Don't allow signups without a password

2013-02-12 15:42:04 -05:00 · 2013-02-12 15:42:04 -05:00 · 824b09389f
parent d7f3241285
commit 824b09389f
3 changed files with 31 additions and 2 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -141,6 +141,8 @@ class UsersController < ApplicationController
    auth = session[:authentication]
    if auth && auth[:email] == params[:email] && auth[:email_valid]
      user.active = true
+    else
+      user.password_required
    end

    Mothership.register_nickname( user.username, user.email ) if user.valid? and SiteSetting.call_mothership?
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -241,6 +241,11 @@ class User < ActiveRecord::Base
    end
  end

+  # Indicate that this is NOT a passwordless account for the purposes of validation
+  def password_required
+    @password_required = true
+  end
+
  def confirm_password?(password)
    return false unless self.password_hash && self.salt
    self.password_hash == hash_password(password,self.salt)
@ -455,8 +460,8 @@ class User < ActiveRecord::Base
    end

    def password_validator
-      if @raw_password
-        return errors.add(:password, "must be 6 letters or longer") if @raw_password.length < 6
+      if (@raw_password and @raw_password.length < 6) or (@password_required and !@raw_password)
+        return errors.add(:password, "must be 6 letters or longer")
      end
    end

--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -379,6 +379,28 @@ describe UsersController do
      let(:create_params) { {:name => @user.name, :username => @user.username, :password => "strongpassword", :email => @user.email, :challenge => 'abc'} }
      it_should_behave_like 'honeypot fails'
    end
+
+    shared_examples_for 'failed signup due to password problem' do
+      it 'should not create a new User' do
+        expect { xhr :post, :create, create_params }.to_not change { User.count }
+      end
+
+      it 'should report failed' do
+        xhr :post, :create, create_params
+        json = JSON::parse(response.body)
+        json["success"].should_not be_true
+      end
+    end
+
+    context 'when password is blank' do
+      let(:create_params) { {:name => @user.name, :username => @user.username, :password => "", :email => @user.email} }
+      it_should_behave_like 'failed signup due to password problem'
+    end
+
+    context 'when password param is missing' do
+      let(:create_params) { {:name => @user.name, :username => @user.username, :email => @user.email} }
+      it_should_behave_like 'failed signup due to password problem'
+    end
  end

  context '.username' do