Check honeypot/challenge value on activation too

This commit is contained in:
Robin Ward
2014-07-15 14:07:19 -04:00
parent 3eb0afe29b
commit 4f416bf6ce
4 changed files with 37 additions and 13 deletions


@ -283,6 +283,7 @@ class UsersController < ApplicationController
end end
def perform_account_activation def perform_account_activation
raise Discourse::InvalidAccess.new if honeypot_or_challenge_fails?(params)
if @user = EmailToken.confirm(params[:token]) if @user = EmailToken.confirm(params[:token])
# Log in the user unless they need to be approved # Log in the user unless they need to be approved
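Review bot: `raise Discourse::InvalidAccess.new if honeypot_or_challenge_fails?(params)` can drop the `.new` — `raise Discourse::InvalidAccess if honeypot_or_challenge_fails?(params)` is the idiomatic class-only raise form and behaves the same. A short comment above the line would help a later reader, since the reason it sits before `EmailToken.confirm` is not obvious from the code: `# Reject honeypot/challenge failures before the activation token is consumed`. perform_account_activation continues outside the hunk.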


@ -6,6 +6,7 @@
<meta name="description" content=""> <meta name="description" content="">
<%= render partial: "layouts/head" %> <%= render partial: "layouts/head" %>
<%= raw SiteContent.content_for(:head) %> <%= raw SiteContent.content_for(:head) %>
<%= yield(:no_js_head) %>
</head> </head>
<body> <body>
<%- unless customization_disabled? %> <%- unless customization_disabled? %>


@ -1,26 +1,40 @@
<div id='simple-container'> <div id='simple-container'>
<h2><%= t 'activation.welcome_to', site_name: SiteSetting.title %></h2> <h2><%= t 'activation.welcome_to', site_name: SiteSetting.title %></h2>
<br/> <br/>
<button class='btn' id='activate-account-button'><%= t 'activation.action' %></button> <button class='btn' id='activate-account-button'><%= t 'activation.action' %></button>
<%= form_tag(perform_activate_account_path, method: :put, id: 'activate-account-form') do %> <%= form_tag(perform_activate_account_path, method: :put, id: 'activate-account-form') do %>
<%= hidden_field_tag 'password_confirmation' %>
<%= hidden_field_tag 'challenge' %>
<% end %> <% end %>
</div> </div>
<%- content_for(:no_js_head) do %>
<%= script "vendor" %>
<%- end %>
<script language="javascript"> <script language="javascript">
(function() { (function() {
var t1 = new Date().getTime(), function activateAccount() {
button = document.getElementById('activate-account-button'), $('#activate-account-button').prop('disabled', true);
form = document.getElementById('activate-account-form'); $.ajax("/users/hp").then(function(hp) {
$('#password_confirmation').val(hp.value);
$('#challenge').val(hp.challenge.split("").reverse().join(""));
$('#activate-account-form').submit();
}).fail(function() {
$('#activate-account-button').prop('disabled', false);
console.log('test');
});
}
button.addEventListener('click', function() { var t0 = new Date().getTime();
var diff = new Date().getTime() - t1; $('#activate-account-button').on('click', function() {
var diff = new Date().getTime() - t0;
// Ensure the form has been visible for a few ms before allowing the // Ensure the form has been visible for a few ms before allowing the
// user to submit. // user to submit.
if (diff > 50) { if (diff > 50) {
form.submit(); activateAccount();
} }
}); });
})(); })();
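Review bot: `console.log('test');` in the `.fail` handler reads like a leftover debugging statement; when the `/users/hp` request fails the only user-visible effect is the button being re-enabled. Drop that line, or replace it with a visible message explaining that activation could not be started. The form itself now carries only the two hidden fields and is submitted solely from `activateAccount()` after the fetch succeeds, so a comment on the `form_tag` line would make that dependency explicit, e.g. `<%# Submitted by the script below once the honeypot/challenge values have been fetched %>`.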


@ -2,11 +2,6 @@ require 'spec_helper'
describe UsersController do describe UsersController do
before do
UsersController.any_instance.stubs(:honeypot_value).returns(nil)
UsersController.any_instance.stubs(:challenge_value).returns(nil)
end
describe '.show' do describe '.show' do
let!(:user) { log_in } let!(:user) { log_in }
@ -78,6 +73,10 @@ describe UsersController do
end end
describe '.activate_account' do describe '.activate_account' do
before do
UsersController.any_instance.stubs(:honeypot_or_challenge_fails?).returns(false)
end
context 'invalid token' do context 'invalid token' do
before do before do
EmailToken.expects(:confirm).with('asdfasdf').returns(nil) EmailToken.expects(:confirm).with('asdfasdf').returns(nil)
@ -112,7 +111,14 @@ describe UsersController do
user.expects(:enqueue_welcome_message).with('welcome_user').never user.expects(:enqueue_welcome_message).with('welcome_user').never
put :perform_account_activation, token: 'asdfasdf' put :perform_account_activation, token: 'asdfasdf'
end end
end
context "honeypot" do
it "raises an error if the honeypot is invalid" do
UsersController.any_instance.stubs(:honeypot_or_challenge_fails?).returns(true)
put :perform_account_activation, token: 'asdfasdf'
response.should_not be_success
end
end end
context 'response' do context 'response' do
@ -137,7 +143,6 @@ describe UsersController do
it "doesn't set @needs_approval" do it "doesn't set @needs_approval" do
assigns[:needs_approval].should be_blank assigns[:needs_approval].should be_blank
end end
end end
context 'user is not approved' do context 'user is not approved' do
@ -268,7 +273,10 @@ describe UsersController do
end end
describe '#create' do describe '#create' do
before do before do
UsersController.any_instance.stubs(:honeypot_value).returns(nil)
UsersController.any_instance.stubs(:challenge_value).returns(nil)
SiteSetting.stubs(:allow_new_registrations).returns(true) SiteSetting.stubs(:allow_new_registrations).returns(true)
@user = Fabricate.build(:user) @user = Fabricate.build(:user)
@user.password = "strongpassword" @user.password = "strongpassword"
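Review bot: The new example `it "raises an error if the honeypot is invalid"` only asserts `response.should_not be_success`, which would also pass on an unrelated server error; pin the rejection instead, e.g. `response.status.should == 403` if `Discourse::InvalidAccess` is rescued as forbidden, and add `EmailToken.expects(:confirm).never` before the `put` so the test proves the token is not consumed when the check fails. Moving the `honeypot_value`/`challenge_value` stubs from the file-level `before` into `describe '#create'` (last hunk) means every other example now runs against the real methods; that looks intentional given `.activate_account` stubs `honeypot_or_challenge_fails?` directly, but it is worth confirming no other example depended on them.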