Check honeypot/challenge value on activation too
This commit is contained in:
parent
3eb0afe29b
commit
4f416bf6ce
@ -283,6 +283,7 @@ class UsersController < ApplicationController
|
||||
end
|
||||
|
||||
def perform_account_activation
|
||||
raise Discourse::InvalidAccess.new if honeypot_or_challenge_fails?(params)
|
||||
if @user = EmailToken.confirm(params[:token])
|
||||
|
||||
# Log in the user unless they need to be approved
|
||||
|
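Review bot: The new guard `raise Discourse::InvalidAccess.new if honeypot_or_challenge_fails?(params)` uses `.new` where the idiomatic form passes the class itself, `raise Discourse::InvalidAccess if honeypot_or_challenge_fails?(params)`. Placing the check ahead of `EmailToken.confirm` is the right order, since a rejected request then leaves the token unconsumed; whether `honeypot_or_challenge_fails?` also treats absent `password_confirmation`/`challenge` params as a failure is not visible in this hunk and is worth confirming, because the view's `form_tag` only carries those fields once the page's JS has filled them, and a bare PUT without them should be rejected rather than passed through. A one-line comment above the guard would help the next reader, e.g. `# Reject automated activations: the hidden honeypot/challenge fields must carry the values the page fetched from /users/hp`. perform_account_activation continues past the end of the hunk.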
@ -6,6 +6,7 @@
|
||||
<meta name="description" content="">
|
||||
<%= render partial: "layouts/head" %>
|
||||
<%= raw SiteContent.content_for(:head) %>
|
||||
<%= yield(:no_js_head) %>
|
||||
</head>
|
||||
<body>
|
||||
<%- unless customization_disabled? %>
|
||||
|
@ -1,26 +1,40 @@
|
||||
<div id='simple-container'>
|
||||
|
||||
<h2><%= t 'activation.welcome_to', site_name: SiteSetting.title %></h2>
|
||||
<br/>
|
||||
<button class='btn' id='activate-account-button'><%= t 'activation.action' %></button>
|
||||
|
||||
<%= form_tag(perform_activate_account_path, method: :put, id: 'activate-account-form') do %>
|
||||
<%= hidden_field_tag 'password_confirmation' %>
|
||||
<%= hidden_field_tag 'challenge' %>
|
||||
<% end %>
|
||||
</div>
|
||||
|
||||
<%- content_for(:no_js_head) do %>
|
||||
<%= script "vendor" %>
|
||||
<%- end %>
|
||||
|
||||
<script language="javascript">
|
||||
(function() {
|
||||
var t1 = new Date().getTime(),
|
||||
button = document.getElementById('activate-account-button'),
|
||||
form = document.getElementById('activate-account-form');
|
||||
function activateAccount() {
|
||||
$('#activate-account-button').prop('disabled', true);
|
||||
$.ajax("/users/hp").then(function(hp) {
|
||||
$('#password_confirmation').val(hp.value);
|
||||
$('#challenge').val(hp.challenge.split("").reverse().join(""));
|
||||
$('#activate-account-form').submit();
|
||||
}).fail(function() {
|
||||
$('#activate-account-button').prop('disabled', false);
|
||||
console.log('test');
|
||||
});
|
||||
}
|
||||
|
||||
button.addEventListener('click', function() {
|
||||
var diff = new Date().getTime() - t1;
|
||||
var t0 = new Date().getTime();
|
||||
$('#activate-account-button').on('click', function() {
|
||||
var diff = new Date().getTime() - t0;
|
||||
|
||||
// Ensure the form has been visible for a few ms before allowing the
|
||||
// user to submit.
|
||||
if (diff > 50) {
|
||||
form.submit();
|
||||
activateAccount();
|
||||
}
|
||||
});
|
||||
})();
|
||||
|
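Review bot: The `.fail` handler inside `activateAccount()` still carries a leftover debugging statement, `console.log('test');`, which should be removed before this ships; if a log line is kept it should say what failed, e.g. `console.log('activation: could not fetch honeypot values');`. Because the handler re-enables the button, the user can click again and retry, but nothing tells them the `/users/hp` request failed, so a visible error message would serve better than a console line. The enclosing `<script language="javascript">` tag uses the deprecated `language` attribute; it looks like a context line rather than part of this change, but `<script>` alone would do.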
@ -2,11 +2,6 @@ require 'spec_helper'
|
||||
|
||||
describe UsersController do
|
||||
|
||||
before do
|
||||
UsersController.any_instance.stubs(:honeypot_value).returns(nil)
|
||||
UsersController.any_instance.stubs(:challenge_value).returns(nil)
|
||||
end
|
||||
|
||||
describe '.show' do
|
||||
let!(:user) { log_in }
|
||||
|
||||
@ -78,6 +73,10 @@ describe UsersController do
|
||||
end
|
||||
|
||||
describe '.activate_account' do
|
||||
before do
|
||||
UsersController.any_instance.stubs(:honeypot_or_challenge_fails?).returns(false)
|
||||
end
|
||||
|
||||
context 'invalid token' do
|
||||
before do
|
||||
EmailToken.expects(:confirm).with('asdfasdf').returns(nil)
|
||||
@ -112,7 +111,14 @@ describe UsersController do
|
||||
user.expects(:enqueue_welcome_message).with('welcome_user').never
|
||||
put :perform_account_activation, token: 'asdfasdf'
|
||||
end
|
||||
end
|
||||
|
||||
context "honeypot" do
|
||||
it "raises an error if the honeypot is invalid" do
|
||||
UsersController.any_instance.stubs(:honeypot_or_challenge_fails?).returns(true)
|
||||
put :perform_account_activation, token: 'asdfasdf'
|
||||
response.should_not be_success
|
||||
end
|
||||
end
|
||||
|
||||
context 'response' do
|
||||
@ -137,7 +143,6 @@ describe UsersController do
|
||||
it "doesn't set @needs_approval" do
|
||||
assigns[:needs_approval].should be_blank
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
context 'user is not approved' do
|
||||
@ -268,7 +273,10 @@ describe UsersController do
|
||||
end
|
||||
|
||||
describe '#create' do
|
||||
|
||||
before do
|
||||
UsersController.any_instance.stubs(:honeypot_value).returns(nil)
|
||||
UsersController.any_instance.stubs(:challenge_value).returns(nil)
|
||||
SiteSetting.stubs(:allow_new_registrations).returns(true)
|
||||
@user = Fabricate.build(:user)
|
||||
@user.password = "strongpassword"
|
||||
|
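Review bot: The new example in `context "honeypot"` (the `@ -112,7 +111,14 @@` hunk) asserts only `response.should_not be_success`, which would also pass if the request failed for an unrelated reason; it should additionally pin that a rejected honeypot never consumes the token, `EmailToken.expects(:confirm).never`, since that is the property the controller's early `raise` is meant to provide. The `before` block added to `describe '.activate_account'` stubs `honeypot_or_challenge_fails?` to false for every example in that group, so the real check against `params` is not exercised by this spec; presumably it is covered where the helper is defined, but that is worth confirming. The example's name says it "raises an error" while the assertion checks the response status; either rename it to describe the rejected response or assert the failure mode directly.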