SECURITY: Confirm new administrator accounts via email

2025-05-22 04:31:10 +08:00 · 2017-04-04 13:59:22 -04:00
parent a649014adf
commit 17f2974d0a
13 changed files with 293 additions and 20 deletions
--- a/spec/controllers/admin/users_controller_spec.rb
+++ b/spec/controllers/admin/users_controller_spec.rb
@ -166,9 +166,9 @@ describe Admin::UsersController do
      end

      it 'updates the admin flag' do
+        expect(AdminConfirmation.exists_for?(@another_user.id)).to eq(false)
        xhr :put, :grant_admin, user_id: @another_user.id
-        @another_user.reload
-        expect(@another_user).to be_admin
+        expect(AdminConfirmation.exists_for?(@another_user.id)).to eq(true)
      end
    end

@ -491,7 +491,14 @@ describe Admin::UsersController do
    end

    context ".invite_admin" do
+      it "doesn't work when not via API" do
+        controller.stubs(:is_api?).returns(false)
+        xhr :post, :invite_admin, name: 'Bill', username: 'bill22', email: 'bill@bill.com'
+        expect(response).not_to be_success
+      end
+
      it 'should invite admin' do
+        controller.stubs(:is_api?).returns(true)
        Jobs.expects(:enqueue).with(:critical_user_email, anything).returns(true)
        xhr :post, :invite_admin, name: 'Bill', username: 'bill22', email: 'bill@bill.com'
        expect(response).to be_success
@ -503,6 +510,7 @@ describe Admin::UsersController do
      end

      it "doesn't send the email with send_email falsy" do
+        controller.stubs(:is_api?).returns(true)
        Jobs.expects(:enqueue).with(:user_email, anything).never
        xhr :post, :invite_admin, name: 'Bill', username: 'bill22', email: 'bill@bill.com', send_email: '0'
        expect(response).to be_success
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -1807,4 +1807,69 @@ describe UsersController do
    end
  end

+
+  describe ".confirm_admin" do
+    it "fails without a valid token" do
+      expect {
+        get :confirm_admin, token: 'invalid-token'
+      }.to raise_error(ActionController::UrlGenerationError)
+    end
+
+    it "fails with a missing token" do
+      get :confirm_admin, token: 'a0a0a0a0a0'
+      expect(response).to_not be_success
+    end
+
+    it "succeeds with a valid code as anonymous" do
+      user = Fabricate(:user)
+      ac = AdminConfirmation.new(user, Fabricate(:admin))
+      ac.create_confirmation
+      get :confirm_admin, token: ac.token
+      expect(response).to be_success
+
+      user.reload
+      expect(user.admin?).to eq(false)
+    end
+
+    it "succeeds with a valid code when logged in as that user" do
+      admin = log_in(:admin)
+      user = Fabricate(:user)
+
+      ac = AdminConfirmation.new(user, admin)
+      ac.create_confirmation
+      get :confirm_admin, token: ac.token
+      expect(response).to be_success
+
+      user.reload
+      expect(user.admin?).to eq(false)
+    end
+
+    it "fails if you're logged in as a different account" do
+      log_in(:admin)
+      user = Fabricate(:user)
+
+      ac = AdminConfirmation.new(user, Fabricate(:admin))
+      ac.create_confirmation
+      get :confirm_admin, token: ac.token
+      expect(response).to_not be_success
+
+      user.reload
+      expect(user.admin?).to eq(false)
+    end
+
+    describe "post" do
+      it "gives the user admin access when POSTed" do
+        user = Fabricate(:user)
+        ac = AdminConfirmation.new(user, Fabricate(:admin))
+        ac.create_confirmation
+        post :confirm_admin, token: ac.token
+        expect(response).to be_success
+
+        user.reload
+        expect(user.admin?).to eq(true)
+      end
+    end
+
+  end
+
 end