Check honeypot/challenge value on activation too

This commit is contained in:
Robin Ward 2014-07-15 14:07:19 -04:00
parent 3eb0afe29b
commit 4f416bf6ce
4 changed files with 37 additions and 13 deletions


@ -283,6 +283,7 @@ class UsersController < ApplicationController
end
def perform_account_activation
raise Discourse::InvalidAccess.new if honeypot_or_challenge_fails?(params)
if @user = EmailToken.confirm(params[:token])
# Log in the user unless they need to be approved
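Review bot: The new guard on the `raise` line instantiates the exception by hand; the idiomatic form passes the class and lets `raise` build it, `raise Discourse::InvalidAccess if honeypot_or_challenge_fails?(params)`. Placing the check before `EmailToken.confirm` is the right order, since a request that fails the honeypot then never consumes the token. `honeypot_or_challenge_fails?` is not defined in this hunk, so its handling of a missing `challenge` or `password_confirmation` parameter cannot be confirmed here and is worth a one-line comment above the guard naming what it compares. perform_account_activation continues past the end of the hunk.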


@ -6,6 +6,7 @@
<meta name="description" content="">
<%= render partial: "layouts/head" %>
<%= raw SiteContent.content_for(:head) %>
<%= yield(:no_js_head) %>
</head>
<body>
<%- unless customization_disabled? %>


@ -1,26 +1,40 @@
<div id='simple-container'>
<h2><%= t 'activation.welcome_to', site_name: SiteSetting.title %></h2>
<br/>
<button class='btn' id='activate-account-button'><%= t 'activation.action' %></button>
<%= form_tag(perform_activate_account_path, method: :put, id: 'activate-account-form') do %>
<%= hidden_field_tag 'password_confirmation' %>
<%= hidden_field_tag 'challenge' %>
<% end %>
</div>
<%- content_for(:no_js_head) do %>
<%= script "vendor" %>
<%- end %>
<script language="javascript">
(function() {
var t1 = new Date().getTime(),
button = document.getElementById('activate-account-button'),
form = document.getElementById('activate-account-form');
function activateAccount() {
$('#activate-account-button').prop('disabled', true);
$.ajax("/users/hp").then(function(hp) {
$('#password_confirmation').val(hp.value);
$('#challenge').val(hp.challenge.split("").reverse().join(""));
$('#activate-account-form').submit();
}).fail(function() {
$('#activate-account-button').prop('disabled', false);
console.log('test');
});
}
button.addEventListener('click', function() {
var diff = new Date().getTime() - t1;
var t0 = new Date().getTime();
$('#activate-account-button').on('click', function() {
var diff = new Date().getTime() - t0;
// Ensure the form has been visible for a few ms before allowing the
// user to submit.
if (diff > 50) {
form.submit();
activateAccount();
}
});
})();
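Review bot: The `.fail` handler in activateAccount leaves a debugging statement, `console.log('test');`, and gives the user no indication that activation did not happen; the button is silently re-enabled. Drop the log line and surface the failure, e.g. replace it with `alert(<%= t('activation.action').to_json %> + ' failed');` or, at minimum, a log message that names the request (`console.log('/users/hp request failed');`). The form is built from the `perform_activate_account_path` helper while the AJAX call uses the literal `"/users/hp"`, so the two will diverge if the site is served under a subfolder; interpolating the route helper keeps them consistent. `<script language="javascript">` uses a deprecated attribute and can be plain `<script>`. The closing `</script>` tag lies outside the hunk.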


@ -2,11 +2,6 @@ require 'spec_helper'
describe UsersController do
before do
UsersController.any_instance.stubs(:honeypot_value).returns(nil)
UsersController.any_instance.stubs(:challenge_value).returns(nil)
end
describe '.show' do
let!(:user) { log_in }
@ -78,6 +73,10 @@ describe UsersController do
end
describe '.activate_account' do
before do
UsersController.any_instance.stubs(:honeypot_or_challenge_fails?).returns(false)
end
context 'invalid token' do
before do
EmailToken.expects(:confirm).with('asdfasdf').returns(nil)
@ -112,7 +111,14 @@ describe UsersController do
user.expects(:enqueue_welcome_message).with('welcome_user').never
put :perform_account_activation, token: 'asdfasdf'
end
end
context "honeypot" do
it "raises an error if the honeypot is invalid" do
UsersController.any_instance.stubs(:honeypot_or_challenge_fails?).returns(true)
put :perform_account_activation, token: 'asdfasdf'
response.should_not be_success
end
end
context 'response' do
@ -137,7 +143,6 @@ describe UsersController do
it "doesn't set @needs_approval" do
assigns[:needs_approval].should be_blank
end
end
context 'user is not approved' do
@ -268,7 +273,10 @@ describe UsersController do
end
describe '#create' do
before do
UsersController.any_instance.stubs(:honeypot_value).returns(nil)
UsersController.any_instance.stubs(:challenge_value).returns(nil)
SiteSetting.stubs(:allow_new_registrations).returns(true)
@user = Fabricate.build(:user)
@user.password = "strongpassword"