Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/spec/components/email_updater_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

344 lines
12 KiB
Ruby
Raw Normal View History

DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction
2019-04-29 20:27:42 -04:00
# frozen_string_literal: true
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
require 'rails_helper'
describe EmailUpdater do
let(:old_email) { 'old.email@example.com' }
let(:new_email) { 'new.email@example.com' }
improve error message when trying to change email address to one used by a staged user
2016-03-21 14:36:26 -04:00
it "provides better error message when a staged user has the same email" do
Fabricate(:user, staged: true, email: new_email)
user = Fabricate(:user, email: old_email)
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
updater = EmailUpdater.new(guardian: user.guardian, user: user)
improve error message when trying to change email address to one used by a staged user
2016-03-21 14:36:26 -04:00
updater.change_to(new_email)
expect(updater.errors).to be_present
expect(updater.errors.messages[:base].first).to be I18n.t("change_email.error_staged")
end
FIX: Do not add same email multiple times (#12322) The user and an admin could create multiple email change requests for the same user. If any of the requests was validated and it became primary, the other request could not be deleted anymore.
2021-03-10 07:49:26 -05:00
it "does not create multiple email change requests" do
user = Fabricate(:user)
EmailUpdater.new(guardian: Fabricate(:admin).guardian, user: user).change_to(new_email)
EmailUpdater.new(guardian: Fabricate(:admin).guardian, user: user).change_to(new_email)
expect(user.email_change_requests.count).to eq(1)
end
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
context "when an admin is changing the email of another user" do
let(:admin) { Fabricate(:admin) }
DEV: Remove `initiating_user` keyword arg from `EmailUpdater`. The guardian contains the acting user.
2020-06-04 01:09:10 -04:00
let(:updater) { EmailUpdater.new(guardian: admin.guardian, user: user) }
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
def expect_old_email_job
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_enqueued_with(job: :critical_user_email, args: { to_address: old_email, type: :notify_old_email, user_id: user.id }) do
yield
end
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
end
context "for a regular user" do
let(:user) { Fabricate(:user, email: old_email) }
FIX: When admin changes an email for the user the user must confirm the change (#10830) See https://meta.discourse.org/t/changing-a-users-email/164512 for additional context. Previously when an admin user changed a user's email we assumed that they would need a password reset too because they likely did not have access to their account. This proved to be incorrect, as there are other reasons a user needs admin to change their email. This PR: * Changes the admin change email for user flow so the user is sent an email to confirm the change * We now record who the email change request was requested by * If the requested by user is admin and not the user we note this in the email sent to the user * We also make the confirm change email route open to anonymous users, so it can be clicked by the user even if they do not have access to their account. If there is a logged in user we make sure the confirmation matches the current user.
2020-10-06 23:02:24 -04:00
it "sends an email to the user for them to confirm the email change" do
expect_enqueued_with(job: :critical_user_email, args: { type: :confirm_new_email, to_address: new_email }) do
updater.change_to(new_email)
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
end
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
end
FIX: When admin changes an email for the user the user must confirm the change (#10830) See https://meta.discourse.org/t/changing-a-users-email/164512 for additional context. Previously when an admin user changed a user's email we assumed that they would need a password reset too because they likely did not have access to their account. This proved to be incorrect, as there are other reasons a user needs admin to change their email. This PR: * Changes the admin change email for user flow so the user is sent an email to confirm the change * We now record who the email change request was requested by * If the requested by user is admin and not the user we note this in the email sent to the user * We also make the confirm change email route open to anonymous users, so it can be clicked by the user even if they do not have access to their account. If there is a logged in user we make sure the confirmation matches the current user.
2020-10-06 23:02:24 -04:00
it "logs the admin user as the requester" do
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
updater.change_to(new_email)
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.requested_by).to eq(admin)
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
end
FIX: When admin changes an email for the user the user must confirm the change (#10830) See https://meta.discourse.org/t/changing-a-users-email/164512 for additional context. Previously when an admin user changed a user's email we assumed that they would need a password reset too because they likely did not have access to their account. This proved to be incorrect, as there are other reasons a user needs admin to change their email. This PR: * Changes the admin change email for user flow so the user is sent an email to confirm the change * We now record who the email change request was requested by * If the requested by user is admin and not the user we note this in the email sent to the user * We also make the confirm change email route open to anonymous users, so it can be clicked by the user even if they do not have access to their account. If there is a logged in user we make sure the confirmation matches the current user.
