From 32ac09ee480e6dc3197d0134c8d9796e1c90e66e Mon Sep 17 00:00:00 2001
From: evazion
Date: Thu, 21 Dec 2017 21:59:57 -0600
Subject: [PATCH 1/3] Add test for registering sock puppet accounts.

---
 test/functional/users_controller_test.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index 70d1945dd..7bb0412cb 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -93,6 +93,22 @@ class UsersControllerTest < ActionController::TestCase
         assert_equal([], assigns(:user).errors.full_messages)
       end
     end
+
+    should "not allow registering multiple accounts with the same IP" do
+      User.any_instance.unstub(:validate_sock_puppets)
+      request.env["REMOTE_ADDR"] = "1.2.3.4"
+      CurrentUser.user = nil
+
+      post :create, {:user => {:name => "user", :password => "xxxxx1", :password_confirmation => "xxxxx1"}}, {}
+      session.clear
+      post :create, {:user => {:name => "dupe", :password => "xxxxx1", :password_confirmation => "xxxxx1"}}, {}
+
+      assert_equal(true, User.where(name: "user").exists?)
+      assert_equal(false, User.where(name: "dupe").exists?)
+
+      assert_equal(IPAddr.new("1.2.3.4"), User.find_by_name("user").last_ip_addr)
+      assert_match(/Sign up failed: Last ip addr was used recently/, flash[:notice])
+    end
   end
   context "edit action" do

From 1fc22848740ae60ca8f5a7f4add86b7e5693be2e Mon Sep 17 00:00:00 2001
From: evazion
Date: Thu, 21 Dec 2017 21:57:37 -0600
Subject: [PATCH 2/3] /users/new: show error message when account signup fails.

---
 app/controllers/users_controller.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 6b8cd55af..e1a048245 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
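Review bot: The two boolean assertions in the new `should` block read better as `assert(User.where(name: "user").exists?)` and `refute(User.where(name: "dupe").exists?)` (or `assert_not`), which also give a more useful failure message than `assert_equal(true, …)`. The final `assert_match` pins the test to the exact wording of both the controller's "Sign up failed" prefix and the sock-puppet validator's message, so a copy change in either place breaks this test; matching on the validator's message alone, or checking the error on `assigns(:user)`, would be less brittle. The second `post :create` depends on `request.env["REMOTE_ADDR"]` surviving the first request in this test harness — it appears to, since the dupe is rejected, but a comment such as `# both signups must arrive from the same address for the second to count as a sock puppet` would make the intent explicit.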
@@ -47,6 +47,8 @@ class UsersController < ApplicationController
     @user.save
     if @user.errors.empty?
       session[:user_id] = @user.id
+    else
+      flash[:notice] = "Sign up failed: #{@user.errors.full_messages.join("; ")}"
     end
     set_current_user
     respond_with(@user)

From ad74d9e75a75e17318d307bc49977ec9422ed79a Mon Sep 17 00:00:00 2001
From: evazion
Date: Thu, 21 Dec 2017 21:57:03 -0600
Subject: [PATCH 3/3] Fix #3464: CurrentUser.ip_addr isn't set for anonymous users.

---
 app/logical/session_loader.rb | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/app/logical/session_loader.rb b/app/logical/session_loader.rb
index ddf2bcd97..583055577 100644
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -12,6 +12,7 @@ class SessionLoader
   def load
     CurrentUser.user = AnonymousUser.new
+    CurrentUser.ip_addr = request.remote_ip
     if session[:user_id]
       load_session_user
@@ -55,7 +56,6 @@ private
   end
   def authenticate_api_key(name, api_key)
-    CurrentUser.ip_addr = request.remote_ip
     CurrentUser.user = User.authenticate_api_key(name, api_key)
     if CurrentUser.user.nil?
@@ -64,7 +64,6 @@ private
   end
   def authenticate_legacy_api_key(name, password_hash)
-    CurrentUser.ip_addr = request.remote_ip
     CurrentUser.user = User.authenticate_hash(name, password_hash)
     if CurrentUser.user.nil?
@@ -73,13 +72,11 @@ private
   end
   def load_session_user
-    CurrentUser.ip_addr = request.remote_ip
     CurrentUser.user = User.find_by_id(session[:user_id])
   end
   def load_cookie_user
     CurrentUser.user = User.find_by_name(cookies.signed[:user_name])
-    CurrentUser.ip_addr = request.remote_ip
     session[:user_id] = CurrentUser.user.id
   end
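Review bot: If `respond_with(@user)` re-renders the signup form on failure, as the commit subject suggests, the message should be set with `flash.now[:notice] = "Sign up failed: #{@user.errors.full_messages.join("; ")}"`; with plain `flash[...]` and no redirect, the same message is carried over to the visitor's next request and appears on an unrelated page. The test in this series reads `flash[:notice]`, which `flash.now` still satisfies within the same request. Note also that `full_messages` surfaces every user-model validation message verbatim to an unauthenticated visitor, including the IP-reuse message the test expects; that looks intended, but it is worth confirming that no validation message on the model embeds values that should not be echoed back. The enclosing `create` action starts and ends outside this hunk.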
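Review bot: The new assignment in `load` deserves a why-comment, because its placement before the session/cookie/API-key branch is the whole fix and the four removals further down only look redundant once that is understood: `# Set before any auth path runs so anonymous requests (e.g. signup) also get an IP (#3464)`. `request.remote_ip` is only as trustworthy as the proxy configuration in front of the app (`config.action_dispatch.trusted_proxies`); now that the value is recorded for every request and feeds the sock-puppet check exercised by the new test, a misconfigured proxy layer would weaken that check silently, so a short pointer to where that is configured would help the next reader. `load` continues past the end of the hunk.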