Merge branch 'master' into glitch-soc/merge-upstream

Conflicts: - app/controllers/application_controller.rb - app/controllers/auth/confirmations_controller.rb - app/controllers/auth/sessions_controller.rb - app/controllers/settings/deletes_controller.rb - app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb
2019-07-23 10:17:06 +02:00
parent 6db5669818 ab3126e7a2
commit 444796b69b
76 changed files with 662 additions and 590 deletions
--- a/spec/controllers/api/base_controller_spec.rb
+++ b/spec/controllers/api/base_controller_spec.rb
@ -15,7 +15,7 @@ describe Api::BaseController do
    end
  end

-  describe 'Forgery protection' do
+  describe 'forgery protection' do
    before do
      routes.draw { post 'success' => 'api/base#success' }
    end
@ -27,7 +27,45 @@ describe Api::BaseController do
    end
  end

-  describe 'Error handling' do
+  describe 'non-functional accounts handling' do
+    let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) }
+    let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') }
+
+    controller do
+      before_action :require_user!
+    end
+
+    before do
+      routes.draw { post 'success' => 'api/base#success' }
+      allow(controller).to receive(:doorkeeper_token) { token }
+    end
+
+    it 'returns http forbidden for unconfirmed accounts' do
+      user.update(confirmed_at: nil)
+      post 'success'
+      expect(response).to have_http_status(403)
+    end
+
+    it 'returns http forbidden for pending accounts' do
+      user.update(approved: false)
+      post 'success'
+      expect(response).to have_http_status(403)
+    end
+
+    it 'returns http forbidden for disabled accounts' do
+      user.update(disabled: true)
+      post 'success'
+      expect(response).to have_http_status(403)
+    end
+
+    it 'returns http forbidden for suspended accounts' do
+      user.account.suspend!
+      post 'success'
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'error handling' do
    ERRORS_WITH_CODES = {
      ActiveRecord::RecordInvalid => 422,
      Mastodon::ValidationError => 422,
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@ -191,10 +191,10 @@ describe ApplicationController, type: :controller do
      expect(response).to have_http_status(200)
    end

-    it 'returns http 403 if user who signed in is suspended' do
+    it 'redirects to account status page' do
      sign_in(Fabricate(:user, account: Fabricate(:account, suspended: true)))
      get 'success'
-      expect(response).to have_http_status(403)
+      expect(response).to redirect_to(edit_user_registration_path)
    end
  end

--- a/spec/controllers/auth/confirmations_controller_spec.rb
+++ b/spec/controllers/auth/confirmations_controller_spec.rb
@ -50,45 +50,4 @@ describe Auth::ConfirmationsController, type: :controller do
      end
    end
  end
-
-  describe 'GET #finish_signup' do
-    subject { get :finish_signup }
-
-    let(:user) { Fabricate(:user) }
-    before do
-      sign_in user, scope: :user
-      @request.env['devise.mapping'] = Devise.mappings[:user]
-    end
-
-    it 'renders finish_signup' do
-      is_expected.to render_template :finish_signup
-      expect(assigns(:user)).to have_attributes id: user.id
-    end
-  end
-
-  describe 'PATCH #finish_signup' do
-    subject { patch :finish_signup, params: { user: { email: email } } }
-
-    let(:user) { Fabricate(:user) }
-    before do
-      sign_in user, scope: :user
-      @request.env['devise.mapping'] = Devise.mappings[:user]
-    end
-
-    context 'when email is valid' do
-      let(:email) { 'new_' + user.email }
-
-      it 'redirects to root_path' do
-        is_expected.to redirect_to root_path
-      end
-    end
-
-    context 'when email is invalid' do
-      let(:email) { '' }
-
-      it 'renders finish_signup' do
-        is_expected.to render_template :finish_signup
-      end
-    end
-  end
 end
--- a/spec/controllers/auth/registrations_controller_spec.rb
+++ b/spec/controllers/auth/registrations_controller_spec.rb
@ -46,6 +46,15 @@ RSpec.describe Auth::RegistrationsController, type: :controller do
      post :update
      expect(response).to have_http_status(200)
    end
+
+    context 'when suspended' do
+      it 'returns http forbidden' do
+        request.env["devise.mapping"] = Devise.mappings[:user]
+        sign_in(Fabricate(:user, account_attributes: { username: 'test', suspended_at: Time.now.utc }), scope: :user)
+        post :update
+        expect(response).to have_http_status(403)
+      end
+    end
  end

  describe 'GET #new' do
@ -94,9 +103,9 @@ RSpec.describe Auth::RegistrationsController, type: :controller do
        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678' } }
      end

