Anonymous users are now silently renamed upon signup in case of conflict

This commit is contained in:
Ruben Vereecken 2014-07-10 18:00:32 +02:00
parent 6e593b2ec0
commit 94210fc461
3 changed files with 68 additions and 27 deletions

View file

@ -30,6 +30,9 @@ UserSchema.methods.isAdmin = ->
p = @get('permissions') p = @get('permissions')
return p and 'admin' in p return p and 'admin' in p
UserSchema.methods.isAnonymous = ->
@get 'anonymous'
UserSchema.methods.trackActivity = (activityName, increment) -> UserSchema.methods.trackActivity = (activityName, increment) ->
now = new Date() now = new Date()
increment ?= parseInt increment or 1 increment ?= parseInt increment or 1
@ -109,6 +112,30 @@ UserSchema.statics.updateMailChimp = (doc, callback) ->
mc?.lists.subscribe params, onSuccess, onFailure mc?.lists.subscribe params, onSuccess, onFailure
UserSchema.statics.unconflictName = unconflictName = (name, done) ->
User.findOne {slug: _.str.slugify(name)}, (err, otherUser) ->
return done err if err?
return done null, name unless otherUser
suffix = _.random(0, 9) + ''
unconflictName name + suffix, done
UserSchema.methods.register = (done) ->
@set('anonymous', false)
@set('permissions', ['admin']) if not isProduction
if (name = @get 'name')? and name isnt ''
unconflictName name, (err, uniqueName) =>
return done err if err
@set 'name', uniqueName
done()
else done()
data =
email_id: sendwithus.templates.welcome_email
recipient:
address: @get 'email'
sendwithus.api.send data, (err, result) ->
log.error "sendwithus post-save error: #{err}, result: #{result}" if err
UserSchema.pre('save', (next) -> UserSchema.pre('save', (next) ->
@set('emailLower', @get('email')?.toLowerCase()) @set('emailLower', @get('email')?.toLowerCase())
@set('nameLower', @get('name')?.toLowerCase()) @set('nameLower', @get('name')?.toLowerCase())
@ -116,16 +143,10 @@ UserSchema.pre('save', (next) ->
if @get('password') if @get('password')
@set('passwordHash', User.hashPassword(pwd)) @set('passwordHash', User.hashPassword(pwd))
@set('password', undefined) @set('password', undefined)
if @get('email') and @get('anonymous') if @get('email') and @get('anonymous') # a user registers
@set('anonymous', false) @register next
@set('permissions', ['admin']) if not isProduction else
data = next()
email_id: sendwithus.templates.welcome_email
recipient:
address: @get 'email'
sendwithus.api.send data, (err, result) ->
log.error "sendwithus post-save error: #{err}, result: #{result}" if err
next()
) )
UserSchema.post 'save', (doc) -> UserSchema.post 'save', (doc) ->

View file

@ -104,7 +104,8 @@ UserHandler = class UserHandler extends Handler
return callback(null, req, user) unless req.body.name return callback(null, req, user) unless req.body.name
nameLower = req.body.name?.toLowerCase() nameLower = req.body.name?.toLowerCase()
return callback(null, req, user) unless nameLower return callback(null, req, user) unless nameLower
return callback(null, req, user) if nameLower is user.get('nameLower') and not user.get('anonymous') return callback(null, req, user) if user.get 'anonymous' # anonymous users can have any name
return callback(null, req, user) if nameLower is user.get('nameLower')
User.findOne({nameLower: nameLower, anonymous: false}).exec (err, otherUser) -> User.findOne({nameLower: nameLower, anonymous: false}).exec (err, otherUser) ->
log.error "Database error setting user name: #{err}" if err log.error "Database error setting user name: #{err}" if err
return callback(res: 'Database error.', code: 500) if err return callback(res: 'Database error.', code: 500) if err

View file

@ -110,24 +110,13 @@ describe 'POST /db/user', ->
it 'should allow multiple anonymous users with same name', (done) -> it 'should allow multiple anonymous users with same name', (done) ->
createAnonNameUser('Jim', done) createAnonNameUser('Jim', done)
it 'should not allow setting existing user name to anonymous user', (done) -> it 'should allow setting existing user name to anonymous user', (done) ->
createAnonUser = ->
request.post getURL('/auth/logout'), ->
request.get getURL('/auth/whoami'), ->
req = request.post(getURL('/db/user'), (err, response) ->
expect(response.statusCode).toBe(409)
done()
)
form = req.form()
form.append('name', 'Jim')
req = request.post(getURL('/db/user'), (err, response, body) -> req = request.post(getURL('/db/user'), (err, response, body) ->
expect(response.statusCode).toBe(200) expect(response.statusCode).toBe(200)
request.get getURL('/auth/whoami'), (request, response, body) -> request.get getURL('/auth/whoami'), (request, response, body) ->
res = JSON.parse(response.body) res = JSON.parse(response.body)
expect(res.anonymous).toBeFalsy() expect(res.anonymous).toBeFalsy()
createAnonUser() createAnonNameUser 'Jim', done
) )
form = req.form() form = req.form()
form.append('email', 'new@user.com') form.append('email', 'new@user.com')
@ -212,6 +201,39 @@ ghlfarghlarghlfarghlarghlfarghlarghlfarghlarghlfarghlarghlfarghlarghlfarghlarghl
form.append('email', 'New@email.com') form.append('email', 'New@email.com')
form.append('name', 'Wilhelm') form.append('name', 'Wilhelm')
it 'should not allow two users with the same name slug', (done) ->
loginSam (sam) ->
samsName = sam.get 'name'
sam.set 'name', 'admin'
request.put {uri:getURL(urlUser + '/' + sam.id), json: sam.toObject()}, (err, response) ->
expect(err).toBeNull()
expect(response.statusCode).toBe 409
sam.set 'name', samsName
done()
it 'should silently rename an anonymous user if their name conflicts upon signup', (done) ->
request.post getURL('/auth/logout'), ->
request.get getURL('/auth/whoami'), ->
req = request.post getURL('/db/user'), (err, response) ->
expect(response.statusCode).toBe(200)
request.get getURL('/auth/whoami'), (err, response) ->
expect(err).toBeNull()
guy = JSON.parse(response.body)
expect(guy.anonymous).toBeTruthy()
expect(guy.name).toEqual 'admin'
guy.email = 'blub@blub' # Email means registration
req = request.post {url: getURL('/db/user'), json: guy}, (err, response) ->
expect(err).toBeNull()
finalGuy = response.body
expect(finalGuy.anonymous).toBeFalsy()
expect(finalGuy.name).not.toEqual guy.name
expect(finalGuy.name.length).toBe guy.name.length + 1
done()
form = req.form()
form.append('name', 'admin')
describe 'GET /db/user', -> describe 'GET /db/user', ->
it 'logs in as admin', (done) -> it 'logs in as admin', (done) ->
@ -293,6 +315,3 @@ describe 'GET /db/user', ->