# frozen_string_literal: true RSpec.describe InvitesController do fab!(:admin) fab!(:user) { Fabricate(:user, trust_level: TrustLevel[2]) } describe "#show" do fab!(:invite) it "shows the accept invite page" do get "/invites/#{invite.invite_key}" expect(response.status).to eq(200) expect(response.body).to have_tag( :script, with: { "data-discourse-entrypoint" => "discourse", }, ) expect(response.body).not_to include(invite.email) expect(response.body).to_not include( I18n.t( "invite.not_found_template", site_name: SiteSetting.title, base_url: Discourse.base_url, ), ) expect(response.body).to have_tag("div#data-preloaded") do |element| json = JSON.parse(element.current_scope.attribute("data-preloaded").value) invite_info = JSON.parse(json["invite_info"]) expect(invite_info["username"]).to eq("") expect(invite_info["email"]).to eq("i*****g@a***********e.ooo") end end context "when email data is present in authentication data" do let(:store) { ActionDispatch::Session::CookieStore.new({}) } let(:session_stub) do ActionDispatch::Request::Session.create(store, ActionDispatch::TestRequest.create, {}) end before do session_stub[:authentication] = { email: invite.email } ActionDispatch::Request.any_instance.stubs(:session).returns(session_stub) end it "shows unobfuscated email" do get "/invites/#{invite.invite_key}" expect(response.status).to eq(200) expect(response.body).to_not have_tag(:body, with: { class: "no-ember" }) expect(response.body).to include(invite.email) expect(response.body).not_to include("i*****g@a***********e.ooo") end end it "shows default user fields" do user_field = Fabricate(:user_field) staged_user = Fabricate(:user, staged: true, email: invite.email) staged_user.set_user_field(user_field.id, "some value") staged_user.save_custom_fields get "/invites/#{invite.invite_key}" expect(response.body).to have_tag("div#data-preloaded") do |element| json = JSON.parse(element.current_scope.attribute("data-preloaded").value) invite_info = JSON.parse(json["invite_info"]) expect(invite_info["username"]).to eq(staged_user.username) expect(invite_info["user_fields"][user_field.id.to_s]).to eq("some value") end end it "includes token validity boolean" do get "/invites/#{invite.invite_key}" expect(response.body).to have_tag("div#data-preloaded") do |element| json = JSON.parse(element.current_scope.attribute("data-preloaded").value) invite_info = JSON.parse(json["invite_info"]) expect(invite_info["email_verified_by_link"]).to eq(false) end get "/invites/#{invite.invite_key}?t=#{invite.email_token}" expect(response.body).to have_tag("div#data-preloaded") do |element| json = JSON.parse(element.current_scope.attribute("data-preloaded").value) invite_info = JSON.parse(json["invite_info"]) expect(invite_info["email_verified_by_link"]).to eq(true) end end describe "logged in user viewing an invite" do fab!(:group) before { sign_in(user) } it "shows the accept invite page when user's email matches the invite email" do invite.update_columns(email: user.email) get "/invites/#{invite.invite_key}" expect(response.status).to eq(200) expect(response.body).to_not have_tag(:body, with: { class: "no-ember" }) expect(response.body).not_to include( I18n.t( "invite.not_found_template", site_name: SiteSetting.title, base_url: Discourse.base_url, ), ) expect(response.body).to have_tag("div#data-preloaded") do |element| json = JSON.parse(element.current_scope.attribute("data-preloaded").value) invite_info = JSON.parse(json["invite_info"]) expect(invite_info["username"]).to eq(user.username) expect(invite_info["email"]).to eq(user.email) expect(invite_info["existing_user_id"]).to eq(user.id) expect(invite_info["existing_user_can_redeem"]).to eq(true) end end it "shows the accept invite page when user's email domain matches the domain an invite link is restricted to" do invite.update!(email: nil, domain: "discourse.org") user.update!(email: "someguy@discourse.org") get "/invites/#{invite.invite_key}" expect(response.status).to eq(200) expect(response.body).to_not have_tag(:body, with: { class: "no-ember" }) expect(response.body).not_to include( I18n.t( "invite.not_found_template", site_name: SiteSetting.title, base_url: Discourse.base_url, ), ) expect(response.body).to have_tag("div#data-preloaded") do |element| json = JSON.parse(element.current_scope.attribute("data-preloaded").value) invite_info = JSON.parse(json["invite_info"]) expect(invite_info["username"]).to eq(user.username) expect(invite_info["email"]).to eq(user.email) expect(invite_info["existing_user_id"]).to eq(user.id) expect(invite_info["existing_user_can_redeem"]).to eq(true) end end it "does not allow the user to accept the invite when their email domain does not match the domain of the invite" do user.update!(email: "someguy@discourse.com") invite.update!(email: nil, domain: "discourse.org") get "/invites/#{invite.invite_key}" expect(response.status).to eq(200) expect(response.body).to have_tag("div#data-preloaded") do |element| json = JSON.parse(element.current_scope.attribute("data-preloaded").value) invite_info = JSON.parse(json["invite_info"]) expect(invite_info["existing_user_can_redeem"]).to eq(false) expect(invite_info["existing_user_can_redeem_error"]).to eq( I18n.t("invite.existing_user_cannot_redeem"), ) end end it "does not allow the user to accept the invite when their email does not match the invite" do invite.update_columns(email: "notuseremail@discourse.org") get "/invites/#{invite.invite_key}" expect(response.status).to eq(200) expect(response.body).to have_tag("div#data-preloaded") do |element| json = JSON.parse(element.current_scope.attribute("data-preloaded").value) invite_info = JSON.parse(json["invite_info"]) expect(invite_info["existing_user_can_redeem"]).to eq(false) end end it "does not allow the user to accept the invite when a multi-use invite link has already been redeemed by the user" do invite.update!