2020-10-06 23:02:24 -04:00
it "starts the new confirmation process" do
updater.change_to(new_email)
expect(updater.errors).to be_blank
FIX: Admin change email for user process improvements and fixes (#10755) See https://meta.discourse.org/t/changing-a-users-email/164512 for context. When admin changes an email for a user, we were incorrectly sending the password reset email to the user's old address. Also the new email does not come into effect until the reset password process is done, so this PR adds some notes to the admin to make this clearer.
2020-09-28 19:45:45 -04:00
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req).to be_present
expect(updater.change_req.change_state).to eq(EmailChangeRequest.states[:authorizing_new])
FIX: When admin changes an email for the user the user must confirm the change (#10830) See https://meta.discourse.org/t/changing-a-users-email/164512 for additional context. Previously when an admin user changed a user's email we assumed that they would need a password reset too because they likely did not have access to their account. This proved to be incorrect, as there are other reasons a user needs admin to change their email. This PR: * Changes the admin change email for user flow so the user is sent an email to confirm the change * We now record who the email change request was requested by * If the requested by user is admin and not the user we note this in the email sent to the user * We also make the confirm change email route open to anonymous users, so it can be clicked by the user even if they do not have access to their account. If there is a logged in user we make sure the confirmation matches the current user.
2020-10-06 23:02:24 -04:00
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.old_email).to eq(old_email)
expect(updater.change_req.new_email).to eq(new_email)
expect(updater.change_req.old_email_token).to be_blank
expect(updater.change_req.new_email_token.email).to eq(new_email)
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
end
end
context "for a staff user" do
let(:user) { Fabricate(:moderator, email: old_email) }
FIX: When admin changes staff email still enforce old email confirm (#9007) A follow-up correction to this change https://github.com/discourse/discourse/pull/9001. When admin changes staff email still enforce old email confirm. Only allow auto-confirm of a new email by admin IF the target user is not also an admin. If an admin gets locked out of their email the site admin can use the rails console to solve the issue in a pinch.
2020-02-19 22:42:57 -05:00
before do
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_enqueued_with(job: :critical_user_email, args: { type: :confirm_old_email, to_address: old_email }) do
updater.change_to(new_email)
end
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
end
FIX: When admin changes staff email still enforce old email confirm (#9007) A follow-up correction to this change https://github.com/discourse/discourse/pull/9001. When admin changes staff email still enforce old email confirm. Only allow auto-confirm of a new email by admin IF the target user is not also an admin. If an admin gets locked out of their email the site admin can use the rails console to solve the issue in a pinch.
2020-02-19 22:42:57 -05:00
it "starts the old confirmation process" do
expect(updater.errors).to be_blank
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.old_email).to eq(old_email)
expect(updater.change_req.new_email).to eq(new_email)
expect(updater.change_req).to be_present
expect(updater.change_req.change_state).to eq(EmailChangeRequest.states[:authorizing_old])
FIX: When admin changes staff email still enforce old email confirm (#9007) A follow-up correction to this change https://github.com/discourse/discourse/pull/9001. When admin changes staff email still enforce old email confirm. Only allow auto-confirm of a new email by admin IF the target user is not also an admin. If an admin gets locked out of their email the site admin can use the rails console to solve the issue in a pinch.
2020-02-19 22:42:57 -05:00
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.old_email_token.email).to eq(old_email)
expect(updater.change_req.new_email_token).to be_blank
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
end
FIX: When admin changes staff email still enforce old email confirm (#9007) A follow-up correction to this change https://github.com/discourse/discourse/pull/9001. When admin changes staff email still enforce old email confirm. Only allow auto-confirm of a new email by admin IF the target user is not also an admin. If an admin gets locked out of their email the site admin can use the rails console to solve the issue in a pinch.
