Add a Restricted user level. Restricted users are level 10, below Members. New users start out as Restricted if they sign up from a proxy or from an IP recently used by another user. Restricted users can't update or edit any public content on the site until they verify their email address, at which point they're promoted to Member. Restricted users are only allowed to do personal actions like keeping favorites, favgroups and saved searches, marking dmails as read or deleted, or marking forum posts as read. The restricted state already existed before; the only change here is that it's now an actual user level instead of a hidden state. Before, it was based on two hidden flags on the user: the `requires_verification` flag (set when a user signs up from a proxy, etc.) and the `is_verified` flag (set after the user verifies their email). Making it a user level means that the Restricted status is now shown publicly. Introducing a new level below Member means that every place that used `is_member?` to check that the current user is logged in now has to use `!is_anonymous` instead.
require "test_helper"
|
|
|
|
class EmailsControllerTest < ActionDispatch::IntegrationTest
|
|
include UsersHelper
|
|
|
|
context "in all cases" do
|
|
setup do
|
|
@user = create(:user, email_address: build(:email_address, { address: "bob@ogres.net", is_verified: false }))
|
|
@other_user = create(:user, email_address: build(:email_address, { address: "alice@ogres.net", is_verified: false }))
|
|
@restricted_user = create(:restricted_user, email_address: build(:email_address, { is_verified: false }))
|
|
end
|
|
|
|
context "#index" do
|
|
should "not let regular users see emails belonging to other users" do
|
|
get_auth emails_path, @user
|
|
assert_response 403
|
|
end
|
|
|
|
should "let mods see emails belonging to themselves and all users below mod level" do
|
|
@mod1 = create(:moderator_user, email_address: build(:email_address))
|
|
@mod2 = create(:moderator_user, email_address: build(:email_address))
|
|
|
|
get_auth emails_path, @mod1
|
|
|
|
assert_response :success
|
|
assert_select "#email-address-#{@user.email_address.id}", count: 1
|
|
assert_select "#email-address-#{@other_user.email_address.id}", count: 1
|
|
assert_select "#email-address-#{@mod1.email_address.id}", count: 1
|
|
assert_select "#email-address-#{@mod2.email_address.id}", count: 0
|
|
end
|
|
end
|
|
|
|
context "#show" do
|
|
should "render" do
|
|
get_auth user_email_path(@user), @user, as: :json
|
|
assert_response :success
|
|
end
|
|
|
|
should "not show email addresses to other users" do
|
|
get_auth user_email_path(@user), @other_user, as: :json
|
|
assert_response 403
|
|
end
|
|
end
|
|
|
|
context "#edit" do
|
|
context "for a user with an email address" do
|
|
should "render" do
|
|
get_auth edit_user_email_path(@user), @user
|
|
assert_equal true, @user.email_address.present?
|
|
assert_response :success
|
|
end
|
|
end
|
|
|
|
context "for a user without an email address" do
|
|
should "render" do
|
|
@user.email_address.destroy!
|
|
@user.reload_email_address
|
|
get_auth edit_user_email_path(@user), @user
|
|
|
|
assert_equal false, @user.email_address.present?
|
|
assert_response :success
|
|
assert_select "h1", text: "Add Email"
|
|
end
|
|
end
|
|
|
|
context "for a restricted user" do
|
|
should "render" do
|
|
get_auth edit_user_email_path(@restricted_user), @restricted_user
|
|
assert_response :success
|
|
end
|
|
end
|
|
|
|
context "for an unauthorized user" do
|
|
should "render" do
|
|
get_auth edit_user_email_path(@user), @other_user
|
|
assert_response 403
|
|
end
|
|
end
|
|
end
|
|
|
|
context "#update" do
|
|
context "with the correct password" do
|
|
should "update an existing address" do
|
|
assert_difference("EmailAddress.count", 0) do
|
|
put_auth user_email_path(@user), @user, params: { user: { password: "password", email: "abc@ogres.net" }}
|
|
end
|
|
|
|
assert_redirected_to(settings_path)
|
|
assert_equal("abc@ogres.net", @user.reload.email_address.address)
|
|
assert_equal(false, @user.email_address.is_verified)
|
|
assert_enqueued_email_with UserMailer, :email_change_confirmation, args: [@user], queue: "default"
|
|
end
|
|
|
|
should "create a new address" do
|
|
@user.email_address.destroy
|
|
|
|
assert_difference("EmailAddress.count", 1) do
|
|
put_auth user_email_path(@user), @user, params: { user: { password: "password", email: "abc@ogres.net" }}
|
|
end
|
|
|
|
assert_redirected_to(settings_path)
|
|
assert_equal("abc@ogres.net", @user.reload.email_address.address)
|
|
assert_equal(false, @user.reload.email_address.is_verified)
|
|
assert_enqueued_email_with UserMailer, :email_change_confirmation, args: [@user], queue: "default"
|
|
end
|
|
end
|
|
|
|
context "with the incorrect password" do
|
|
should "not work" do
|
|
put_auth user_email_path(@user), @user, params: { user: { password: "passwordx", email: "abc@ogres.net" }}
|
|
|
|
assert_response :success
|
|
assert_equal("bob@ogres.net", @user.reload.email_address.address)
|
|
assert_no_emails
|
|
end
|
|
end
|
|
end
|
|
|
|
context "#verify" do
|
|
context "with a correct verification key" do
|
|
should "mark the email address as verified" do
|
|
assert_equal(false, @user.reload.email_address.is_verified)
|
|
get email_verification_url(@user)
|
|
|
|
assert_redirected_to @user
|
|
assert_equal(true, @user.reload.email_address.is_verified)
|
|
end
|
|
end
|
|
|
|
context "with an incorrect verification key" do
|
|
should "not mark the email address as verified" do
|
|
get verify_user_email_path(@user, email_verification_key: @other_user.email_address.verification_key)
|
|
|
|
assert_response 403
|
|
assert_equal(false, @user.reload.email_address.is_verified)
|
|
end
|
|
end
|
|
|
|
context "for a Restricted user" do
|
|
context "with a nondisposable email address" do
|
|
should "unrestrict the user's account" do
|
|
Danbooru.config.stubs(:email_domain_verification_list).returns(["gmail.com"])
|
|
@restricted_user.email_address.update!(address: "test@gmail.com")
|
|
|
|
get email_verification_url(@restricted_user)
|
|
|
|
assert_redirected_to @restricted_user
|
|
assert_equal(true, @restricted_user.reload.email_address.is_verified)
|
|
assert_equal(false, @restricted_user.is_restricted?)
|
|
assert_equal(true, @restricted_user.is_member?)
|
|
end
|
|
end
|
|
|
|
context "with a disposable email address" do
|
|
should "leave the user's account restricted" do
|
|
Danbooru.config.stubs(:email_domain_verification_list).returns(["gmail.com"])
|
|
@restricted_user.email_address.update!(address: "test@mailinator.com")
|
|
|
|
get email_verification_url(@restricted_user)
|
|
|
|
assert_redirected_to @restricted_user
|
|
assert_equal(true, @restricted_user.reload.email_address.is_verified)
|
|
assert_equal(true, @restricted_user.is_restricted?)
|
|
assert_equal(false, @restricted_user.is_member?)
|
|
end
|
|
end
|
|
end
|
|
|
|
context "for a Gold user" do
|
|
should "not change the user's level" do
|
|
@user = create(:gold_user, email_address: build(:email_address, { address: "test@gmail.com", is_verified: false }))
|
|
Danbooru.config.stubs(:email_domain_verification_list).returns(["gmail.com"])
|
|
|
|
get email_verification_url(@user)
|
|
|
|
assert_redirected_to @user
|
|
assert_equal(true, @user.reload.email_address.is_verified)
|
|
assert_equal(false, @user.is_restricted?)
|
|
assert_equal(true, @user.is_gold?)
|
|
end
|
|
end
|
|
|
|
context "for a user without an email address" do
|
|
should "redirect to the add email page" do
|
|
@user.email_address.destroy!
|
|
get_auth verify_user_email_path(@user), @user
|
|
assert_redirected_to edit_user_email_path(@user)
|
|
end
|
|
end
|
|
|
|
context "for a user with an unverified email address" do
|
|
should "show the resend confirmation email page" do
|
|
get_auth verify_user_email_path(@user), @user
|
|
assert_response :success
|
|
end
|
|
end
|
|
|
|
context "for an unauthorized user" do
|
|
should "fail" do
|
|
get_auth verify_user_email_path(@user), @other_user
|
|
assert_response 403
|
|
end
|
|
end
|
|
end
|
|
|
|
context "#send_confirmation" do
|
|
context "for an authorized user" do
|
|
should "resend the confirmation email" do
|
|
post_auth send_confirmation_user_email_path(@user), @user
|
|
|
|
assert_redirected_to @user
|
|
assert_enqueued_emails 1
|
|
end
|
|
end
|
|
|
|
context "for an unauthorized user" do
|
|
should "fail" do
|
|
post_auth send_confirmation_user_email_path(@user), @other_user
|
|
|
|
assert_response 403
|
|
assert_no_enqueued_emails
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
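Review bot: The `#update` context only exercises `@user`, so nothing checks that a restricted user can actually submit a new address through `put_auth user_email_path(@restricted_user), @restricted_user, ...`, even though `#edit` is covered for that role and email verification is the route by which this commit promotes a Restricted user to Member. A case mirroring "update an existing address" would pin that the address changes, that the account stays restricted until `#verify` runs, and that `email_change_confirmation` is enqueued for `@restricted_user`; I am assuming the `:restricted_user` factory uses the same "password" as `:user`, which is not visible here. Separately, the Gold case reassigns `@user` from setup; naming it `@gold_user`, consistent with `@restricted_user`, avoids shadowing the fixture the sibling contexts rely on. In "create a new address", the second `@user.reload` before `email_address.is_verified` repeats the reload already done on the previous line and differs from the "update an existing address" case, which does not reload there.
```ruby
    context "#update" do
      # … unchanged: "with the correct password" and "with the incorrect password" contexts …

      context "for a restricted user" do
        should "update the address without changing the user's level" do
          put_auth user_email_path(@restricted_user), @restricted_user, params: { user: { password: "password", email: "abc@ogres.net" }}

          assert_redirected_to(settings_path)
          assert_equal("abc@ogres.net", @restricted_user.reload.email_address.address)
          assert_equal(false, @restricted_user.email_address.is_verified)
          assert_equal(true, @restricted_user.is_restricted?)
          assert_enqueued_email_with UserMailer, :email_change_confirmation, args: [@restricted_user], queue: "default"
        end
      end
    end
```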