(email: nil, max_redemptions_allowed: 10) expect(invite.redeem(redeeming_user: user)).not_to eq(nil) get "/invites/#{invite.invite_key}" expect(response.status).to eq(200) expect(response.body).to have_tag("div#data-preloaded") do |element| json = JSON.parse(element.current_scope.attribute("data-preloaded").value) invite_info = JSON.parse(json["invite_info"]) expect(invite_info["existing_user_id"]).to eq(user.id) expect(invite_info["existing_user_can_redeem"]).to eq(false) expect(invite_info["existing_user_can_redeem_error"]).to eq( I18n.t("invite.existing_user_already_redemeed"), ) end end it "allows the user to accept the invite when its an invite link that they have not redeemed" do invite.update!(email: nil, max_redemptions_allowed: 10) get "/invites/#{invite.invite_key}" expect(response.status).to eq(200) expect(response.body).to have_tag("div#data-preloaded") do |element| json = JSON.parse(element.current_scope.attribute("data-preloaded").value) invite_info = JSON.parse(json["invite_info"]) expect(invite_info["existing_user_id"]).to eq(user.id) expect(invite_info["existing_user_can_redeem"]).to eq(true) end end end it "fails if invite does not exist" do get "/invites/missing" expect(response.status).to eq(200) expect(response.body).to have_tag(:body, with: { class: "no-ember" }) expect(response.body).to include(I18n.t("invite.not_found", base_url: Discourse.base_url)) end it "fails if invite expired" do invite.update(expires_at: 1.day.ago) get "/invites/#{invite.invite_key}" expect(response.status).to eq(200) expect(response.body).to have_tag(:body, with: { class: "no-ember" }) expect(response.body).to include(I18n.t("invite.expired", base_url: Discourse.base_url)) end it "stores the invite key in the secure session if invite exists" do get "/invites/#{invite.invite_key}" expect(response.status).to eq(200) invite_key = read_secure_session["invite-key"] expect(invite_key).to eq(invite.invite_key) end it "returns error if invite has already been redeemed" do expect(invite.redeem).not_to eq(nil) get "/invites/#{invite.invite_key}" expect(response.status).to eq(200) expect(response.body).to have_tag(:body, with: { class: "no-ember" }) expect(response.body).to include( I18n.t( "invite.not_found_template", site_name: SiteSetting.title, base_url: Discourse.base_url, ), ) invite.update!(email: nil) # convert to email invite get "/invites/#{invite.invite_key}" expect(response.status).to eq(200) expect(response.body).to have_tag(:body, with: { class: "no-ember" }) expect(response.body).to include( I18n.t( "invite.not_found_template_link", site_name: SiteSetting.title, base_url: Discourse.base_url, ), ) end end describe "#create" do it "requires to be logged in" do post "/invites.json", params: { email: "test@example.com" } expect(response.status).to eq(403) end context "while logged in" do before { sign_in(user) } it "fails if you cannot invite to the forum" do sign_in(Fabricate(:user)) post "/invites.json", params: { email: "test@example.com" } expect(response).to be_forbidden end end context "with invite to topic" do fab!(:topic) it "works" do sign_in(user) post "/invites.json", params: { email: "test@example.com", topic_id: topic.id, invite_to_topic: true, } expect(response.status).to eq(200) expect(Jobs::InviteEmail.jobs.first["args"].first["invite_to_topic"]).to be_truthy end it "fails when topic_id is invalid" do sign_in(user) post "/invites.json", params: { email: "test@example.com", topic_id: -9999 } expect(response.status).to eq(400) end context "when topic is private" do fab!(:group) fab!(:secured_category) do category = Fabricate(:category) category.permissions = { group.name => :full } category.save! category end fab!(:topic) { Fabricate(:topic, category: secured_category) } it "does not work and returns a list of required groups" do sign_in(admin) post "/invites.json", params: { email: "test@example.com", topic_id: topic.id } expect(response.status).to eq(422) expect(response.parsed_body["errors"]).to contain_exactly( I18n.t("invite.requires_groups", groups: group.name), ) end it "does not work if user cannot edit groups" do group.add(user) sign_in(user) post "/invites.json", params: { email: "test@example.com", topic_id: topic.id } expect(response.status).to eq(403) end end end context "with invite to group" do fab!(:group) it "works for admins" do sign_in(admin) post "/invites.json", params: { email: "test@example.com", group_ids: [group.id] } expect(response.status).to eq(200) expect(Invite.find_by(email: "test@example.com").invited_groups.count).to eq(1) end it "works for group owners" do sign_in(user) group.add_owner(user) post "/invites.json", params: { email: "test@example.com", group_ids: [group.id] } expect(response.status).to eq(200) expect(Invite.find_by(email: "test@example.com").invited_groups.count).to eq(1) end it "works with multiple groups" do sign_in(admin) group2 = Fabricate(:group) post "/invites.json", params: { email: "test@example.com", group_names: "#{group.name},#{group2.name}", } expect(response.status).to eq(200) expect(Invite.find_by(email: "test@example.com").invited_groups.count).to eq(2) end it "fails for group members" do sign_in(user) group.add(user) post "/invites.json", params: { email: "test@example.com", group_ids: [group.id] } expect(response.status).to eq(403) end it "fails for other users" do sign_in(user) post "/invites.json", params: { email: "test@example.com", group_ids: [group.id] } expect(response.status).to eq(403) end it "fails to invite new user to a group-private topic" do sign_in(user) private_category = Fabricate(:private_category, group: group) group_private_topic = Fabricate(:topic, category: private_category) post "/invites.json", params: { email: "test@example.com", topic_id: group_private_topic.id, } expect(response.status).to eq(403) end end context "with email invite" do subject(:create_invite) { post "/invites.json", params: params } let(:params) { { email: email } } let(:email) { "test@example.com" } before { sign_in(user) } context "when doing successive calls" do let(:invite) { Invite.last } it "creates invite once and updates it after" do create_invite expect(response).to have_http_status :ok expect(Jobs::InviteEmail.jobs.size).to eq(1) create_invite expect(response).to have_http_status :ok expect(response.parsed_body["id"]).to eq(invite.id) end end context 'when "skip_email" parameter is provided' do before { params[:skip_email] = true } it "accepts the parameter" do create_invite expect(response).to have_http_status :ok expect(Jobs::InviteEmail.jobs.size).to eq(0) end end context "when validations fail" do let(:email) { "test@mailinator.com" } it "fails" do create_invite expect(response).to have_http_status :unprocessable_entity expect(response.parsed_body["errors"]).to be_present end end context "when email address is too long" do let(:email) { "a" * 495 + "@example.com" } it "fails" do create_invite expect(response).to have_http_status :unprocessable_entity expect(response.parsed_body["errors"]).to be_present error_message = response.parsed_body["errors"].first expect(error_message).to eq("Email is too long (maximum is 500 characters)") end end context "when providing an email belonging to an existing user" do let(:email) { user.email } before { SiteSetting.hide_email_address_taken = hide_email_address_taken } context 'when "hide_email_address_taken" setting is disabled' do let(:hide_email_address_taken) { false } it "returns an error" do create_invite expect(response).to have_http_status :unprocessable_entity expect(body).to match(/no need to invite/) end end context 'when "hide_email_address_taken" setting is enabled' do let(:hide_email_address_taken) { true } it "doesn’t inform the user" do create_invite expect(response).to have_http_status :unprocessable_entity expect(body).to match(/There was a problem with your request./) end end end end context "with domain invite" do it "works" do sign_in(admin) post "/invites.json", params: { domain: "example.com" } expect(response).to have_http_status :ok end it "fails when domain is invalid" do sign_in(admin) post "/invites.json", params: { domain: "example" } expect(response).to have_http_status :unprocessable_entity error_message = response.parsed_body["errors"].first expect(error_message).to eq(I18n.t("invite.domain_not_allowed_admin")) end it "fails when domain is too long" do sign_in(admin) post "/invites.json", params: { domain: "a" * 500 + ".ca" } expect(response).to have_http_status :unprocessable_entity error_message = response.parsed_body["errors"].first expect(error_message).to eq("Domain is too long (maximum is 500 characters)") end it "fails when custom message is too long" do sign_in(admin) post "/invites.json", params: { custom_message: "b" * 1001, domain: "example.com" } expect(response).to have_http_status :unprocessable_entity error_message = response.parsed_body["errors"].first expect(error_message).to eq("Custom message is too long (maximum is 1000 characters)") end end context "with link invite" do it "works" do sign_in(admin) post "/invites.json" expect(response.status).to eq(200) expect(Invite.last.email).to eq(nil) expect(Invite.last.invited_by).to eq(admin) expect(Invite.last.max_redemptions_allowed).to eq(1) end it "fails if over invite_link_max_redemptions_limit" do sign_in(admin) post "/invites.json", params: { max_redemptions_allowed: SiteSetting.invite_link_max_redemptions_limit - 1, } expect(response.status).to eq(200) post "/invites.json", params: { max_redemptions_allowed: SiteSetting.invite_link_max_redemptions_limit + 1, } expect(response.status).to eq(422) end it "fails if over invite_link_max_redemptions_limit_users" do sign_in(user) post "/invites.json", params: { max_redemptions_allowed: SiteSetting.invite_link_max_redemptions_limit_users - 1, } expect(response.status).to eq(200) post "/invites.json", params: { max_redemptions_allowed: SiteSetting.invite_link_max_redemptions_limit_users + 1, } expect(response.status).to eq(422) end end end describe "#create-multiple" do it "fails if you are not admin" do sign_in(Fabricate(:user)) post "/invites/create-multiple.json", params: { email: %w[test@example.com test1@example.com bademail], } expect(response.status).to eq(403) end it "creates multiple invites for multiple emails" do sign_in(admin) post "/invites/create-multiple.json", params: { email: %w[test@example.com test1@example.com bademail], } expect(response.status).to eq(200) json = JSON(response.body) expect(json["failed_invitations"].length).to eq(1) expect(json["successful_invitations"].length).to eq(2) end it "creates many invite codes with one request" do #change to sign_in(admin) num_emails = 5 # increase manually for load testing post "/invites/create-multiple.json", params: { email: 1.upto(num_emails).map { |i| "test#{i}@example.com" }, #email: %w[test+1@example.com test1@example.com] } expect(response.status).to eq(200) json = JSON(response.body) expect(json["failed_invitations"].length).to eq(0) expect(json["successful_invitations"].length).to eq(num_emails) end context "with invite to topic" do fab!(:topic) it "works" do sign_in(admin) post "/invites/create-multiple.json", params: { email: ["test@example.com"], topic_id: topic.id, invite_to_topic: true, } expect(response.status).to eq(200) expect(Jobs::InviteEmail.jobs.first["args"].first["invite_to_topic"]).to be_truthy end it "fails when topic_id is invalid" do sign_in(admin) post "/invites/create-multiple.json", params: { email: ["test@example.com"], topic_id: -9999, } expect(response.status).to eq(400) end end context "with invite to group" do fab!(:group) it "works for admins" do sign_in(admin) post "/invites/create-multiple.json", params: { email: ["test@example.com"], group_ids: [group.id], } expect(response.status).to eq(200) expect(Invite.find_by(email: "test@example.com").invited_groups.count).to eq(1) end it "works with multiple groups" do sign_in(admin) group2 = Fabricate(:group) post "/invites/create-multiple.json", params: { email: ["test@example.com"], group_names: "#{group.name},#{group2.name}", } expect(response.status).to eq(200) expect(Invite.find_by(email: "test@example.com").invited_groups.count).to eq(2) end end context "with email invite" do subject(:create_multiple_invites) { post "/invites/create-multiple.json", params: params } let(:params) { { email: [email] } } let(:email) { "test@example.com" } before { sign_in(admin) } context "when doing successive calls" do let(:invite) { Invite.last } it "creates invite once and updates it after" do create_multiple_invites expect(response).to