-      it 'redirects to login page' do
+      it 'redirects to setup' do
        subject
-        expect(response).to redirect_to new_user_session_path
+        expect(response).to redirect_to auth_setup_path
      end

      it 'creates user' do
@ -120,9 +129,9 @@ RSpec.describe Auth::RegistrationsController, type: :controller do
        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678' } }
      end

-      it 'redirects to login page' do
+      it 'redirects to setup' do
        subject
-        expect(response).to redirect_to new_user_session_path
+        expect(response).to redirect_to auth_setup_path
      end

      it 'creates user' do
@ -148,9 +157,9 @@ RSpec.describe Auth::RegistrationsController, type: :controller do
        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', 'invite_code': invite.code } }
      end

-      it 'redirects to login page' do
+      it 'redirects to setup' do
        subject
-        expect(response).to redirect_to new_user_session_path
+        expect(response).to redirect_to auth_setup_path
      end

      it 'creates user' do
@ -176,9 +185,9 @@ RSpec.describe Auth::RegistrationsController, type: :controller do
        post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', 'invite_code': invite.code } }
      end

-      it 'redirects to login page' do
+      it 'redirects to setup' do
        subject
-        expect(response).to redirect_to new_user_session_path
+        expect(response).to redirect_to auth_setup_path
      end

      it 'creates user' do
--- a/spec/controllers/auth/sessions_controller_spec.rb
+++ b/spec/controllers/auth/sessions_controller_spec.rb
@ -160,8 +160,8 @@ RSpec.describe Auth::SessionsController, type: :controller do
        let(:unconfirmed_user) { user.tap { |u| u.update!(confirmed_at: nil) } }
        let(:accept_language) { 'fr' }

-        it 'shows a translated login error' do
-          expect(flash[:alert]).to eq(I18n.t('devise.failure.unconfirmed', locale: accept_language))
+        it 'redirects to home' do
+          expect(response).to redirect_to(root_path)
        end
      end

--- a/spec/controllers/concerns/localized_spec.rb
+++ b/spec/controllers/concerns/localized_spec.rb
@ -7,16 +7,10 @@ describe ApplicationController, type: :controller do
    include Localized

    def success
-      head 200
+      render plain: I18n.locale, status: 200
    end
  end

-  around do |example|
-    current_locale = I18n.locale
-    example.run
-    I18n.locale = current_locale
-  end
-
  before do
    routes.draw { get 'success' => 'anonymous#success' }
  end
@ -25,19 +19,19 @@ describe ApplicationController, type: :controller do
    it 'sets available and preferred language' do
      request.headers['Accept-Language'] = 'ca-ES, fa'
      get 'success'
-      expect(I18n.locale).to eq :fa
+      expect(response.body).to eq 'fa'
    end

    it 'sets available and compatible language if none of available languages are preferred' do
      request.headers['Accept-Language'] = 'fa-IR'
      get 'success'
-      expect(I18n.locale).to eq :fa
+      expect(response.body).to eq 'fa'
    end

    it 'sets default locale if none of available languages are compatible' do
      request.headers['Accept-Language'] = ''
      get 'success'
-      expect(I18n.locale).to eq :en
+      expect(response.body).to eq 'en'
    end
  end

@ -48,7 +42,7 @@ describe ApplicationController, type: :controller do
      sign_in(user)
      get 'success'

-      expect(I18n.locale).to eq :ca
+      expect(response.body).to eq 'ca'
    end
  end

--- a/spec/controllers/settings/deletes_controller_spec.rb
+++ b/spec/controllers/settings/deletes_controller_spec.rb
@ -15,6 +15,15 @@ describe Settings::DeletesController do
        get :show
        expect(response).to have_http_status(200)
      end
+
+      context 'when suspended' do
+        let(:user) { Fabricate(:user, account_attributes: { username: 'alice', suspended_at: Time.now.utc }) }
+
+        it 'returns http forbidden' do
+          get :show
+          expect(response).to have_http_status(403)
+        end
+      end
    end

    context 'when not signed in' do
@ -49,6 +58,14 @@ describe Settings::DeletesController do
        it 'marks account as suspended' do
          expect(user.account.reload).to be_suspended
        end
+
+        context 'when suspended' do
+          let(:user) { Fabricate(:user, account_attributes: { username: 'alice', suspended_at: Time.now.utc }) }
+
+          it 'returns http forbidden' do
+            expect(response).to have_http_status(403)
+          end
+        end
      end

      context 'with incorrect password' do