FIX: Do not redirect to a topic user cannot see (#13550)
Inviting a user to a private topic used to redirect them to a 404 page immediately after sign up.
parent
95038856c9
commit
16227e38ac
|
@ -251,11 +251,19 @@ class InvitesController < ApplicationController
|
||||||
topic = invite.topics.first
|
topic = invite.topics.first
|
||||||
response = {}
|
response = {}
|
||||||
|
|
||||||
if user.present? && user.active?
|
if user.present?
|
||||||
response[:redirect_to] = topic.present? ? path(topic.relative_url) : path("/")
|
if user.active?
|
||||||
elsif user.present?
|
if user.guardian.can_see?(topic)
|
||||||
|
response[:redirect_to] = path(topic.relative_url)
|
||||||
|
else
|
||||||
|
response[:redirect_to] = path("/")
|
||||||
|
end
|
||||||
|
else
|
||||||
response[:message] = I18n.t('invite.confirm_email')
|
response[:message] = I18n.t('invite.confirm_email')
|
||||||
cookies[:destination_url] = path(topic.relative_url) if topic.present?
|
if user.guardian.can_see?(topic)
|
||||||
|
cookies[:destination_url] = path(topic.relative_url)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
render json: success_json.merge(response)
|
render json: success_json.merge(response)
|
||||||
|
|
|
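Review bot: Both new branches call `user.guardian.can_see?(topic)` without the `topic.present?` guard the old code had. An invite with no topic (`invite.topics.first` returning nil) therefore depends on how the guardian treats nil, which is not visible in this hunk. Computing the decision once makes the authorization check explicit and keeps the activated and non-activated paths in agreement: `can_see_topic = topic.present? && user.guardian.can_see?(topic)`. A one-line comment that the redirect and the `destination_url` cookie must never point at a topic the invitee cannot view would record why the check is there. The enclosing action starts and ends outside this hunk.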
@ -684,6 +684,40 @@ describe InvitesController do
|
||||||
expect(response.body).to include(I18n.t('login.already_logged_in', current_user: user.username))
|
expect(response.body).to include(I18n.t('login.already_logged_in', current_user: user.username))
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'topic invites' do
|
||||||
|
fab!(:invite) { Fabricate(:invite, email: 'test@example.com') }
|
||||||
|
|
||||||
|
fab!(:secured_category) do
|
||||||
|
secured_category = Fabricate(:category)
|
||||||
|
secured_category.permissions = { staff: :full }
|
||||||
|
secured_category.save!
|
||||||
|
secured_category
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'redirects user to topic if activated' do
|
||||||
|
topic = Fabricate(:topic)
|
||||||
|
TopicInvite.create!(invite: invite, topic: topic)
|
||||||
|
|
||||||
|
put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token }
|
||||||
|
expect(response.parsed_body['redirect_to']).to eq(topic.relative_url)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'sets destination_url cookie if user is not activated' do
|
||||||
|
topic = Fabricate(:topic)
|
||||||
|
TopicInvite.create!(invite: invite, topic: topic)
|
||||||
|
|
||||||
|
put "/invites/show/#{invite.invite_key}.json"
|
||||||
|
expect(cookies['destination_url']).to eq(topic.relative_url)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'does not redirect user if they cannot see topic' do
|
||||||
|
TopicInvite.create!(invite: invite, topic: Fabricate(:topic, category: secured_category))
|
||||||
|
|
||||||
|
put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token }
|
||||||
|
expect(response.parsed_body['redirect_to']).to eq("/")
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context '#destroy_all_expired' do
|
context '#destroy_all_expired' do
|
||||||
|
|
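Review bot: The permission check on the non-activated path has no test. The only secured-category example passes `email_token` and asserts on `redirect_to`, so the second `can_see?` branch, which guards `cookies[:destination_url]`, is never exercised with a topic the invitee cannot see. If that guard were dropped, the specs in the `'topic invites'` context would still pass. An example that redeems the invite without `email_token` against the secured topic and asserts the cookie is absent would pin that behaviour.
```ruby
it 'does not set destination_url cookie if user cannot see topic' do
  TopicInvite.create!(invite: invite, topic: Fabricate(:topic, category: secured_category))

  put "/invites/show/#{invite.invite_key}.json"
  expect(cookies['destination_url']).to be_blank
end
```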