have_http_status :ok expect(Jobs::InviteEmail.jobs.size).to eq(1) create_multiple_invites expect(response).to have_http_status :ok expect(response.parsed_body["successful_invitations"][0]["invite"]["id"]).to eq(invite.id) end end context 'when "skip_email" parameter is provided' do before { params[:skip_email] = true } it "accepts the parameter" do create_multiple_invites expect(response).to have_http_status :ok expect(Jobs::InviteEmail.jobs.size).to eq(0) end end end it "fails if asked to generate too many invites at once" do SiteSetting.max_api_invites = 3 sign_in(admin) post "/invites/create-multiple.json", params: { email: %w[ mail1@mailinator.com mail2@mailinator.com mail3@mailinator.com mail4@mailinator.com ], } expect(response.status).to eq(422) expect(response.parsed_body["errors"][0]).to eq( I18n.t("invite.max_invite_emails_limit_exceeded", max: SiteSetting.max_api_invites), ) end end describe "#retrieve" do it "requires to be logged in" do get "/invites/retrieve.json", params: { email: "test@example.com" } expect(response.status).to eq(403) end context "while logged in" do before { sign_in(user) } fab!(:invite) { Fabricate(:invite, invited_by: user, email: "test@example.com") } it "raises an error when the email is missing" do get "/invites/retrieve.json" expect(response.status).to eq(400) end it "raises an error when the email cannot be found" do get "/invites/retrieve.json", params: { email: "test2@example.com" } expect(response.status).to eq(400) end it "can retrieve the invite" do get "/invites/retrieve.json", params: { email: "test@example.com" } expect(response.status).to eq(200) end end end describe "#update" do fab!(:invite) { Fabricate(:invite, invited_by: admin, email: "test@example.com") } it "requires to be logged in" do put "/invites/#{invite.id}", params: { email: "test2@example.com" } expect(response.status).to eq(400) end context "while logged in" do before { sign_in(admin) } it "resends invite email if updating email address" do put "/invites/#{invite.id}", params: { email: "test2@example.com" } expect(response.status).to eq(200) expect(Jobs::InviteEmail.jobs.size).to eq(1) end it "does not resend invite email if skip_email if updating email address" do put "/invites/#{invite.id}", params: { email: "test2@example.com", skip_email: true } expect(response.status).to eq(200) expect(Jobs::InviteEmail.jobs.size).to eq(0) end it "does not resend invite email when updating other fields" do put "/invites/#{invite.id}", params: { custom_message: "new message" } expect(response.status).to eq(200) expect(invite.reload.custom_message).to eq("new message") expect(Jobs::InviteEmail.jobs.size).to eq(0) end it "cannot create duplicated invites" do Fabricate(:invite, invited_by: admin, email: "test2@example.com") put "/invites/#{invite.id}.json", params: { email: "test2@example.com" } expect(response.status).to eq(409) end describe "rate limiting" do before { RateLimiter.enable } it "can send invite email" do sign_in(user) invite = Fabricate(:invite, invited_by: user, email: "test@example.com") expect { put "/invites/#{invite.id}", params: { send_email: true } }.to change { RateLimiter.new(user, "resend-invite-per-hour", 10, 1.hour).remaining }.by(-1) expect(response.status).to eq(200) expect(Jobs::InviteEmail.jobs.size).to eq(1) end end context "when providing an email belonging to an existing user" do subject(:update_invite) { put "/invites/#{invite.id}.json", params: { email: admin.email } } before { SiteSetting.hide_email_address_taken = hide_email_address_taken } context "when 'hide_email_address_taken' setting is disabled" do let(:hide_email_address_taken) { false } it "returns an error" do update_invite expect(response).to have_http_status :unprocessable_entity expect(body).to match(/no need to invite/) end end context "when 'hide_email_address_taken' setting is enabled" do let(:hide_email_address_taken) { true } it "doesn't inform the user" do update_invite expect(response).to have_http_status :unprocessable_entity expect(body).to match(/There was a problem with your request./) end end end end end describe "#destroy" do it "requires to be logged in" do delete "/invites.json", params: { email: "test@example.com" } expect(response.status).to eq(403) end context "while logged in" do fab!(:invite) { Fabricate(:invite, invited_by: user) } before { sign_in(user) } it "raises an error when id is missing" do delete "/invites.json" expect(response.status).to eq(400) end it "raises an error when invite does not exist" do delete "/invites.json", params: { id: 848 } expect(response.status).to eq(400) end it "raises an error when invite is not created by user" do another_invite = Fabricate(:invite, email: "test2@example.com") delete "/invites.json", params: { id: another_invite.id } expect(response.status).to eq(400) end it "destroys the invite" do delete "/invites.json", params: { id: invite.id } expect(response.status).to eq(200) expect(invite.reload.trashed?).to be_truthy end end end describe "#perform_accept_invitation" do context "with an invalid invite" do it "redirects to the root" do put "/invites/show/doesntexist.json" expect(response.status).to eq(404) expect(response.parsed_body["message"]).to eq(I18n.t("invite.not_found_json")) expect(session[:current_user_id]).to be_blank end end context "with a deleted invite" do fab!(:invite) before { invite.trash! } it "redirects to the root" do put "/invites/show/#{invite.invite_key}.json" expect(response.status).to eq(404) expect(response.parsed_body["message"]).to eq(I18n.t("invite.not_found_json")) expect(session[:current_user_id]).to be_blank end end context "with an expired invite" do fab!