discourse/spec/requests/invites_controller_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

1525 lines
55 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
RSpec.describe InvitesController do
fab!(:admin) { Fabricate(:admin) }
fab!(:user) { Fabricate(:user, trust_level: SiteSetting.min_trust_level_to_allow_invite) }
describe "#show" do
fab!(:invite) { Fabricate(:invite) }
it "shows the accept invite page" do
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to have_tag(:script, with: { src: "/assets/discourse.js" })
expect(response.body).not_to include(invite.email)
expect(response.body).to_not include(
I18n.t(
"invite.not_found_template",
site_name: SiteSetting.title,
base_url: Discourse.base_url,
),
)
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["username"]).to eq("")
expect(invite_info["email"]).to eq("i*****g@a***********e.ooo")
end
end
context "when email data is present in authentication data" do
let(:store) { ActionDispatch::Session::CookieStore.new({}) }
let(:session_stub) do
ActionDispatch::Request::Session.create(store, ActionDispatch::TestRequest.create, {})
end
before do
session_stub[:authentication] = { email: invite.email }
ActionDispatch::Request.any_instance.stubs(:session).returns(session_stub)
end
it "shows unobfuscated email" do
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to have_tag(:script, with: { src: "/assets/discourse.js" })
expect(response.body).to include(invite.email)
expect(response.body).not_to include("i*****g@a***********e.ooo")
end
end
it "shows default user fields" do
user_field = Fabricate(:user_field)
staged_user = Fabricate(:user, staged: true, email: invite.email)
staged_user.set_user_field(user_field.id, "some value")
staged_user.save_custom_fields
get "/invites/#{invite.invite_key}"
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["username"]).to eq(staged_user.username)
expect(invite_info["user_fields"][user_field.id.to_s]).to eq("some value")
end
end
it "includes token validity boolean" do
get "/invites/#{invite.invite_key}"
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["email_verified_by_link"]).to eq(false)
end
get "/invites/#{invite.invite_key}?t=#{invite.email_token}"
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["email_verified_by_link"]).to eq(true)
end
end
describe "logged in user viewing an invite" do
fab!(:group) { Fabricate(:group) }
before { sign_in(user) }
it "shows the accept invite page when user's email matches the invite email" do
invite.update_columns(email: user.email)
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to have_tag(:script, with: { src: "/assets/discourse.js" })
expect(response.body).not_to include(
I18n.t(
"invite.not_found_template",
site_name: SiteSetting.title,
base_url: Discourse.base_url,
),
)
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["username"]).to eq(user.username)
expect(invite_info["email"]).to eq(user.email)
expect(invite_info["existing_user_id"]).to eq(user.id)
expect(invite_info["existing_user_can_redeem"]).to eq(true)
end
end
it "shows the accept invite page when user's email domain matches the domain an invite link is restricted to" do
invite.update!(email: nil, domain: "discourse.org")
user.update!(email: "someguy@discourse.org")
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to have_tag(:script, with: { src: "/assets/discourse.js" })
expect(response.body).not_to include(
I18n.t(
"invite.not_found_template",
site_name: SiteSetting.title,
base_url: Discourse.base_url,
),
)
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["username"]).to eq(user.username)
expect(invite_info["email"]).to eq(user.email)
expect(invite_info["existing_user_id"]).to eq(user.id)
expect(invite_info["existing_user_can_redeem"]).to eq(true)
end
end
it "does not allow the user to accept the invite when their email domain does not match the domain of the invite" do
user.update!(email: "someguy@discourse.com")
invite.update!(email: nil, domain: "discourse.org")
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["existing_user_can_redeem"]).to eq(false)
expect(invite_info["existing_user_can_redeem_error"]).to eq(
I18n.t("invite.existing_user_cannot_redeem"),
)
end
end
it "does not allow the user to accept the invite when their email does not match the invite" do
invite.update_columns(email: "notuseremail@discourse.org")
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["existing_user_can_redeem"]).to eq(false)
end
end
it "does not allow the user to accept the invite when a multi-use invite link has already been redeemed by the user" do
invite.update!(email: nil, max_redemptions_allowed: 10)
expect(invite.redeem(redeeming_user: user)).not_to eq(nil)
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["existing_user_id"]).to eq(user.id)
expect(invite_info["existing_user_can_redeem"]).to eq(false)
expect(invite_info["existing_user_can_redeem_error"]).to eq(
I18n.t("invite.existing_user_already_redemeed"),
)
end
end
it "allows the user to accept the invite when its an invite link that they have not redeemed" do
