jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

pundit: convert emails to pundit.

Browse Source
This commit is contained in:
evazion
2020-03-19 16:40:02 -05:00
parent a440c56ed8
commit 50fa674a3e
7 changed files with 76 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
app/controllers/emails_controller.rb
View File

@@ -1,24 +1,18 @@
class EmailsController < ApplicationController class EmailsController < ApplicationController
before_action :member_only
respond_to :html, :xml, :json respond_to :html, :xml, :json
def show def show
@user = User.find(params[:user_id]) @email_address = authorize EmailAddress.find_by_user_id!(params[:user_id])
check_privilege(@user) respond_with(@email_address)
respond_with(@user.email_address)
end end
def edit def edit
@user = User.find(params[:user_id]) @user = authorize User.find(params[:user_id]), policy_class: EmailAddressPolicy
check_privilege(@user)
respond_with(@user) respond_with(@user)
end end
def update def update
@user = User.find(params[:user_id]) @user = authorize User.find(params[:user_id]), policy_class: EmailAddressPolicy
check_privilege(@user)
if User.authenticate(@user.name, params[:user][:password]) if User.authenticate(@user.name, params[:user][:password])
@user.update(email_address_attributes: { address: params[:user][:email] }) @user.update(email_address_attributes: { address: params[:user][:email] })
@@ -37,17 +31,10 @@ class EmailsController < ApplicationController
end end
def verify def verify
email_id = Danbooru::MessageVerifier.new(:email_verification_key).verify(params[:email_verification_key]) @email_address = authorize EmailAddress.find_by_user_id!(params[:user_id])
@email_address = EmailAddress.find(email_id)
@email_address.update!(is_verified: true) @email_address.update!(is_verified: true)
flash[:notice] = "Email address verified" flash[:notice] = "Email address verified"
redirect_to @email_address.user redirect_to @email_address.user
end end
private
def check_privilege(user)
raise User::PrivilegeError unless user.id == CurrentUser.id || CurrentUser.is_admin?
end
end end

4
app/helpers/users_helper.rb
View File

@@ -15,4 +15,8 @@ module UsersHelper
verifier = ActiveSupport::MessageVerifier.new(Danbooru.config.email_key, serializer: JSON, digest: "SHA256") verifier = ActiveSupport::MessageVerifier.new(Danbooru.config.email_key, serializer: JSON, digest: "SHA256")
verifier.generate(user.id.to_s) verifier.generate(user.id.to_s)
end end
def email_verification_url(user)
verify_user_email_url(user, email_verification_key: user.email_address.verification_key)
end
end end

14
app/models/email_address.rb
View File

@@ -12,4 +12,18 @@ class EmailAddress < ApplicationRecord
self.normalized_address = EmailNormalizer.normalize(value) || address self.normalized_address = EmailNormalizer.normalize(value) || address
super super
end end
concerning :VerificationMethods do
def verifier
@verifier ||= Danbooru::MessageVerifier.new(:email_verification_key)
end
def verification_key
verifier.generate(id)
end
def valid_key?(key)
id == verifier.verified(key)
end
end
end end

14
app/policies/email_address_policy.rb Normal file
View File

@@ -0,0 +1,14 @@
class EmailAddressPolicy < ApplicationPolicy
def show?
record.user_id == user.id
end
def update?
# XXX here record is a user, not the email address.
record.id == user.id
end
def verify?
record.valid_key?(request.params[:email_verification_key])
end
end

2
app/views/user_mailer/email_change_confirmation.html.erb
View File

@@ -9,7 +9,7 @@
</p> </p>
<p> <p>
<%= link_to "Verify email address", verify_user_email_url(@user, email_verification_key: Danbooru::MessageVerifier.new(:email_verification_key).generate(@user.email_address.id)) %> <%= link_to "Verify email address", email_verification_url(@user) %>
</p> </p>
<p> <p>