2020-02-19 22:42:57 -05:00
it "does not immediately confirm the request" do
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.change_state).not_to eq(EmailChangeRequest.states[:complete])
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
end
end
context "when changing their own email" do
let(:user) { admin }
before do
admin.update(email: old_email)
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_enqueued_with(job: :critical_user_email, args: { type: :confirm_old_email, to_address: old_email }) do
updater.change_to(new_email)
end
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
end
FIX: When admin changes an email for the user the user must confirm the change (#10830) See https://meta.discourse.org/t/changing-a-users-email/164512 for additional context. Previously when an admin user changed a user's email we assumed that they would need a password reset too because they likely did not have access to their account. This proved to be incorrect, as there are other reasons a user needs admin to change their email. This PR: * Changes the admin change email for user flow so the user is sent an email to confirm the change * We now record who the email change request was requested by * If the requested by user is admin and not the user we note this in the email sent to the user * We also make the confirm change email route open to anonymous users, so it can be clicked by the user even if they do not have access to their account. If there is a logged in user we make sure the confirmation matches the current user.
2020-10-06 23:02:24 -04:00
it "logs the user as the requester" do
updater.change_to(new_email)
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.requested_by).to eq(user)
FIX: When admin changes an email for the user the user must confirm the change (#10830) See https://meta.discourse.org/t/changing-a-users-email/164512 for additional context. Previously when an admin user changed a user's email we assumed that they would need a password reset too because they likely did not have access to their account. This proved to be incorrect, as there are other reasons a user needs admin to change their email. This PR: * Changes the admin change email for user flow so the user is sent an email to confirm the change * We now record who the email change request was requested by * If the requested by user is admin and not the user we note this in the email sent to the user * We also make the confirm change email route open to anonymous users, so it can be clicked by the user even if they do not have access to their account. If there is a logged in user we make sure the confirmation matches the current user.
2020-10-06 23:02:24 -04:00
end
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
it "starts the old confirmation process" do
expect(updater.errors).to be_blank
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.old_email).to eq(old_email)
expect(updater.change_req.new_email).to eq(new_email)
expect(updater.change_req).to be_present
expect(updater.change_req.change_state).to eq(EmailChangeRequest.states[:authorizing_old])
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.old_email_token.email).to eq(old_email)
expect(updater.change_req.new_email_token).to be_blank
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
end
it "does not immediately confirm the request" do
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.change_state).not_to eq(EmailChangeRequest.states[:complete])
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
end
end
end
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
context 'as a regular user' do
let(:user) { Fabricate(:user, email: old_email) }
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
let(:updater) { EmailUpdater.new(guardian: user.guardian, user: user) }
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
context "changing primary email" do
before do
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_enqueued_with(job: :critical_user_email, args: { type: :confirm_new_email, to_address: new_email }) do
updater.change_to(new_email)
end
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
end
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
it "starts the new confirmation process" do
expect(updater.errors).to be_blank
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req).to be_present
expect(updater.change_req.change_state).to eq(EmailChangeRequest.states[:authorizing_new])
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.old_email).to eq(old_email)
expect(updater.change_req.new_email).to eq(new_email)
expect(updater.change_req.old_email_token).to be_blank
expect(updater.change_req.new_email_token.email).to eq(new_email)
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
end
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
context 'confirming an invalid token' do
it "produces an error" do
updater.confirm('random')
expect(updater.errors).to be_present
expect(user.reload.email).not_to eq(new_email)
end
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
end
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
context 'confirming a valid token' do
it "updates the user's email" do