invite.update!(email: nil, max_redemptions_allowed: 10)
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["existing_user_id"]).to eq(user.id)
expect(invite_info["existing_user_can_redeem"]).to eq(true)
end
end
end
it "fails if invite does not exist" do
get "/invites/missing"
expect(response.status).to eq(200)
expect(response.body).to_not have_tag(:script, with: { src: "/assets/application.js" })
expect(response.body).to include(I18n.t("invite.not_found", base_url: Discourse.base_url))
end
it "fails if invite expired" do
invite.update(expires_at: 1.day.ago)
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to_not have_tag(:script, with: { src: "/assets/application.js" })
expect(response.body).to include(I18n.t("invite.expired", base_url: Discourse.base_url))
end
it "stores the invite key in the secure session if invite exists" do
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-19 08:20:10 +08:00
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
invite_key = read_secure_session["invite-key"]
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-19 08:20:10 +08:00
expect(invite_key).to eq(invite.invite_key)
end
it "returns error if invite has already been redeemed" do
expect(invite.redeem).not_to eq(nil)
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to_not have_tag(:script, with: { src: "/assets/application.js" })
expect(response.body).to include(
I18n.t(
"invite.not_found_template",
site_name: SiteSetting.title,
base_url: Discourse.base_url,
),
)
invite.update!(email: nil) # convert to email invite
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to_not have_tag(:script, with: { src: "/assets/application.js" })
expect(response.body).to include(
I18n.t(
"invite.not_found_template_link",
site_name: SiteSetting.title,
base_url: Discourse.base_url,
),
)
end
end
describe "#create" do
it "requires to be logged in" do
post "/invites.json", params: { email: "test@example.com" }
expect(response.status).to eq(403)
end
context "while logged in" do
before { sign_in(user) }
it "fails if you cannot invite to the forum" do
sign_in(Fabricate(:user))
post "/invites.json", params: { email: "test@example.com" }
expect(response).to be_forbidden
end
end
context "with invite to topic" do
fab!(:topic) { Fabricate(:topic) }
it "works" do
sign_in(user)
post "/invites.json",
params: {
email: "test@example.com",
topic_id: topic.id,
invite_to_topic: true,
}
expect(response.status).to eq(200)
expect(Jobs::InviteEmail.jobs.first["args"].first["invite_to_topic"]).to be_truthy
end
it "fails when topic_id is invalid" do
sign_in(user)
post "/invites.json", params: { email: "test@example.com", topic_id: -9999 }
expect(response.status).to eq(400)
end
context "when topic is private" do
fab!(:group) { Fabricate(:group) }
fab!(:secured_category) do |category|
category = Fabricate(:category)
category.permissions = { group.name => :full }
category.save!
category
end
fab!(:topic) { Fabricate(:topic, category: secured_category) }
it "does not work and returns a list of required groups" do
sign_in(admin)
post "/invites.json", params: { email: "test@example.com", topic_id: topic.id }
expect(response.status).to eq(422)
expect(response.parsed_body["errors"]).to contain_exactly(
I18n.t("invite.requires_groups", groups: group.name),
)
end
it "does not work if user cannot edit groups" do
group.add(user)
sign_in(user)
post "/invites.json", params: { email: "test@example.com", topic_id: topic.id }
expect(response.status).to eq(403)
end
end
end
context "with invite to group" do
fab!(:group) { Fabricate(:group) }
it "works for admins" do
sign_in(admin)
post "/invites.json", params: { email: "test@example.com", group_ids: [group.id] }
expect(response.status).to eq(200)
expect(Invite.find_by(email: "test@example.com").invited_groups.count).to eq(1)
end
it "works for group owners" do
sign_in(user)
group.add_owner(user)
post "/invites.json", params: { email: "test@example.com", group_ids: [group.id] }
expect(response.status).to eq(200)
expect(Invite.find_by(email: "test@example.com").invited_groups.count).to eq(1)
end
it "works with multiple groups" do
sign_in(admin)
group2 = Fabricate(:group)
post "/invites.json",
params: {
email: "test@example.com",
group_names: "#{group.name},#{group2.name}",
}
expect(response.status).to eq(200)
expect(Invite.find_by(email: "test@example.com").invited_groups.count).to eq(2)
end
it "fails for group members" do
sign_in(user)
group.add(user)
post "/invites.json", params: { email: "test@example.com", group_ids: [group.id] }
expect(response.status).to eq(403)
end
it "fails for other users" do
sign_in(user)
post "/invites.json", params: { email: "test@example.com", group_ids: [group.id] }
expect(response.status).to eq(403)
end
it "fails to invite new user to a group-private topic" do
sign_in(user)
private_category = Fabricate(:private_category, group: group)
group_private_topic = Fabricate(:topic, category: private_category)
post "/invites.json",
params: {
email: "test@example.com",
topic_id: group_private_topic.id,
}
expect(response.status).to eq(403)
