661a7e5e2d
Avoid Sentry exceptions when attackers try to stuff invalid emails. The browser performs form field validation that should normally prevent this from occurring, so we just return 422 without validation error messages. See similar change in #1996 for sign-in and sign-up
98 lines
3.3 KiB
Ruby
98 lines
3.3 KiB
Ruby
require "test_helper"
|
|
|
|
class JoinCodesControllerTest < ActionDispatch::IntegrationTest
|
|
setup do
|
|
@account = accounts("37s")
|
|
@join_code = account_join_codes(:"37s")
|
|
end
|
|
|
|
test "new" do
|
|
get join_path(code: @join_code.code, script_name: @account.slug)
|
|
|
|
assert_response :success
|
|
assert_in_body "37signals"
|
|
end
|
|
|
|
test "new with an invalid code" do
|
|
get join_path(code: "INVALID-CODE", script_name: @account.slug)
|
|
|
|
assert_response :not_found
|
|
end
|
|
|
|
test "new with an inactive code" do
|
|
@join_code.update!(usage_count: @join_code.usage_limit)
|
|
|
|
get join_path(code: @join_code.code, script_name: @account.slug)
|
|
|
|
assert_response :gone
|
|
assert_in_body "That code is all used up"
|
|
end
|
|
|
|
test "create" do
|
|
assert_difference -> { Identity.count }, 1 do
|
|
assert_difference -> { User.count }, 1 do
|
|
post join_path(code: @join_code.code, script_name: @account.slug), params: { email_address: "new_user@example.com" }
|
|
end
|
|
end
|
|
|
|
assert_redirected_to session_magic_link_url(script_name: nil)
|
|
assert_equal new_users_verification_url(script_name: @account.slug), session[:return_to_after_authenticating]
|
|
end
|
|
|
|
test "create for existing identity" do
|
|
identity = identities(:jz)
|
|
sign_in_as :jz
|
|
|
|
assert identity.users.exists?(account: @account), "JZ should be a member of 37s for this test"
|
|
assert identity.users.find_by!(account: @account).setup?, "JZ's user should be setup for this test"
|
|
|
|
assert_no_difference -> { Identity.count } do
|
|
assert_no_difference -> { User.count } do
|
|
post join_path(code: @join_code.code, script_name: @account.slug), params: { email_address: identity.email_address }
|
|
end
|
|
end
|
|
|
|
assert_redirected_to landing_url(script_name: @account.slug)
|
|
end
|
|
|
|
test "create for signed-in identity without a user in the account redirects to verification" do
|
|
identity = identities(:mike)
|
|
sign_in_as :mike
|
|
|
|
assert_not identity.users.exists?(account: @account), "Mike should not be a member of 37s for this test"
|
|
|
|
assert_no_difference -> { Identity.count } do
|
|
assert_difference -> { User.count }, 1 do
|
|
post join_path(code: @join_code.code, script_name: @account.slug), params: { email_address: identity.email_address }
|
|
end
|
|
end
|
|
|
|
assert_redirected_to new_users_verification_url(script_name: @account.slug)
|
|
end
|
|
|
|
test "create for different identity terminates existing session" do
|
|
sign_in_as :kevin
|
|
|
|
assert_difference -> { Identity.count }, 1 do
|
|
assert_difference -> { User.count }, 1 do
|
|
post join_path(code: @join_code.code, script_name: @account.slug), params: { email_address: "new_user@example.com" }
|
|
end
|
|
end
|
|
|
|
assert_redirected_to session_magic_link_url(script_name: nil)
|
|
assert_not_predicate cookies[:session_token], :present?
|
|
end
|
|
|
|
test "create with invalid email address" do
|
|
# Avoid Sentry exceptions when attackers try to stuff invalid emails into the system
|
|
without_action_dispatch_exception_handling do
|
|
assert_no_difference -> { Identity.count } do
|
|
assert_no_difference -> { User.count } do
|
|
post join_path(code: @join_code.code, script_name: @account.slug), params: { email_address: "not-a-valid-email" }
|
|
end
|
|
end
|
|
assert_response :unprocessable_entity
|
|
end
|
|
end
|
|
end
|