(:invite) { Fabricate(:invite, expires_at: 1.day.ago) } it "response is not successful" do put "/invites/show/#{invite.invite_key}.json" expect(response.status).to eq(404) expect(response.parsed_body["message"]).to eq(I18n.t("invite.not_found_json")) expect(session[:current_user_id]).to be_blank end end context "with an email invite" do let(:topic) { Fabricate(:topic) } let(:invite) { Invite.generate(topic.user, email: "iceking@adventuretime.ooo", topic: topic) } it "redeems the invite" do put "/invites/show/#{invite.invite_key}.json" expect(invite.reload.redeemed?).to be_truthy end it "logs in the user" do events = DiscourseEvent.track_events do put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token, } end expect(events.map { |event| event[:event_name] }).to include( :user_logged_in, :user_first_logged_in, ) expect(response.status).to eq(200) expect(session[:current_user_id]).to eq(invite.invited_users.first.user_id) expect(invite.reload.redeemed?).to be_truthy user = User.find(invite.invited_users.first.user_id) expect(user.ip_address).to be_present expect(user.registration_ip_address).to be_present end it "redirects to the first topic the user was invited to" do put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token } expect(response.status).to eq(200) expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url) expect( Notification.where( notification_type: Notification.types[:invited_to_topic], topic: topic, ).count, ).to eq(1) end it "sets the timezone of the user in user_options" do put "/invites/show/#{invite.invite_key}.json", params: { timezone: "Australia/Melbourne" } expect(response.status).to eq(200) invite.reload user = User.find(invite.invited_users.first.user_id) expect(user.user_option.timezone).to eq("Australia/Melbourne") end it "does not log in the user if there are validation errors" do put "/invites/show/#{invite.invite_key}.json", params: { password: "password" } expect(response.status).to eq(412) expect(session[:current_user_id]).to eq(nil) end it "does not log in the user if they were not approved" do SiteSetting.must_approve_users = true put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex, email_token: invite.email_token, } expect(session[:current_user_id]).to eq(nil) expect(response.parsed_body["message"]).to eq(I18n.t("activation.approval_required")) end it "does not log in the user if they were not activated" do put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex } expect(session[:current_user_id]).to eq(nil) expect(response.parsed_body["message"]).to eq(I18n.t("invite.confirm_email")) end it "fails when local login is disabled and no external auth is configured" do SiteSetting.enable_local_logins = false put "/invites/show/#{invite.invite_key}.json" expect(response.status).to eq(404) end context "with OmniAuth provider" do fab!(:authenticated_email) { "test@example.com" } before do OmniAuth.config.test_mode = true OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new( provider: "google_oauth2", uid: "12345", info: OmniAuth::AuthHash::InfoHash.new(email: authenticated_email, name: "First Last"), extra: { raw_info: OmniAuth::AuthHash.new( email_verified: true, email: authenticated_email, family_name: "Last", given_name: "First", gender: "male", name: "First Last", ), }, ) Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2] SiteSetting.enable_google_oauth2_logins = true get "/auth/google_oauth2/callback.json" expect(response.status).to eq(302) end after do Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[ :google_oauth2 ] = nil OmniAuth.config.test_mode = false end it "should associate the invited user with authenticator records" do SiteSetting.auth_overrides_name = true invite.update!(email: authenticated_email) expect { put "/invites/show/#{invite.invite_key}.json", params: { name: "somename" } }.to change { User.with_email(authenticated_email).exists? }.to(true) expect(response.status).to eq(200) user = User.find_by_email(authenticated_email) expect(user.name).to eq("First Last") expect(user.user_associated_accounts.first.provider_name).to eq("google_oauth2") end it "returns the right response even if local logins has been disabled" do SiteSetting.enable_local_logins = false invite.update!(email: authenticated_email) put "/invites/show/#{invite.invite_key}.json" expect(response.status).to eq(200) end it "returns the right response if authenticated email does not match invite email" do put "/invites/show/#{invite.invite_key}.json" expect(response.status).to eq(412) end end describe ".post_process_invite" do it "sends a welcome message if set" do SiteSetting.send_welcome_message = true user.send_welcome_message = true put "/invites/show/#{invite.invite_key}.json" expect(response.status).to eq(200) expect(Jobs::SendSystemMessage.jobs.size).to eq(1) end it "refreshes automatic groups if staff" do topic.user.grant_admin! invite.update!(moderator: true) put "/invites/show/#{invite.invite_key}.json" expect(response.status).to eq(200) expect(invite.invited_users.first.user.groups.pluck(:name)).to contain_exactly( "moderators", "staff", ) end context "without password" do it "sends password reset email" do put "/invites/show/#{invite.invite_key}.json" expect(response.status).to eq(200) expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(1) expect(Jobs::CriticalUserEmail.jobs.size).to eq(0) end end context "with password" do context "when user was invited via email" do before { invite.update_column(:emailed_status, Invite.emailed_status_types[:pending]) } it "does not send an activation email and activates the user" do expect do put "/invites/show/#{invite.invite_key}.json", params: { password: "verystrongpassword", email_token: invite.email_token, } end.to change { UserAuthToken.count }.by(1) expect(response.status).to eq(200) expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(0) expect(Jobs::CriticalUserEmail.jobs.size).to eq(0) invited_user = User.find_by_email(invite.email) expect(invited_user.active).to eq(true) expect(invited_user.email_confirmed?).to eq(true) end it "does not activate user if email token is missing" do expect do put "/invites/show/#{invite.invite_key}.json", params: { password: "verystrongpassword", } end.not_to change { UserAuthToken.count } expect(response.status).to eq(200) expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(0) expect(Jobs::CriticalUserEmail.jobs.size).to eq(1) invited_user = User.find_by_email(invite.email) expect(invited_user.active).to eq(false) expect(invited_user.email_confirmed?).to eq(false) end end context "when user was invited via link" do before do