users: disallow banned users from changing email or deleting account.

This is to prevent people from wiping their email address after they've been banned and reusing it to verify a new account.
2021-05-15 03:02:56 -05:00
parent 4cf62c520c
commit 2537145b02
4 changed files with 24 additions and 1 deletions
--- a/app/logical/user_deletion.rb
+++ b/app/logical/user_deletion.rb
@@ -74,5 +74,9 @@ class UserDeletion
    if user.is_admin?
      errors.add(:base, "Admins cannot delete their account")
    end
+
+    if user.is_banned?
+      errors.add(:base, "You cannot delete your account if you are banned")
+    end
  end
 end
--- a/app/policies/email_address_policy.rb
+++ b/app/policies/email_address_policy.rb
@@ -9,7 +9,7 @@ class EmailAddressPolicy < ApplicationPolicy

  def update?
    # XXX here record is a user, not the email address.
-    record.id == user.id
+    record.id == user.id && !user.is_banned?
  end

  def verify?
--- a/test/functional/emails_controller_test.rb
+++ b/test/functional/emails_controller_test.rb
@@ -105,6 +105,16 @@ class EmailsControllerTest < ActionDispatch::IntegrationTest
          assert_enqueued_email_with UserMailer, :email_change_confirmation, args: [@user], queue: "default"
          assert_equal(true, @user.user_events.email_change.exists?)
        end
+
+        should "not allow banned users to change their email address" do
+          create(:ban, user: @user, duration: 1.week)
+          put_auth user_email_path(@user), @user, params: { user: { password: "password", email: "abc@ogres.net" }}
+
+          assert_response 403
+          assert_equal("bob@ogres.net", @user.reload.email_address.address)
+          assert_no_emails
+          assert_equal(false, @user.user_events.email_change.exists?)
+        end
      end

      context "with the incorrect password" do
--- a/test/unit/user_deletion_test.rb
+++ b/test/unit/user_deletion_test.rb
@@ -26,6 +26,15 @@ class UserDeletionTest < ActiveSupport::TestCase
        assert_includes(@deletion.errors[:base], "Admins cannot delete their account")
      end
    end
+
+    context "for a banned user" do
+      should "fail" do
+        @user = create(:banned_user)
+        @deletion = UserDeletion.new(@user, "password", @request)
+        @deletion.delete!
+        assert_includes(@deletion.errors[:base], "You cannot delete your account if you are banned")
+      end
+    end
  end

  context "a valid user deletion" do