FEATURE: forgot_password_strict setting also prevents reporting that an email address is taken during signup

2025-06-18 09:05:03 +08:00 · 2017-10-03 14:08:37 -04:00
parent cc4a102b26
commit e47f5cedd2
5 changed files with 74 additions and 0 deletions
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -621,6 +621,28 @@ describe UsersController do
          expect(session[SessionController::ACTIVATE_USER_KEY]).to be_present
        end
      end
+
+      context 'users already exists with given email' do
+        let!(:existing) { Fabricate(:user, email: post_user_params[:email]) }
+
+        it 'returns an error if forgot_password_strict is disabled' do
+          SiteSetting.forgot_password_strict = false
+          post_user
+          json = JSON.parse(response.body)
+          expect(json['success']).to eq(false)
+          expect(json['message']).to be_present
+        end
+
+        it 'returns success if forgot_password_strict is enabled' do
+          SiteSetting.forgot_password_strict = true
+          expect {
+            post_user
+          }.to_not change { User.count }
+          json = JSON.parse(response.body)
+          expect(json['active']).to be_falsey
+          expect(session["user_created_message"]).to be_present
+        end
+      end
    end

    context "creating as active" do