users: require email verification for signups from proxies.

Require users who signup using proxies to verify their email addresses before they can perform any edits. For verification purposes, the email must be a nondisposable address from a whitelist of trusted email providers.
2020-03-24 02:18:37 -05:00
parent 5faa323729
commit b7bd6c8fdd
10 changed files with 83 additions and 2 deletions
--- a/test/functional/emails_controller_test.rb
+++ b/test/functional/emails_controller_test.rb
@@ -85,6 +85,30 @@ class EmailsControllerTest < ActionDispatch::IntegrationTest
          assert_equal(false, @user.reload.email_address.is_verified)
        end
      end
+
+      context "with a nondisposable email address" do
+        should "mark the user as verified" do
+          Danbooru.config.stubs(:email_domain_verification_list).returns(["gmail.com"])
+          @user.email_address.update!(address: "test@gmail.com")
+          get email_verification_url(@user)
+
+          assert_redirected_to @user
+          assert_equal(true, @user.reload.email_address.is_verified)
+          assert_equal(true, @user.is_verified)
+        end
+      end
+
+      context "with a disposable email address" do
+        should "not mark the user as verified" do
+          Danbooru.config.stubs(:email_domain_verification_list).returns([])
+          @user.email_address.update!(address: "test@mailinator.com")
+          get email_verification_url(@user)
+
+          assert_redirected_to @user
+          assert_equal(true, @user.reload.email_address.is_verified)
+          assert_equal(false, @user.is_verified)
+        end
+      end
    end
  end
 end
--- a/test/functional/posts_controller_test.rb
+++ b/test/functional/posts_controller_test.rb
@@ -311,6 +311,13 @@ class PostsControllerTest < ActionDispatch::IntegrationTest
        assert_response 403
        assert_not_equal("blah", @post.reload.tag_string)
      end
+
+      should "not allow unverified users to update posts" do
+        @user.update!(requires_verification: true, is_verified: false)
+        put_auth post_path(@post), @user, params: { post: { tag_string: "blah" }}
+        assert_response 403
+        assert_not_equal("blah", @post.reload.tag_string)
+      end
    end

    context "revert action" do
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -151,6 +151,24 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
        end
      end

+      should "mark users signing up from proxies as requiring verification" do
+        skip unless IpLookup.enabled?
+        self.remote_addr = "1.1.1.1"
+        post users_path, params: { user: { name: "xxx", password: "xxxxx1", password_confirmation: "xxxxx1" }}
+
+        assert_redirected_to User.last
+        assert_equal(true, User.last.requires_verification)
+      end
+
+      should "not mark users signing up from non-proxies as requiring verification" do
+        skip unless IpLookup.enabled?
+        self.remote_addr = "187.37.226.17"
+        post users_path, params: { user: { name: "xxx", password: "xxxxx1", password_confirmation: "xxxxx1" }}
+
+        assert_redirected_to User.last
+        assert_equal(false, User.last.requires_verification)
+      end
+
      context "with sockpuppet validation enabled" do
        setup do
          Danbooru.config.unstub(:enable_sock_puppet_validation?)