2
app/views/user_mailer/welcome_user.html.erb
View File

@@ -8,7 +8,7 @@
</p> </p>
<p> <p>
<%= link_to "Verify email address", verify_user_email_url(@user, email_verification_key: Danbooru::MessageVerifier.new(:email_verification_key).generate(@user.email_address.id)) %> <%= link_to "Verify email address", email_verification_url(@user) %>
</p> </p>
<p> <p>

41
test/functional/emails_controller_test.rb
View File

@@ -1,9 +1,12 @@
require "test_helper" require "test_helper"
class EmailsControllerTest < ActionDispatch::IntegrationTest class EmailsControllerTest < ActionDispatch::IntegrationTest
include UsersHelper
context "in all cases" do context "in all cases" do
setup do setup do
@user = create(:user, email_address: build(:email_address, { address: "bob@ogres.net", is_verified: false })) @user = create(:user, email_address: build(:email_address, { address: "bob@ogres.net", is_verified: false }))
@other_user = create(:user, email_address: build(:email_address, { address: "alice@ogres.net", is_verified: false }))
end end
context "#show" do context "#show" do
@@ -11,6 +14,11 @@ class EmailsControllerTest < ActionDispatch::IntegrationTest
get_auth user_email_path(@user), @user, as: :json get_auth user_email_path(@user), @user, as: :json
assert_response :success assert_response :success
end end
should "not show email addresses to other users" do
get_auth user_email_path(@user), @other_user, as: :json
assert_response 403
end
end end
context "#edit" do context "#edit" do
@@ -20,13 +28,29 @@ class EmailsControllerTest < ActionDispatch::IntegrationTest
end end
end end
context "#create" do context "#update" do
context "with the correct password" do context "with the correct password" do
should "work" do should "update an existing address" do
put_auth user_email_path(@user), @user, params: { user: { password: "password", email: "abc@ogres.net" }} assert_difference("EmailAddress.count", 0) do
put_auth user_email_path(@user), @user, params: { user: { password: "password", email: "abc@ogres.net" }}
end
assert_redirected_to(settings_path) assert_redirected_to(settings_path)
assert_equal("abc@ogres.net", @user.reload.email_address.address) assert_equal("abc@ogres.net", @user.reload.email_address.address)
assert_equal(false, @user.email_address.is_verified)
assert_enqueued_email_with UserMailer, :email_change_confirmation, args: [@user]
end
should "create a new address" do
@user.email_address.destroy
assert_difference("EmailAddress.count", 1) do
put_auth user_email_path(@user), @user, params: { user: { password: "password", email: "abc@ogres.net" }}
end
assert_redirected_to(settings_path)
assert_equal("abc@ogres.net", @user.reload.email_address.address)
assert_equal(false, @user.reload.email_address.is_verified)
assert_enqueued_email_with UserMailer, :email_change_confirmation, args: [@user] assert_enqueued_email_with UserMailer, :email_change_confirmation, args: [@user]
end end
end end
@@ -46,12 +70,21 @@ class EmailsControllerTest < ActionDispatch::IntegrationTest
context "with a correct verification key" do context "with a correct verification key" do
should "mark the email address as verified" do should "mark the email address as verified" do
assert_equal(false, @user.reload.email_address.is_verified) assert_equal(false, @user.reload.email_address.is_verified)
get_auth verify_user_email_path(@user), @user, params: { email_verification_key: Danbooru::MessageVerifier.new(:email_verification_key).generate(@user.email_address.id) } get email_verification_url(@user)
assert_redirected_to @user assert_redirected_to @user
assert_equal(true, @user.reload.email_address.is_verified) assert_equal(true, @user.reload.email_address.is_verified)
end end
end end
context "with an incorrect verification key" do
should "not mark the email address as verified" do
get verify_user_email_path(@user, email_verification_key: @other_user.email_address.verification_key)
assert_response 403
assert_equal(false, @user.reload.email_address.is_verified)
end
end
end end
end end
end end