FIX: : trigger `user_updated` event only if email changed after user creation. Follow-up to 1460d7957c5d9b9300034e5e36675cf44cc3bc0f
2020-07-16 08:51:30 -04:00
event = DiscourseEvent.track_events {
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_enqueued_with(job: :critical_user_email, args: { type: :notify_old_email, to_address: old_email }) do
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
updater.confirm(updater.change_req.new_email_token.token)
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
end
FIX: : trigger `user_updated` event only if email changed after user creation. Follow-up to 1460d7957c5d9b9300034e5e36675cf44cc3bc0f
2020-07-16 08:51:30 -04:00
}.last
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
expect(updater.errors).to be_blank
expect(user.reload.email).to eq(new_email)
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
FIX: : trigger `user_updated` event only if email changed after user creation. Follow-up to 1460d7957c5d9b9300034e5e36675cf44cc3bc0f
2020-07-16 08:51:30 -04:00
expect(event[:event_name]).to eq(:user_updated)
expect(event[:params].first).to eq(user)
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
updater.change_req.reload
expect(updater.change_req.change_state).to eq(EmailChangeRequest.states[:complete])
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
end
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
end
end
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
context "adding an email" do
before do
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_enqueued_with(job: :critical_user_email, args: { type: :confirm_new_email, to_address: new_email }) do
updater.change_to(new_email, add: true)
end
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
end
context 'confirming a valid token' do
it "adds a user email" do
DEV: Add test (#10064) Follow-up-to 84dfaad137a215bf722388cccbe22f593279f5a2
2020-06-17 14:41:16 -04:00
expect(UserHistory.where(action: UserHistory.actions[:add_email], acting_user_id: user.id).last).to be_present
FIX: : trigger `user_updated` event only if email changed after user creation. Follow-up to 1460d7957c5d9b9300034e5e36675cf44cc3bc0f
2020-07-16 08:51:30 -04:00
event = DiscourseEvent.track_events {
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_enqueued_with(job: :critical_user_email, args: { type: :notify_old_email_add, to_address: old_email }) do
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
updater.confirm(updater.change_req.new_email_token.token)
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
end
FIX: : trigger `user_updated` event only if email changed after user creation. Follow-up to 1460d7957c5d9b9300034e5e36675cf44cc3bc0f
2020-07-16 08:51:30 -04:00
}.last
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
expect(updater.errors).to be_blank
expect(UserEmail.where(user_id: user.id).pluck(:email)).to contain_exactly(user.email, new_email)
FIX: : trigger `user_updated` event only if email changed after user creation. Follow-up to 1460d7957c5d9b9300034e5e36675cf44cc3bc0f
2020-07-16 08:51:30 -04:00
expect(event[:event_name]).to eq(:user_updated)
expect(event[:params].first).to eq(user)
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
updater.change_req.reload
expect(updater.change_req.change_state).to eq(EmailChangeRequest.states[:complete])
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
end
end
FIX: Allow users to add emails which were deleted before
2020-06-11 07:53:41 -04:00
context 'that was deleted before' do
it 'works' do
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_enqueued_with(job: :critical_user_email, args: { type: :notify_old_email_add, to_address: old_email }) do
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
updater.confirm(updater.change_req.new_email_token.token)
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
end
FIX: Allow users to add emails which were deleted before
2020-06-11 07:53:41 -04:00
expect(user.reload.user_emails.pluck(:email)).to contain_exactly(old_email, new_email)
user.user_emails.where(email: new_email).delete_all
expect(user.reload.user_emails.pluck(:email)).to contain_exactly(old_email)
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_enqueued_with(job: :critical_user_email, args: { type: :confirm_new_email, to_address: new_email }) do
updater.change_to(new_email, add: true)
end
expect_enqueued_with(job: :critical_user_email, args: { type: :notify_old_email_add, to_address: old_email }) do
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
updater.confirm(updater.change_req.new_email_token.token)
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
end
FIX: Allow users to add emails which were deleted before
2020-06-11 07:53:41 -04:00
expect(user.reload.user_emails.pluck(:email)).to contain_exactly(old_email, new_email)
end
end
FEATURE: Improve UX support for multiple email addresses (#9691)
2020-06-10 12:11:49 -04:00
end
FEATURE: add maximum limit for secondary emails (#12599)
2021-04-05 11:01:42 -04:00
context "max_allowed_secondary_emails" do
let(:secondary_email_1) { "secondary_1@email.com" }
let(:secondary_email_2) { "secondary_2@email.com" }
before do
SiteSetting.max_allowed_secondary_emails = 2