end
end
context "with email invite" do
subject(:create_invite) { post "/invites.json", params: params }
let(:params) { { email: email } }
let(:email) { "test@example.com" }
before { sign_in(user) }
context "when doing successive calls" do
let(:invite) { Invite.last }
it "creates invite once and updates it after" do
create_invite
expect(response).to have_http_status :ok
expect(Jobs::InviteEmail.jobs.size).to eq(1)
create_invite
expect(response).to have_http_status :ok
expect(response.parsed_body["id"]).to eq(invite.id)
end
end
context 'when "skip_email" parameter is provided' do
before { params[:skip_email] = true }
it "accepts the parameter" do
create_invite
expect(response).to have_http_status :ok
expect(Jobs::InviteEmail.jobs.size).to eq(0)
end
end
context "when validations fail" do
let(:email) { "test@mailinator.com" }
it "fails" do
create_invite
expect(response).to have_http_status :unprocessable_entity
expect(response.parsed_body["errors"]).to be_present
end
end
context "when providing an email belonging to an existing user" do
let(:email) { user.email }
before { SiteSetting.hide_email_address_taken = hide_email_address_taken }
context 'when "hide_email_address_taken" setting is disabled' do
let(:hide_email_address_taken) { false }
it "returns an error" do
create_invite
expect(response).to have_http_status :unprocessable_entity
expect(body).to match(/no need to invite/)
end
end
context 'when "hide_email_address_taken" setting is enabled' do
let(:hide_email_address_taken) { true }
it "doesnt inform the user" do
create_invite
expect(response).to have_http_status :unprocessable_entity
expect(body).to match(/There was a problem with your request./)
end
end
end
end
context "with link invite" do
it "works" do
sign_in(admin)
post "/invites.json"
expect(response.status).to eq(200)
expect(Invite.last.email).to eq(nil)
expect(Invite.last.invited_by).to eq(admin)
expect(Invite.last.max_redemptions_allowed).to eq(1)
end
it "fails if over invite_link_max_redemptions_limit" do
sign_in(admin)
post "/invites.json",
params: {
max_redemptions_allowed: SiteSetting.invite_link_max_redemptions_limit - 1,
}
expect(response.status).to eq(200)
post "/invites.json",
params: {
max_redemptions_allowed: SiteSetting.invite_link_max_redemptions_limit + 1,
}
expect(response.status).to eq(422)
end
it "fails if over invite_link_max_redemptions_limit_users" do
sign_in(user)
post "/invites.json",
params: {
max_redemptions_allowed: SiteSetting.invite_link_max_redemptions_limit_users - 1,
}
expect(response.status).to eq(200)
post "/invites.json",
params: {
max_redemptions_allowed: SiteSetting.invite_link_max_redemptions_limit_users + 1,
}
expect(response.status).to eq(422)
end
end
end
describe "#retrieve" do
it "requires to be logged in" do
get "/invites/retrieve.json", params: { email: "test@example.com" }
expect(response.status).to eq(403)
end
context "while logged in" do
before { sign_in(user) }
fab!(:invite) { Fabricate(:invite, invited_by: user, email: "test@example.com") }
it "raises an error when the email is missing" do
get "/invites/retrieve.json"
expect(response.status).to eq(400)
end
it "raises an error when the email cannot be found" do
get "/invites/retrieve.json", params: { email: "test2@example.com" }
expect(response.status).to eq(400)
end
it "can retrieve the invite" do
get "/invites/retrieve.json", params: { email: "test@example.com" }
expect(response.status).to eq(200)
end
end
end
describe "#update" do
fab!(:invite) { Fabricate(:invite, invited_by: admin, email: "test@example.com") }
it "requires to be logged in" do
put "/invites/#{invite.id}", params: { email: "test2@example.com" }
expect(response.status).to eq(400)
end
context "while logged in" do
before { sign_in(admin) }
it "resends invite email if updating email address" do
put "/invites/#{invite.id}", params: { email: "test2@example.com" }
expect(response.status).to eq(200)
expect(Jobs::InviteEmail.jobs.size).to eq(1)
end
it "does not resend invite email if skip_email if updating email address" do
put "/invites/#{invite.id}", params: { email: "test2@example.com", skip_email: true }
expect(response.status).to eq(200)
expect(Jobs::InviteEmail.jobs.size).to eq(0)
end
it "does not resend invite email when updating other fields" do
put "/invites/#{invite.id}", params: { custom_message: "new message" }
expect(response.status).to eq(200)
expect(invite.reload.custom_message).to eq("new message")
expect(Jobs::InviteEmail.jobs.size).to eq(0)
end
it "cannot create duplicated invites" do
Fabricate(:invite, invited_by: admin, email: "test2@example.com")
put "/invites/#{invite.id}.json", params: { email: "test2@example.com" }
expect(response.status).to eq(409)
end
describe "rate limiting" do
before { RateLimiter.enable }
use_redis_snapshotting
it "can send invite email" do
sign_in(user)
invite = Fabricate(:invite, invited_by: user, email: "test@example.com")
expect { put "/invites/#{invite.id}", params: { send_email: true } }.to change {
RateLimiter.new(user, "resend-invite-per-hour", 10, 1.hour).remaining
}.by(-1)
