IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FIX: Password required flag should be cleared whenever clearing the raw password (#5384)

Browse Source
This commit is contained in:
Vinoth Kannan 2017-12-01 09:49:24 +05:30 committed by Sam
parent 9876f3d0ee
commit 7f2eeaf767
7 changed files with 38 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/models/user.rb
View File

@ -452,6 +452,10 @@ class User < ActiveRecord::Base
!!@password_required !!@password_required
end end
def password_validation_required?
password_required? || @raw_password.present?
end
def has_password? def has_password?
password_hash.present? password_hash.present?
end end
@ -1029,6 +1033,7 @@ class User < ActiveRecord::Base
UserAuthToken.where(user_id: id).destroy_all UserAuthToken.where(user_id: id).destroy_all
# We should not carry this around after save # We should not carry this around after save
@raw_password = nil @raw_password = nil
@password_required = false
end end
end end

3
lib/validators/password_validator.rb
View File

@ -3,7 +3,8 @@ require_dependency "common_passwords/common_passwords"
class PasswordValidator < ActiveModel::EachValidator class PasswordValidator < ActiveModel::EachValidator
def validate_each(record, attribute, value) def validate_each(record, attribute, value)
return unless record.password_required? return unless record.password_validation_required?
if value.nil? if value.nil?
record.errors.add(attribute, :blank) record.errors.add(attribute, :blank)
elsif value.length < SiteSetting.min_admin_password_length && (record.admin? || is_developer?(record.email)) elsif value.length < SiteSetting.min_admin_password_length && (record.admin? || is_developer?(record.email))

24
spec/components/validators/password_validator_spec.rb
View File

@ -134,6 +134,19 @@ describe PasswordValidator do
validate validate
expect(record.errors[:password]).to include(password_error_message(:same_as_current)) expect(record.errors[:password]).to include(password_error_message(:same_as_current))
end end
it "validation required if password is required" do
expect(record.password_validation_required?).to eq(true)
end
it "validation not required after save until a new password is set" do
@password = "myoldpassword"
record.save!
record.reload
expect(record.password_validation_required?).to eq(false)
record.password = "mynewpassword"
expect(record.password_validation_required?).to eq(true)
end
end end
context "password not required" do context "password not required" do
@ -144,6 +157,17 @@ describe PasswordValidator do
validate validate
expect(record.errors[:password]).not_to be_present expect(record.errors[:password]).not_to be_present
end end
it "validation required if a password is set" do
@password = "mygameshow"
expect(record.password_validation_required?).to eq(true)
end
it "adds an error even password not required" do
@password = "p"
validate
expect(record.errors[:password]).to be_present
end
end end
end end

8
spec/controllers/session_controller_spec.rb
View File

@ -302,7 +302,7 @@ describe SessionController do
@sso.sso_secret = SiteSetting.sso_secret @sso.sso_secret = SiteSetting.sso_secret
@sso.return_sso_url = "http://somewhere.over.rainbow/sso" @sso.return_sso_url = "http://somewhere.over.rainbow/sso"
@user = Fabricate(:user, password: "frogs", active: true, admin: true) @user = Fabricate(:user, password: "myfrogs123ADMIN", active: true, admin: true)
group = Fabricate(:group) group = Fabricate(:group)
group.add(@user) group.add(@user)
@user.reload @user.reload
@ -314,7 +314,7 @@ describe SessionController do
expect(response).to redirect_to("/login") expect(response).to redirect_to("/login")
post :create, post :create,
params: { login: @user.username, password: "frogs" }, params: { login: @user.username, password: "myfrogs123ADMIN" },
format: :json, format: :json,
xhr: true xhr: true
@ -422,7 +422,7 @@ describe SessionController do
@sso.sso_secret = SiteSetting.sso_secret @sso.sso_secret = SiteSetting.sso_secret
@sso.return_sso_url = "http://somewhere.over.rainbow/sso" @sso.return_sso_url = "http://somewhere.over.rainbow/sso"
@user = Fabricate(:user, password: "frogs", active: true, admin: true) @user = Fabricate(:user, password: "myfrogs123ADMIN", active: true, admin: true)
EmailToken.update_all(confirmed: true) EmailToken.update_all(confirmed: true)
end end
@ -431,7 +431,7 @@ describe SessionController do
expect(response).to redirect_to("/login") expect(response).to redirect_to("/login")
post :create, post :create,
params: { login: @user.username, password: "frogs" }, params: { login: @user.username, password: "myfrogs123ADMIN" },
format: :json, format: :json,
xhr: true xhr: true

4
spec/fabricators/user_fabricator.rb
View File

@ -26,14 +26,14 @@ Fabricator(:evil_trout, from: :user) do
name 'Evil Trout' name 'Evil Trout'
username 'eviltrout' username 'eviltrout'
email 'eviltrout@somewhere.com' email 'eviltrout@somewhere.com'
password 'imafish' password 'imafish123'
end end
Fabricator(:walter_white, from: :user) do Fabricator(:walter_white, from: :user) do
name 'Walter White' name 'Walter White'
username 'heisenberg' username 'heisenberg'
email 'wwhite@bluemeth.com' email 'wwhite@bluemeth.com'
password 'letscook' password 'letscook123'
end end
Fabricator(:inactive_user, from: :user) do Fabricator(:inactive_user, from: :user) do

2
spec/models/user_spec.rb
View File

@ -644,7 +644,7 @@ describe User do
UserAuthToken.generate!(user_id: @user.id) UserAuthToken.generate!(user_id: @user.id)
@user.password = "passwordT" @user.password = "passwordT0"
@user.save! @user.save!
# must expire old token on password change # must expire old token on password change

4
spec/requests/groups_controller_spec.rb
View File

@ -89,10 +89,6 @@ describe GroupsController do
) )
end end
before do
sign_in(user)
end
context "when user is group owner" do context "when user is group owner" do
before do before do
group.add_owner(user) group.add_owner(user)