user, provider: "greenlight")
get :resend, params: { token: user.create_activation_token } get :resend, params: { digest: User.hash_token(user.create_activation_token) }
expect(flash[:alert]).to be_present expect(flash[:alert]).to be_present
expect(response).to redirect_to(root_path) expect(response).to redirect_to(root_path)