expect(response.status).to eq(200)
expect(Jobs::InviteEmail.jobs.size).to eq(1)
end
end
context "when providing an email belonging to an existing user" do
subject(:update_invite) { put "/invites/#{invite.id}.json", params: { email: admin.email } }
before { SiteSetting.hide_email_address_taken = hide_email_address_taken }
context "when 'hide_email_address_taken' setting is disabled" do
let(:hide_email_address_taken) { false }
it "returns an error" do
update_invite
expect(response).to have_http_status :unprocessable_entity
expect(body).to match(/no need to invite/)
end
end
context "when 'hide_email_address_taken' setting is enabled" do
let(:hide_email_address_taken) { true }
it "doesn't inform the user" do
update_invite
expect(response).to have_http_status :unprocessable_entity
expect(body).to match(/There was a problem with your request./)
end
end
end
end
end
describe "#destroy" do
it "requires to be logged in" do
delete "/invites.json", params: { email: "test@example.com" }
expect(response.status).to eq(403)
end
context "while logged in" do
fab!(:invite) { Fabricate(:invite, invited_by: user) }
before { sign_in(user) }
it "raises an error when id is missing" do
delete "/invites.json"
expect(response.status).to eq(400)
end
it "raises an error when invite does not exist" do
delete "/invites.json", params: { id: 848 }
expect(response.status).to eq(400)
end
it "raises an error when invite is not created by user" do
another_invite = Fabricate(:invite, email: "test2@example.com")
delete "/invites.json", params: { id: another_invite.id }
expect(response.status).to eq(400)
end
it "destroys the invite" do
delete "/invites.json", params: { id: invite.id }
expect(response.status).to eq(200)
expect(invite.reload.trashed?).to be_truthy
end
end
end
describe "#perform_accept_invitation" do
context "with an invalid invite" do
it "redirects to the root" do
put "/invites/show/doesntexist.json"
expect(response.status).to eq(404)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.not_found_json"))
expect(session[:current_user_id]).to be_blank
end
end
context "with a deleted invite" do
fab!(:invite) { Fabricate(:invite) }
before { invite.trash! }
it "redirects to the root" do
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(404)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.not_found_json"))
expect(session[:current_user_id]).to be_blank
end
end
context "with an expired invite" do
fab!(:invite) { Fabricate(:invite, expires_at: 1.day.ago) }
it "response is not successful" do
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(404)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.not_found_json"))
expect(session[:current_user_id]).to be_blank
end
end
context "with an email invite" do
let(:topic) { Fabricate(:topic) }
let(:invite) { Invite.generate(topic.user, email: "iceking@adventuretime.ooo", topic: topic) }
it "redeems the invite" do
put "/invites/show/#{invite.invite_key}.json"
expect(invite.reload.redeemed?).to be_truthy
end
it "logs in the user" do
events =
DiscourseEvent.track_events do
put "/invites/show/#{invite.invite_key}.json",
params: {
email_token: invite.email_token,
}
end
expect(events.map { |event| event[:event_name] }).to include(
:user_logged_in,
:user_first_logged_in,
)
expect(response.status).to eq(200)
expect(session[:current_user_id]).to eq(invite.invited_users.first.user_id)
expect(invite.reload.redeemed?).to be_truthy
user = User.find(invite.invited_users.first.user_id)
expect(user.ip_address).to be_present
expect(user.registration_ip_address).to be_present
end
it "redirects to the first topic the user was invited to" do
put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token }
expect(response.status).to eq(200)
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
end
it "sets the timezone of the user in user_options" do
put "/invites/show/#{invite.invite_key}.json", params: { timezone: "Australia/Melbourne" }
expect(response.status).to eq(200)
invite.reload
user = User.find(invite.invited_users.first.user_id)
expect(user.user_option.timezone).to eq("Australia/Melbourne")
end
it "does not log in the user if there are validation errors" do
put "/invites/show/#{invite.invite_key}.json", params: { password: "password" }
expect(response.status).to eq(412)
expect(session[:current_user_id]).to eq(nil)
end
it "does not log in the user if they were not approved" do
SiteSetting.must_approve_users = true
put "/invites/show/#{invite.invite_key}.json",
params: {
password: SecureRandom.hex,
email_token: invite.email_token,
}
expect(session[:current_user_id]).to eq(nil)
expect(response.parsed_body["message"]).to eq(I18n.t("activation.approval_required"))
end
it "does not log in the user if they were not activated" do
put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex }
expect(session[:current_user_id]).to eq(nil)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.confirm_email"))
end
it "fails when local login is disabled and no external auth is configured" do
SiteSetting.enable_local_logins = false
