Check that an invite link is valid before bypassing approval mode (ma…

…stodon#10657) * Check that an invite link is valid before bypassing approval mode Fixes mastodon#10656 * Add tests * Only consider valid invite links in registration controller * fixup
best-friends · May 4, 2019 · f3a40bf · f3a40bf
1 parent a5c0561
commit f3a40bf
Show file tree

Hide file tree

Showing 3 changed files with 86 additions and 2 deletions.
diff --git a/app/controllers/auth/registrations_controller.rb b/app/controllers/auth/registrations_controller.rb
@@ -91,7 +91,8 @@ def set_body_classes
  end
 
  def set_invite
- @invite = invite_code.present? ? Invite.find_by(code: invite_code) : nil
+ invite = invite_code.present? ? Invite.find_by(code: invite_code) : nil
+ @invite = invite&.valid_for_use? ? invite : nil
  end
 
  def determine_layout

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -114,7 +114,7 @@ def confirmed?
  end
 
  def invited?
- invite_id.present?
+ invite_id.present? && invite.valid_for_use?
  end
 
  def disable!

diff --git a/spec/controllers/auth/registrations_controller_spec.rb b/spec/controllers/auth/registrations_controller_spec.rb
@@ -107,6 +107,89 @@
  end
  end
 
+ context 'approval-based registrations without invite' do
+ around do |example|
+ registrations_mode = Setting.registrations_mode
+ example.run
+ Setting.registrations_mode = registrations_mode
+ end
+
+ subject do
+ Setting.registrations_mode = 'approved'
+ request.headers["Accept-Language"] = accept_language
+ post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678' } }
+ end
+
+ it 'redirects to login page' do
+ subject
+ expect(response).to redirect_to new_user_session_path
+ end
+
+ it 'creates user' do
+ subject
+ user = User.find_by(email: 'test@example.com')
+ expect(user).to_not be_nil
+ expect(user.locale).to eq(accept_language)
+ expect(user.approved).to eq(false)
+ end
+ end
+
+ context 'approval-based registrations with expired invite' do
+ around do |example|
+ registrations_mode = Setting.registrations_mode
+ example.run
+ Setting.registrations_mode = registrations_mode
+ end
+
+ subject do
+ Setting.registrations_mode = 'approved'
+ request.headers["Accept-Language"] = accept_language
+ invite = Fabricate(:invite, max_uses: nil, expires_at: 1.hour.ago)
+ post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', 'invite_code': invite.code } }
+ end
+
+ it 'redirects to login page' do
+ subject
+ expect(response).to redirect_to new_user_session_path
+ end
+
+ it 'creates user' do
+ subject
+ user = User.find_by(email: 'test@example.com')
+ expect(user).to_not be_nil
+ expect(user.locale).to eq(accept_language)
+ expect(user.approved).to eq(false)
+ end
+ end
+
+ context 'approval-based registrations with valid invite' do
+ around do |example|
+ registrations_mode = Setting.registrations_mode
+ example.run
+ Setting.registrations_mode = registrations_mode
+ end
+
+ subject do
+ Setting.registrations_mode = 'approved'
+ request.headers["Accept-Language"] = accept_language
+ invite = Fabricate(:invite, max_uses: nil, expires_at: 1.hour.from_now)
+ post :create, params: { user: { account_attributes: { username: 'test' }, email: 'test@example.com', password: '12345678', password_confirmation: '12345678', 'invite_code': invite.code } }
+ end
+
+ it 'redirects to login page' do
+ subject
+ expect(response).to redirect_to new_user_session_path
+ end
+
+ it 'creates user' do
+ subject
+ user = User.find_by(email: 'test@example.com')
+ expect(user).to_not be_nil
+ expect(user.locale).to eq(accept_language)
+ expect(user.approved).to eq(true)
+ end
+ end
+
  it 'does nothing if user already exists' do
  Fabricate(:user, account: Fabricate(:account, username: 'test'))
  subject