invite.update_column(:emailed_status, Invite.emailed_status_types[:not_required]) end it "sends an activation email and does not activate the user" do expect do put "/invites/show/#{invite.invite_key}.json", params: { password: "verystrongpassword", } end.not_to change { UserAuthToken.count } expect(response.status).to eq(200) expect(response.parsed_body["message"]).to eq(I18n.t("invite.confirm_email")) invited_user = User.find_by_email(invite.email) expect(invited_user.active).to eq(false) expect(invited_user.email_confirmed?).to eq(false) expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(0) expect(Jobs::CriticalUserEmail.jobs.size).to eq(1) tokens = EmailToken.where(user_id: invited_user.id, confirmed: false, expired: false) expect(tokens.size).to eq(1) job_args = Jobs::CriticalUserEmail.jobs.first["args"].first expect(job_args["type"]).to eq("signup") expect(job_args["user_id"]).to eq(invited_user.id) expect(EmailToken.hash_token(job_args["email_token"])).to eq(tokens.first.token_hash) end end end end end context "with a domain invite" do fab!(:invite) do Fabricate( :invite, email: nil, emailed_status: Invite.emailed_status_types[:not_required], domain: "example.com", ) end it "creates an user if email matches domain" do expect { put "/invites/show/#{invite.invite_key}.json", params: { email: "test@example.com", password: "verystrongpassword", } }.to change { User.count } expect(response.status).to eq(200) expect(response.parsed_body["message"]).to eq(I18n.t("invite.confirm_email")) expect(invite.reload.redemption_count).to eq(1) invited_user = User.find_by_email("test@example.com") expect(invited_user).to be_present end it "does not create an user if email does not match domain" do expect { put "/invites/show/#{invite.invite_key}.json", params: { email: "test@example2.com", password: "verystrongpassword", } }.not_to change { User.count } expect(response.status).to eq(412) expect(response.parsed_body["message"]).to eq(I18n.t("invite.domain_not_allowed")) expect(invite.reload.redemption_count).to eq(0) end end context "with an invite link" do fab!(:invite) do Fabricate(:invite, email: nil, emailed_status: Invite.emailed_status_types[:not_required]) end it "does not create multiple users for a single use invite" do user_count = User.count 2 .times .map do Thread.new do put "/invites/show/#{invite.invite_key}.json", params: { email: "test@example.com", password: "verystrongpassword", } end end .each(&:join) expect(invite.reload.max_redemptions_allowed).to eq(1) expect(invite.reload.redemption_count).to eq(1) expect(User.count).to eq(user_count + 1) end it "sends an activation email and does not activate the user" do expect { put "/invites/show/#{invite.invite_key}.json", params: { email: "test@example.com", password: "verystrongpassword", } }.not_to change { UserAuthToken.count } expect(response.status).to eq(200) expect(response.parsed_body["message"]).to eq(I18n.t("invite.confirm_email")) expect(invite.reload.redemption_count).to eq(1) invited_user = User.find_by_email("test@example.com") expect(invited_user.active).to eq(false) expect(invited_user.email_confirmed?).to eq(false) expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(0) expect(Jobs::CriticalUserEmail.jobs.size).to eq(1) tokens = EmailToken.where(user_id: invited_user.id, confirmed: false, expired: false) expect(tokens.size).to eq(1) job_args = Jobs::CriticalUserEmail.jobs.first["args"].first expect(job_args["type"]).to eq("signup") expect(job_args["user_id"]).to eq(invited_user.id) expect(EmailToken.hash_token(job_args["email_token"])).to eq(tokens.first.token_hash) end it "does not automatically log in the user if their email matches an existing user's and shows an error" do Fabricate(:user, email: "test@example.com") put "/invites/show/#{invite.invite_key}.json", params: { email: "test@example.com", password: "verystrongpassword", } expect(session[:current_user_id]).to be_blank expect(response.status).to eq(412) expect(response.parsed_body["message"]).to include("Primary email has already been taken") expect(invite.reload.redemption_count).to eq(0) end it "does not automatically log in the user if their email matches an existing admin's and shows an error" do Fabricate(:admin, email: "test@example.com") put "/invites/show/#{invite.invite_key}.json", params: { email: "test@example.com", password: "verystrongpassword", } expect(session[:current_user_id]).to be_blank expect(response.status).to eq(412) expect(response.parsed_body["message"]).to include("Primary email has already been taken") expect(invite.reload.redemption_count).to eq(0) end end context "when new registrations are disabled" do fab!(:topic) fab!(:invite) { Invite.generate(topic.user, email: "test@example.com", topic: topic) } before { SiteSetting.allow_new_registrations = false } it "does not redeem the invite" do put "/invites/show/#{invite.invite_key}.json" expect(response.status).to eq(200) expect(invite.reload.invited_users).to be_blank expect(invite.redeemed?).to be_falsey expect(response.body).to include(I18n.t("login.new_registrations_disabled")) end end context "when user is already logged in" do before { sign_in(user) } context "for an email invite" do fab!(:invite) { Fabricate(:invite, email: "test@example.com") } fab!(:user) { Fabricate(:user, email: "test@example.com") } fab!(:group) it "redeems the invitation and creates the invite accepted notification" do put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key } expect(response.status).to eq(200) expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success")) invite.reload expect(invite.invited_users.first.user).to eq(user) expect(invite.redeemed?).to be_truthy expect( Notification.exists?( user: invite.invited_by, notification_type: Notification.types[:invitee_accepted], ), ).to eq(true) end it "redirects to the first topic the user was invited to and creates the topic notification" do topic = Fabricate(:topic) TopicInvite.create!(invite: invite, topic: topic) put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key } expect(response.status).to eq(200) expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url) expect( Notification.where( notification_type: Notification.types[:invited_to_topic], topic: topic, ).count, ).to eq(1) end it "adds the user to the private topic" do topic = Fabricate(:private_message_topic) TopicInvite.create!