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(404)
end
context "with OmniAuth provider" do
fab!(:authenticated_email) { "test@example.com" }
before do
OmniAuth.config.test_mode = true
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
provider: "google_oauth2",
uid: "12345",
info: OmniAuth::AuthHash::InfoHash.new(email: authenticated_email, name: "First Last"),
extra: {
raw_info:
OmniAuth::AuthHash.new(
email_verified: true,
email: authenticated_email,
family_name: "Last",
given_name: "First",
gender: "male",
name: "First Last",
),
},
)
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
SiteSetting.enable_google_oauth2_logins = true
get "/auth/google_oauth2/callback.json"
expect(response.status).to eq(302)
end
after do
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[
:google_oauth2
] = nil
OmniAuth.config.test_mode = false
end
it "should associate the invited user with authenticator records" do
SiteSetting.auth_overrides_name = true
invite.update!(email: authenticated_email)
expect {
put "/invites/show/#{invite.invite_key}.json", params: { name: "somename" }
}.to change { User.with_email(authenticated_email).exists? }.to(true)
expect(response.status).to eq(200)
user = User.find_by_email(authenticated_email)
expect(user.name).to eq("First Last")
expect(user.user_associated_accounts.first.provider_name).to eq("google_oauth2")
end
it "returns the right response even if local logins has been disabled" do
SiteSetting.enable_local_logins = false
invite.update!(email: authenticated_email)
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(200)
end
it "returns the right response if authenticated email does not match invite email" do
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(412)
end
end
describe ".post_process_invite" do
it "sends a welcome message if set" do
SiteSetting.send_welcome_message = true
user.send_welcome_message = true
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(200)
expect(Jobs::SendSystemMessage.jobs.size).to eq(1)
end
it "refreshes automatic groups if staff" do
topic.user.grant_admin!
invite.update!(moderator: true)
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(200)
expect(invite.invited_users.first.user.groups.pluck(:name)).to contain_exactly(
"moderators",
"staff",
)
end
context "without password" do
it "sends password reset email" do
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(200)
expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(1)
expect(Jobs::CriticalUserEmail.jobs.size).to eq(0)
end
end
context "with password" do
context "when user was invited via email" do
before { invite.update_column(:emailed_status, Invite.emailed_status_types[:pending]) }
it "does not send an activation email and activates the user" do
expect do
put "/invites/show/#{invite.invite_key}.json",
params: {
password: "verystrongpassword",
email_token: invite.email_token,
}
end.to change { UserAuthToken.count }.by(1)
expect(response.status).to eq(200)
expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(0)
expect(Jobs::CriticalUserEmail.jobs.size).to eq(0)
invited_user = User.find_by_email(invite.email)
expect(invited_user.active).to eq(true)
expect(invited_user.email_confirmed?).to eq(true)
end
it "does not activate user if email token is missing" do
expect do
put "/invites/show/#{invite.invite_key}.json",
params: {
password: "verystrongpassword",
}
end.not_to change { UserAuthToken.count }
expect(response.status).to eq(200)
expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(0)
expect(Jobs::CriticalUserEmail.jobs.size).to eq(1)
invited_user = User.find_by_email(invite.email)
expect(invited_user.active).to eq(false)
expect(invited_user.email_confirmed?).to eq(false)
end
end
context "when user was invited via link" do
before do
invite.update_column(:emailed_status, Invite.emailed_status_types[:not_required])
end
it "sends an activation email and does not activate the user" do
expect do
put "/invites/show/#{invite.invite_key}.json",
params: {
password: "verystrongpassword",
}
end.not_to change { UserAuthToken.count }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.confirm_email"))
invited_user = User.find_by_email(invite.email)
expect(invited_user.active).to eq(false)
expect(invited_user.email_confirmed?).to eq(false)
expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(0)
expect(Jobs::CriticalUserEmail.jobs.size).to eq(1)
tokens = EmailToken.where(user_id: invited_user.id, confirmed: false, expired: false)
expect(tokens.size).to eq(1)
job_args = Jobs::CriticalUserEmail.jobs.first["args"].first
expect(job_args["type"]).to eq("signup")
expect(job_args["user_id"]).to eq(invited_user.id)
expect(EmailToken.hash_token(job_args["email_token"])).to eq(tokens.first.token_hash)
end
end
end
end
end
context "with a domain invite" do
fab!(:invite) do
Fabricate(
:invite,
email: nil,
emailed_status: Invite.emailed_status_types[:not_required],
domain: "example.com",
)
end
it "creates an user if email matches domain" do
expect {
put "/invites/show/#{invite.invite_key}.json",
params: {
email: "test@example.com",