Fabricate(:secondary_email, user: user, primary: false, email: secondary_email_1)
Fabricate(:secondary_email, user: user, primary: false, email: secondary_email_2)
end
it "max secondary_emails limit reached" do
updater.change_to(new_email, add: true)
expect(updater.errors).to be_present
expect(updater.errors.messages[:base].first).to be I18n.t("change_email.max_secondary_emails_error")
end
end
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
end
context 'as a staff user' do
let(:user) { Fabricate(:moderator, email: old_email) }
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
let(:updater) { EmailUpdater.new(guardian: user.guardian, user: user) }
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
before do
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_enqueued_with(job: :critical_user_email, args: { type: :confirm_old_email, to_address: old_email }) do
updater.change_to(new_email)
end
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
end
it "starts the old confirmation process" do
expect(updater.errors).to be_blank
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.old_email).to eq(old_email)
expect(updater.change_req.new_email).to eq(new_email)
expect(updater.change_req).to be_present
expect(updater.change_req.change_state).to eq(EmailChangeRequest.states[:authorizing_old])
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.old_email_token.email).to eq(old_email)
expect(updater.change_req.new_email_token).to be_blank
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
end
context 'confirming an invalid token' do
it "produces an error" do
updater.confirm('random')
expect(updater.errors).to be_present
expect(user.reload.email).not_to eq(new_email)
end
end
context 'confirming a valid token' do
before do
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_enqueued_with(job: :critical_user_email, args: { type: :confirm_new_email, to_address: new_email }) do
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
@old_token = updater.change_req.old_email_token.token
updater.confirm(@old_token)
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
end
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
end
it "starts the new update process" do
expect(updater.errors).to be_blank
expect(user.reload.email).to eq(old_email)
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
expect(updater.change_req.change_state).to eq(EmailChangeRequest.states[:authorizing_new])
expect(updater.change_req.new_email_token).to be_present
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
end
it "cannot be confirmed twice" do
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
updater.confirm(@old_token)
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
expect(updater.errors).to be_present
expect(user.reload.email).to eq(old_email)
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
updater.change_req.reload
expect(updater.change_req.change_state).to eq(EmailChangeRequest.states[:authorizing_new])
expect(updater.change_req.new_email_token.email).to eq(new_email)
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
end
context "completing the new update process" do
before do
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_not_enqueued_with(job: :critical_user_email, args: { type: :notify_old_email, to_address: old_email }) do
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
updater.confirm(updater.change_req.new_email_token.token)
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
end
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
end
it "updates the user's email" do
expect(updater.errors).to be_blank
expect(user.reload.email).to eq(new_email)
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 02:34:39 -05:00
updater.change_req.reload
expect(updater.change_req.change_state).to eq(EmailChangeRequest.states[:complete])
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
end
end
end
end
FEATURE: the hide_email_address_taken setting works with the change email address form in user preferences
2017-10-04 11:41:08 -04:00
context 'hide_email_address_taken is enabled' do
before do
SiteSetting.hide_email_address_taken = true
end
let(:user) { Fabricate(:user, email: old_email) }
let(:existing) { Fabricate(:user, email: new_email) }
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email.
2020-02-19 18:52:21 -05:00
let(:updater) { EmailUpdater.new(guardian: user.guardian, user: user) }
FEATURE: the hide_email_address_taken setting works with the change email address form in user preferences
2017-10-04 11:41:08 -04:00
it "doesn't error if user exists with new email" do
updater.change_to(existing.email)
expect(updater.errors).to be_blank
expect(user.email_change_requests).to be_empty
end
it 'sends an email to the owner of the account with the new email' do
Update rubocop to 2.3.1.
2020-07-24 05:16:52 -04:00
expect_enqueued_with(job: :critical_user_email, args: { type: :account_exists, user_id: existing.id }) do
updater.change_to(existing.email)
end
FEATURE: the hide_email_address_taken setting works with the change email address form in user preferences
2017-10-04 11:41:08 -04:00
end
end
SECURITY: Support for confirm old as well as new email accounts
2016-03-07 14:40:11 -05:00
end