(invite: invite, topic: topic) put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key } expect(response.status).to eq(200) expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url) expect(TopicAllowedUser.exists?(user: user, topic: topic)).to eq(true) end it "adds the user to the groups specified on the invite and allows them to access the secure topic" do group.add_owner(invite.invited_by) secured_category = Fabricate(:category) secured_category.permissions = { group.name => :full } secured_category.save! topic = Fabricate(:topic, category: secured_category) TopicInvite.create!(invite: invite, topic: topic) InvitedGroup.create!(invite: invite, group: group) put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key } expect(response.status).to eq(200) expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success")) expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url) invite.reload expect(invite.redeemed?).to be_truthy expect(user.reload.groups).to include(group) expect( Notification.where( notification_type: Notification.types[:invited_to_topic], topic: topic, ).count, ).to eq(1) end it "does not try to log in the user automatically" do expect do put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key } end.not_to change { UserAuthToken.count } expect(response.status).to eq(200) expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success")) end it "errors if the user's email doesn't match the invite email" do user.update!(email: "blah@test.com") put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key } expect(response.status).to eq(412) expect(response.parsed_body["message"]).to eq(I18n.t("invite.not_matching_email")) end it "errors if the user's email domain doesn't match the invite domain" do user.update!(email: "blah@test.com") invite.update!(email: nil, domain: "example.com") put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key } expect(response.status).to eq(412) expect(response.parsed_body["message"]).to eq(I18n.t("invite.domain_not_allowed")) end end context "for an invite link" do fab!(:invite) { Fabricate(:invite, email: nil) } fab!(:user) { Fabricate(:user, email: "test@example.com") } fab!(:group) it "redeems the invitation and creates the invite accepted notification" do put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key } expect(response.status).to eq(200) expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success")) invite.reload expect(invite.invited_users.first.user).to eq(user) expect(invite.redeemed?).to be_truthy expect( Notification.exists?( user: invite.invited_by, notification_type: Notification.types[:invitee_accepted], ), ).to eq(true) end it "redirects to the first topic the user was invited to and creates the topic notification" do topic = Fabricate(:topic) TopicInvite.create!(invite: invite, topic: topic) put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key } expect(response.status).to eq(200) expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url) expect( Notification.where( notification_type: Notification.types[:invited_to_topic], topic: topic, ).count, ).to eq(1) end it "adds the user to the groups specified on the invite and allows them to access the secure topic" do group.add_owner(invite.invited_by) secured_category = Fabricate(:category) secured_category.permissions = { group.name => :full } secured_category.save! topic = Fabricate(:topic, category: secured_category) TopicInvite.create!(invite: invite, topic: topic) InvitedGroup.create!(invite: invite, group: group) put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key } expect(response.status).to eq(200) expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success")) expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url) invite.reload expect(invite.redeemed?).to be_truthy expect(user.reload.groups).to include(group) expect( Notification.where( notification_type: Notification.types[:invited_to_topic], topic: topic, ).count, ).to eq(1) end it "does not try to log in the user automatically" do expect do put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key } end.not_to change { UserAuthToken.count } expect(response.status).to eq(200) expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success")) end end end context "with topic invites" do fab!(:invite) { Fabricate(:invite, email: "test@example.com") } fab!(:secured_category) do secured_category = Fabricate(:category) secured_category.permissions = { staff: :full } secured_category.save! secured_category end it "redirects user to topic if activated" do topic = Fabricate(:topic) TopicInvite.create!(invite: invite, topic: topic) put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token } expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url) expect( Notification.where( notification_type: Notification.types[:invited_to_topic], topic: topic, ).count, ).to eq(1) end it "sets destination_url cookie if user is not activated" do topic = Fabricate(:topic) TopicInvite.create!(invite: invite, topic: topic) put "/invites/show/#{invite.invite_key}.json" expect(cookies["destination_url"]).to eq(topic.relative_url) expect( Notification.where( notification_type: Notification.types[:invited_to_topic], topic: topic, ).count, ).to eq(1) end it "does not redirect user if they cannot see topic" do topic = Fabricate(:topic, category: secured_category) TopicInvite.create!(invite: invite, topic: topic) put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token } expect(response.parsed_body["redirect_to"]).to eq("/") expect( Notification.where( notification_type: Notification.types[:invited_to_topic], topic: topic, ).count, ).to eq(0) end end context "with staged user" do fab!(:invite) fab!