password: "verystrongpassword",
}
}.to change { User.count }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.confirm_email"))
expect(invite.reload.redemption_count).to eq(1)
invited_user = User.find_by_email("test@example.com")
expect(invited_user).to be_present
end
it "does not create an user if email does not match domain" do
expect {
put "/invites/show/#{invite.invite_key}.json",
params: {
email: "test@example2.com",
password: "verystrongpassword",
}
}.not_to change { User.count }
expect(response.status).to eq(412)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.domain_not_allowed"))
expect(invite.reload.redemption_count).to eq(0)
end
end
context "with an invite link" do
fab!(:invite) do
Fabricate(:invite, email: nil, emailed_status: Invite.emailed_status_types[:not_required])
end
it "does not create multiple users for a single use invite" do
user_count = User.count
2
.times
.map do
Thread.new do
put "/invites/show/#{invite.invite_key}.json",
params: {
email: "test@example.com",
password: "verystrongpassword",
}
end
end
.each(&:join)
expect(invite.reload.max_redemptions_allowed).to eq(1)
expect(invite.reload.redemption_count).to eq(1)
expect(User.count).to eq(user_count + 1)
end
it "sends an activation email and does not activate the user" do
expect {
put "/invites/show/#{invite.invite_key}.json",
params: {
email: "test@example.com",
password: "verystrongpassword",
}
}.not_to change { UserAuthToken.count }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.confirm_email"))
expect(invite.reload.redemption_count).to eq(1)
invited_user = User.find_by_email("test@example.com")
expect(invited_user.active).to eq(false)
expect(invited_user.email_confirmed?).to eq(false)
expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(0)
expect(Jobs::CriticalUserEmail.jobs.size).to eq(1)
tokens = EmailToken.where(user_id: invited_user.id, confirmed: false, expired: false)
expect(tokens.size).to eq(1)
job_args = Jobs::CriticalUserEmail.jobs.first["args"].first
expect(job_args["type"]).to eq("signup")
expect(job_args["user_id"]).to eq(invited_user.id)
expect(EmailToken.hash_token(job_args["email_token"])).to eq(tokens.first.token_hash)
end
it "does not automatically log in the user if their email matches an existing user's and shows an error" do
Fabricate(:user, email: "test@example.com")
put "/invites/show/#{invite.invite_key}.json",
params: {
email: "test@example.com",
password: "verystrongpassword",
}
expect(session[:current_user_id]).to be_blank
expect(response.status).to eq(412)
expect(response.parsed_body["message"]).to include("Primary email has already been taken")
expect(invite.reload.redemption_count).to eq(0)
end
it "does not automatically log in the user if their email matches an existing admin's and shows an error" do
Fabricate(:admin, email: "test@example.com")
put "/invites/show/#{invite.invite_key}.json",
params: {
email: "test@example.com",
password: "verystrongpassword",
}
expect(session[:current_user_id]).to be_blank
expect(response.status).to eq(412)
expect(response.parsed_body["message"]).to include("Primary email has already been taken")
expect(invite.reload.redemption_count).to eq(0)
end
end
context "when new registrations are disabled" do
fab!(:topic) { Fabricate(:topic) }
fab!(:invite) { Invite.generate(topic.user, email: "test@example.com", topic: topic) }
before { SiteSetting.allow_new_registrations = false }
it "does not redeem the invite" do
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(200)
expect(invite.reload.invited_users).to be_blank
expect(invite.redeemed?).to be_falsey
expect(response.body).to include(I18n.t("login.new_registrations_disabled"))
end
end
context "when user is already logged in" do
before { sign_in(user) }
context "for an email invite" do
fab!(:invite) { Fabricate(:invite, email: "test@example.com") }
fab!(:user) { Fabricate(:user, email: "test@example.com") }
fab!(:group) { Fabricate(:group) }
it "redeems the invitation and creates the invite accepted notification" do
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success"))
invite.reload
expect(invite.invited_users.first.user).to eq(user)
expect(invite.redeemed?).to be_truthy
expect(
Notification.exists?(
user: invite.invited_by,
notification_type: Notification.types[:invitee_accepted],
),
).to eq(true)
end
it "redirects to the first topic the user was invited to and creates the topic notification" do
topic = Fabricate(:topic)
TopicInvite.create!(invite: invite, topic: topic)
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
end
it "adds the user to the private topic" do
topic = Fabricate(:private_message_topic)
TopicInvite.create!(invite: invite, topic: topic)
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
expect(TopicAllowedUser.exists?(user: user, topic: topic)).to eq(true)
end
it "adds the user to the groups specified on the invite and allows them to access the secure topic" do
group.add_owner(invite.invited_by)
secured_category = Fabricate(:category)
secured_category.permissions = { group.name => :full }
secured_category.save!
