Merge pull request #3465 from evazion/fix-3464

Fix #3464: CurrentUser.ip_addr isn't set for anonymous users.
2017-12-27 12:01:28 -08:00
parent 7651497b23 ad74d9e75a
commit 12ce69171a
3 changed files with 19 additions and 4 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -47,6 +47,8 @@ class UsersController < ApplicationController
      @user.save
      if @user.errors.empty?
        session[:user_id] = @user.id
+      else
+        flash[:notice] = "Sign up failed: #{@user.errors.full_messages.join("; ")}"
      end
      set_current_user
      respond_with(@user)
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -12,6 +12,7 @@ class SessionLoader

  def load
    CurrentUser.user = AnonymousUser.new
+    CurrentUser.ip_addr = request.remote_ip

    if session[:user_id]
      load_session_user
@@ -55,7 +56,6 @@ private
  end
  
  def authenticate_api_key(name, api_key)
-    CurrentUser.ip_addr = request.remote_ip
    CurrentUser.user = User.authenticate_api_key(name, api_key)

    if CurrentUser.user.nil?
@@ -64,7 +64,6 @@ private
  end
  
  def authenticate_legacy_api_key(name, password_hash)
-    CurrentUser.ip_addr = request.remote_ip
    CurrentUser.user = User.authenticate_hash(name, password_hash)

    if CurrentUser.user.nil?
@@ -73,13 +72,11 @@ private
  end

  def load_session_user
-    CurrentUser.ip_addr = request.remote_ip
    CurrentUser.user = User.find_by_id(session[:user_id])
  end

  def load_cookie_user
    CurrentUser.user = User.find_by_name(cookies.signed[:user_name])
-    CurrentUser.ip_addr = request.remote_ip
    session[:user_id] = CurrentUser.user.id
  end

--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -93,6 +93,22 @@ class UsersControllerTest < ActionController::TestCase
          assert_equal([], assigns(:user).errors.full_messages)
        end
      end
+
+      should "not allow registering multiple accounts with the same IP" do
+        User.any_instance.unstub(:validate_sock_puppets)
+        request.env["REMOTE_ADDR"] = "1.2.3.4"
+        CurrentUser.user = nil
+
+        post :create, {:user => {:name => "user", :password => "xxxxx1", :password_confirmation => "xxxxx1"}}, {}
+        session.clear
+        post :create, {:user => {:name => "dupe", :password => "xxxxx1", :password_confirmation => "xxxxx1"}}, {}
+
+        assert_equal(true, User.where(name: "user").exists?)
+        assert_equal(false, User.where(name: "dupe").exists?)
+
+        assert_equal(IPAddr.new("1.2.3.4"), User.find_by_name("user").last_ip_addr)
+        assert_match(/Sign up failed: Last ip addr was used recently/, flash[:notice])
+      end
    end

    context "edit action" do