(:staged_user) { Fabricate(:user, staged: true, email: invite.email) } it "can keep the old username" do old_username = staged_user.username put "/invites/show/#{invite.invite_key}.json", params: { username: staged_user.username, password: "Password123456", email_token: invite.email_token, } expect(response.status).to eq(200) expect(invite.reload.redeemed?).to be_truthy user = invite.invited_users.first.user expect(user.username).to eq(old_username) end it "can change the username" do put "/invites/show/#{invite.invite_key}.json", params: { username: "new_username", password: "Password123456", email_token: invite.email_token, } expect(response.status).to eq(200) expect(invite.reload.redeemed?).to be_truthy user = invite.invited_users.first.user expect(user.username).to eq("new_username") end end end describe "#destroy_all_expired" do it "removes all expired invites sent by a user" do SiteSetting.invite_expiry_days = 1 user = Fabricate(:admin) invite_1 = Fabricate(:invite, invited_by: user) invite_2 = Fabricate(:invite, invited_by: user) expired_invite = Fabricate(:invite, invited_by: user) expired_invite.update!(expires_at: 2.days.ago) sign_in(user) post "/invites/destroy-all-expired" expect(response.status).to eq(200) expect(invite_1.reload.deleted_at).to eq(nil) expect(invite_2.reload.deleted_at).to eq(nil) expect(expired_invite.reload.deleted_at).to be_present end end describe "#resend_invite" do it "requires to be logged in" do post "/invites/reinvite.json", params: { email: "first_name@example.com" } expect(response.status).to eq(403) end context "while logged in" do fab!(:user) { sign_in(Fabricate(:user)) } fab!(:invite) { Fabricate(:invite, invited_by: user) } fab!(:another_invite) { Fabricate(:invite, email: "last_name@example.com") } it "raises an error when the email is missing" do post "/invites/reinvite.json" expect(response.status).to eq(400) end it "raises an error when the email cannot be found" do post "/invites/reinvite.json", params: { email: "first_name@example.com" } expect(response.status).to eq(400) end it "raises an error when the invite is not yours" do post "/invites/reinvite.json", params: { email: another_invite.email } expect(response.status).to eq(400) end it "resends the invite" do post "/invites/reinvite.json", params: { email: invite.email } expect(response.status).to eq(200) expect(Jobs::InviteEmail.jobs.size).to eq(1) end end end describe "#resend_all_invites" do let(:admin) { Fabricate(:admin) } before do SiteSetting.invite_expiry_days = 30 RateLimiter.enable end it "resends all non-redeemed invites by a user" do freeze_time new_invite = Fabricate(:invite, invited_by: admin) expired_invite = Fabricate(:invite, invited_by: admin) expired_invite.update!(expires_at: 2.days.ago) redeemed_invite = Fabricate(:invite, invited_by: admin) Fabricate(:invited_user, invite: redeemed_invite, user: Fabricate(:user)) redeemed_invite.update!(expires_at: 5.days.ago) sign_in(admin) post "/invites/reinvite-all" expect(response.status).to eq(200) expect(new_invite.reload.expires_at).to eq_time(30.days.from_now) expect(expired_invite.reload.expires_at).to eq_time(2.days.ago) expect(redeemed_invite.reload.expires_at).to eq_time(5.days.ago) end it "errors if admins try to exceed limit of one bulk invite per day" do sign_in(admin) start = Time.now freeze_time(start) post "/invites/reinvite-all" expect(response.parsed_body["errors"]).to_not be_present freeze_time(start + 10.minutes) post "/invites/reinvite-all" expect(response.parsed_body["errors"][0]).to eq(I18n.t("rate_limiter.slow_down")) end end describe "#upload_csv" do it "requires to be logged in" do post "/invites/upload_csv.json" expect(response.status).to eq(403) end context "while logged in" do let(:csv_file) { File.new("#{Rails.root}/spec/fixtures/csv/discourse.csv") } let(:file) { Rack::Test::UploadedFile.new(File.open(csv_file)) } let(:csv_file_with_headers) do File.new("#{Rails.root}/spec/fixtures/csv/discourse_headers.csv") end let(:file_with_headers) { Rack::Test::UploadedFile.new(File.open(csv_file_with_headers)) } let(:csv_file_with_locales) do File.new("#{Rails.root}/spec/fixtures/csv/invites_with_locales.csv") end let(:file_with_locales) { Rack::Test::UploadedFile.new(File.open(csv_file_with_locales)) } it "fails if you cannot bulk invite to the forum" do sign_in(Fabricate(:user)) post "/invites/upload_csv.json", params: { file: file, name: "discourse.csv" } expect(response.status).to eq(403) end it "allows admin to bulk invite" do sign_in(admin) post "/invites/upload_csv.json", params: { file: file, name: "discourse.csv" } expect(response.status).to eq(200) expect(Jobs::BulkInvite.jobs.size).to eq(1) end it "allows admin to bulk invite when DiscourseConnect enabled" do SiteSetting.discourse_connect_url = "https://example.com" SiteSetting.enable_discourse_connect = true sign_in(admin) post "/invites/upload_csv.json", params: { file: file, name: "discourse.csv" } expect(response.status).to eq(200) expect(Jobs::BulkInvite.jobs.size).to eq(1) end it "sends limited invites at a time" do SiteSetting.max_bulk_invites = 3 sign_in(admin) post "/invites/upload_csv.json", params: { file: file, name: "discourse.csv" } expect(response.status).to eq(422) expect(Jobs::BulkInvite.jobs.size).to eq(1) expect(response.parsed_body["errors"][0]).to eq( I18n.t("bulk_invite.max_rows", max_bulk_invites: SiteSetting.max_bulk_invites), ) end it "can import user fields" do Jobs.run_immediately! user_field = Fabricate(:user_field, name: "location") Fabricate(:group, name: "discourse") Fabricate(:group, name: "ubuntu") sign_in(admin) post "/invites/upload_csv.json", params: { file: file_with_headers, name: "discourse_headers.csv", } expect(response.status).to eq(200) user = User.where(staged: true).find_by_email("test@example.com") expect(user.user_fields[user_field.id.to_s]).to eq("usa") user2 = User.where(staged: true).find_by_email("test2@example.com") expect(user2.user_fields[user_field.id.to_s]).to eq("europe") end it "can pre-set user locales" do Jobs.run_immediately! sign_in(admin) post "/invites/upload_csv.json", params: { file: file_with_locales, name: "discourse_headers.csv", } expect(response.status).to eq(200) user = User.where(staged: true).find_by_email("test@example.com") expect(user.locale).to eq("de") user2 = User.where(staged: true).find_by_email("test2@example.com") expect(user2.locale).to eq("pl") end end end end