topic = Fabricate(:topic, category: secured_category)
TopicInvite.create!(invite: invite, topic: topic)
InvitedGroup.create!(invite: invite, group: group)
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success"))
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
invite.reload
expect(invite.redeemed?).to be_truthy
expect(user.reload.groups).to include(group)
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
end
it "does not try to log in the user automatically" do
expect do
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
end.not_to change { UserAuthToken.count }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success"))
end
it "errors if the user's email doesn't match the invite email" do
user.update!(email: "blah@test.com")
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(412)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.not_matching_email"))
end
it "errors if the user's email domain doesn't match the invite domain" do
user.update!(email: "blah@test.com")
invite.update!(email: nil, domain: "example.com")
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(412)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.domain_not_allowed"))
end
end
context "for an invite link" do
fab!(:invite) { Fabricate(:invite, email: nil) }
fab!(:user) { Fabricate(:user, email: "test@example.com") }
fab!(:group) { Fabricate(:group) }
it "redeems the invitation and creates the invite accepted notification" do
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success"))
invite.reload
expect(invite.invited_users.first.user).to eq(user)
expect(invite.redeemed?).to be_truthy
expect(
Notification.exists?(
user: invite.invited_by,
notification_type: Notification.types[:invitee_accepted],
),
).to eq(true)
end
it "redirects to the first topic the user was invited to and creates the topic notification" do
topic = Fabricate(:topic)
TopicInvite.create!(invite: invite, topic: topic)
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
end
it "adds the user to the groups specified on the invite and allows them to access the secure topic" do
group.add_owner(invite.invited_by)
secured_category = Fabricate(:category)
secured_category.permissions = { group.name => :full }
secured_category.save!
topic = Fabricate(:topic, category: secured_category)
TopicInvite.create!(invite: invite, topic: topic)
InvitedGroup.create!(invite: invite, group: group)
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success"))
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
invite.reload
expect(invite.redeemed?).to be_truthy
expect(user.reload.groups).to include(group)
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
end
it "does not try to log in the user automatically" do
expect do
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
end.not_to change { UserAuthToken.count }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success"))
end
end
end
context "with topic invites" do
fab!(:invite) { Fabricate(:invite, email: "test@example.com") }
fab!(:secured_category) do
secured_category = Fabricate(:category)
secured_category.permissions = { staff: :full }
secured_category.save!
secured_category
end
it "redirects user to topic if activated" do
topic = Fabricate(:topic)
TopicInvite.create!(invite: invite, topic: topic)
put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token }
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
end
it "sets destination_url cookie if user is not activated" do
topic = Fabricate(:topic)
TopicInvite.create!(invite: invite, topic: topic)
put "/invites/show/#{invite.invite_key}.json"
expect(cookies["destination_url"]).to eq(topic.relative_url)
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
end
it "does not redirect user if they cannot see topic" do
topic = Fabricate(:topic, category: secured_category)
TopicInvite.create!(invite: invite, topic: topic)
put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token }
expect(response.parsed_body["redirect_to"]).to eq("/")
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(0)
end
end
context "with staged user" do
fab!(:invite) { Fabricate(:invite) }
fab!(:staged_user) { Fabricate(:user, staged: true, email: invite.email) }
it "can keep the old username" do
old_username = staged_user.username
put "/invites/show/#{invite.invite_key}.json",
params: {
username: staged_user.username,
password: "Password123456",
email_token: invite.email_token,
}
expect(response.status).to eq(200)
expect(invite.reload.redeemed?).to be_truthy
user = invite.invited_users.first.user
expect(user.username).to eq(old_username)
end
it "can change the username" do
put "/invites/show/#{invite.invite_key}.json",
params: {
username: "new_username",
password: "Password123456",
email_token: invite.email_token,
}
expect(response.status).to eq(200)
expect(invite.reload.redeemed?).to be_truthy
user = invite.invited_users.first.user
expect(user.username).to eq("new_username")
end
end
end
describe "#destroy_all_expired" do
it "removes all expired invites sent by a user" do
SiteSetting.invite_expiry_days = 1
user = Fabricate(:admin)
invite_1 = Fabricate(:invite, invited_by: user)
invite_2 = Fabricate(:invite, invited_by: user)
expired_invite = Fabricate(:invite, invited_by: user)
expired_invite.update!(expires_at: 2.days.ago)
sign_in(user)
post "/invites/destroy-all-expired"
expect(response.status).to eq(200)
expect(invite_1.reload.deleted_at).to eq(nil)
expect(invite_2.reload.deleted_at).to eq(nil)
expect(expired_invite.reload.deleted_at).to be_present
end
end
describe "#resend_invite" do
it "requires to be logged in" do
post "/invites/reinvite.json", params: { email: "first_name@example.com" }
expect(response.status).to eq(403)
end
context "while logged in" do
fab!(:user) { sign_in(Fabricate(:user)) }
fab!(:invite) { Fabricate(:invite, invited_by: user) }
fab!(:another_invite) { Fabricate(:invite, email: "last_name@example.com") }
it "raises an error when the email is missing" do
post "/invites/reinvite.json"
expect(response.status).to eq(400)
end
it "raises an error when the email cannot be found" do
post "/invites/reinvite.json", params: { email: "first_name@example.com" }
expect(response.status).to eq(400)
end
it "raises an error when the invite is not yours" do
post "/invites/reinvite.json", params: { email: another_invite.email }
expect(response.status).to eq(400)
end
it "resends the invite" do
post "/invites/reinvite.json", params: { email: invite.email }
expect(response.status).to eq(200)
expect(Jobs::InviteEmail.jobs.size).to eq(1)
end
end
end
describe "#resend_all_invites" do
let(:admin) { Fabricate(:admin) }
before do
SiteSetting.invite_expiry_days = 30
RateLimiter.enable
end
use_redis_snapshotting
it "resends all non-redeemed invites by a user" do
freeze_time
new_invite = Fabricate(:invite, invited_by: admin)
expired_invite = Fabricate(:invite, invited_by: admin)
expired_invite.update!(expires_at: 2.days.ago)
redeemed_invite = Fabricate(:invite, invited_by: admin)
Fabricate(:invited_user, invite: redeemed_invite, user: Fabricate(:user))
redeemed_invite.update!(expires_at: 5.days.ago)
sign_in(admin)
post "/invites/reinvite-all"
expect(response.status).to eq(200)
expect(new_invite.reload.expires_at).to eq_time(30.days.from_now)
expect(expired_invite.reload.expires_at).to eq_time(2.days.ago)
expect(redeemed_invite.reload.expires_at).to eq_time(5.days.ago)
end
it "errors if admins try to exceed limit of one bulk invite per day" do
sign_in(admin)
start = Time.now
freeze_time(start)
post "/invites/reinvite-all"
expect(response.parsed_body["errors"]).to_not be_present
freeze_time(start + 10.minutes)
post "/invites/reinvite-all"
expect(response.parsed_body["errors"][0]).to eq(I18n.t("rate_limiter.slow_down"))
end
end
describe "#upload_csv" do
it "requires to be logged in" do
post "/invites/upload_csv.json"
expect(response.status).to eq(403)
end
context "while logged in" do
let(:csv_file) { File.new("#{Rails.root}/spec/fixtures/csv/discourse.csv") }
let(:file) { Rack::Test::UploadedFile.new(File.open(csv_file)) }
let(:csv_file_with_headers) do
File.new("#{Rails.root}/spec/fixtures/csv/discourse_headers.csv")
end
let(:file_with_headers) { Rack::Test::UploadedFile.new(File.open(csv_file_with_headers)) }
let(:csv_file_with_locales) do
File.new("#{Rails.root}/spec/fixtures/csv/invites_with_locales.csv")
end
let(:file_with_locales) { Rack::Test::UploadedFile.new(File.open(csv_file_with_locales)) }
it "fails if you cannot bulk invite to the forum" do
sign_in(Fabricate(:user))
post "/invites/upload_csv.json", params: { file: file, name: "discourse.csv" }
expect(response.status).to eq(403)
end
it "allows admin to bulk invite" do
sign_in(admin)
post "/invites/upload_csv.json", params: { file: file, name: "discourse.csv" }
expect(response.status).to eq(200)
expect(Jobs::BulkInvite.jobs.size).to eq(1)
end
2019-06-12 17:05:21 +08:00
it "allows admin to bulk invite when DiscourseConnect enabled" do
SiteSetting.discourse_connect_url = "https://example.com"
SiteSetting.enable_discourse_connect = true
sign_in(admin)
post "/invites/upload_csv.json", params: { file: file, name: "discourse.csv" }
expect(response.status).to eq(200)
expect(Jobs::BulkInvite.jobs.size).to eq(1)
end
it "sends limited invites at a time" do
2019-06-12 17:05:21 +08:00
SiteSetting.max_bulk_invites = 3
sign_in(admin)
post "/invites/upload_csv.json", params: { file: file, name: "discourse.csv" }
2019-06-12 17:05:21 +08:00
expect(response.status).to eq(422)
expect(Jobs::BulkInvite.jobs.size).to eq(1)
expect(response.parsed_body["errors"][0]).to eq(
I18n.t("bulk_invite.max_rows", max_bulk_invites: SiteSetting.max_bulk_invites),
)
2019-06-12 17:05:21 +08:00
end
it "can import user fields" do
Jobs.run_immediately!
user_field = Fabricate(:user_field, name: "location")
Fabricate(:group, name: "discourse")
Fabricate(:group, name: "ubuntu")
sign_in(admin)
post "/invites/upload_csv.json",
params: {
file: file_with_headers,
name: "discourse_headers.csv",
}
expect(response.status).to eq(200)
user = User.where(staged: true).find_by_email("test@example.com")
expect(user.user_fields[user_field.id.to_s]).to eq("usa")
user2 = User.where(staged: true).find_by_email("test2@example.com")
expect(user2.user_fields[user_field.id.to_s]).to eq("europe")
end
it "can pre-set user locales" do
Jobs.run_immediately!
sign_in(admin)
post "/invites/upload_csv.json",
params: {
file: file_with_locales,
name: "discourse_headers.csv",
}
expect(response.status).to eq(200)
user = User.where(staged: true).find_by_email("test@example.com")
expect(user.locale).to eq("de")
user2 = User.where(staged: true).find_by_email("test2@example.com")
expect(user2.locale).to eq("pl")
end
end
end
end