diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 0198d9378..479839a7e 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -140,83 +140,83 @@ class UsersController < ApplicationController def create - if params[:password_confirmation] != honeypot_value || params[:challenge] != challenge_value.try(:reverse) + if honeypot_or_challenge_fails?(params) # Don't give any indication that we caught you in the honeypot - return render(json: {success: true, active: false, message: I18n.t("login.activate_email", email: params[:email]) }) + honey_pot_response = { + success: true, + active: false, + message: I18n.t("login.activate_email", email: params[:email]) + } + return render(json: honey_pot_response) end - user = User.new - user.name = params[:name] - user.email = params[:email] - user.password = params[:password] - user.username = params[:username] + user = User.new_from_params(params) auth = session[:authentication] - if auth && auth[:email] == params[:email] && auth[:email_valid] + if valid_session_authentication?(auth, params[:email]) user.active = true end user.password_required! unless auth - DiscourseHub.register_nickname( user.username, user.email ) if user.valid? && SiteSetting.call_discourse_hub? + if user.valid? && SiteSetting.call_discourse_hub? + DiscourseHub.register_nickname(user.username, user.email) + end if user.save - msg = nil - active_result = user.active? - if active_result + active_user = user.active? + if active_user # If the user is active (remote authorized email) if SiteSetting.must_approve_users? msg = I18n.t("login.wait_approval") - active_result = false + active_user = false else log_on_user(user) user.enqueue_welcome_message('welcome_user') msg = I18n.t("login.active") end - else msg = I18n.t("login.activate_email", email: user.email) - Jobs.enqueue(:user_email, type: :signup, user_id: user.id, email_token: user.email_tokens.first.token) - end - - # Create auth records - if auth.present? - if auth[:twitter_user_id] && auth[:twitter_screen_name] && TwitterUserInfo.find_by_twitter_user_id(auth[:twitter_user_id]).nil? - TwitterUserInfo.create(user_id: user.id, screen_name: auth[:twitter_screen_name], twitter_user_id: auth[:twitter_user_id]) - end - - if auth[:facebook].present? && FacebookUserInfo.find_by_facebook_user_id(auth[:facebook][:facebook_user_id]).nil? - FacebookUserInfo.create!(auth[:facebook].merge(user_id: user.id)) - end - - if auth[:github_user_id] && auth[:github_screen_name] && GithubUserInfo.find_by_github_user_id(auth[:github_user_id]).nil? - GithubUserInfo.create(user_id: user.id, screen_name: auth[:github_screen_name], github_user_id: auth[:github_user_id]) - end + Jobs.enqueue( + :user_email, type: :signup, user_id: user.id, + email_token: user.email_tokens.first.token + ) end + # Create 3rd party auth records (Twitter, Facebook, GitHub) + create_third_party_auth_records(user, auth) if auth.present? # Clear authentication session. session[:authentication] = nil # JSON result - render json: {success: true, active: active_result, message: msg } + render json: { success: true, active: active_user, message: msg } else - render json: {success: false, message: I18n.t("login.errors", errors: user.errors.full_messages.join("\n"))} + render json: { + success: false, + message: I18n.t("login.errors", errors: user.errors.full_messages.join("\n")) + } end rescue ActiveRecord::StatementInvalid - render json: {success: false, message: I18n.t("login.something_already_taken")} + render json: { success: false, message: I18n.t("login.something_already_taken") } rescue DiscourseHub::NicknameUnavailable - render json: {success: false, message: I18n.t("login.errors", errors:I18n.t("login.not_available", suggestion: User.suggest_username(params[:username])) )} + render json: { success: false, + message: I18n.t( + "login.errors", + errors:I18n.t( + "login.not_available", suggestion: User.suggest_username(params[:username]) + ) + ) + } rescue RestClient::Forbidden - render json: {errors: [I18n.t("discourse_hub.access_token_problem")]} + render json: { errors: [I18n.t("discourse_hub.access_token_problem")] } end def get_honeypot_value render json: {value: honeypot_value, challenge: challenge_value} end - # all avatars are funneled through here def avatar @@ -224,13 +224,10 @@ class UsersController < ApplicationController # raise ActiveRecord::RecordNotFound user = User.select(:email).where(username_lower: params[:username].downcase).first - if user - # for now we only support gravatar in square (redirect cached for a day), later we can use x-sendfile and/or a cdn to serve local - size = params[:size].to_i - size = 64 if size == 0 - size = 10 if size < 10 - size = 128 if size > 128 - + if user.present? + # for now we only support gravatar in square (redirect cached for a day), + # later we can use x-sendfile and/or a cdn to serve local + size = determine_avatar_size(params[:size]) url = user.avatar_template.gsub("{size}", size.to_s) expires_in 1.day redirect_to url @@ -270,14 +267,18 @@ class UsersController < ApplicationController guardian.ensure_can_edit!(user) # Raise an error if the email is already in use - raise Discourse::InvalidParameters.new(:email) if User.where("lower(email) = ?", params[:email].downcase).exists? + if User.where("lower(email) = ?", params[:email].downcase).exists? + raise Discourse::InvalidParameters.new(:email) + end email_token = user.email_tokens.create(email: params[:email]) - Jobs.enqueue(:user_email, - to_address: params[:email], - type: :authorize_email, - user_id: user.id, - email_token: email_token.token) + Jobs.enqueue( + :user_email, + to_address: params[:email], + type: :authorize_email, + user_id: user.id, + email_token: email_token.token + ) render nothing: true end @@ -327,8 +328,8 @@ class UsersController < ApplicationController results = UserSearch.search term, topic_id - render json: { users: results.as_json( only: [ :username, :name ], - methods: :avatar_template ) } + render json: { users: results.as_json(only: [ :username, :name ], + methods: :avatar_template) } end private @@ -351,4 +352,58 @@ class UsersController < ApplicationController guardian.ensure_can_see!(user) user end + + def honeypot_or_challenge_fails?(params) + params[:password_confirmation] != honeypot_value || + params[:challenge] != challenge_value.try(:reverse) + end + + def valid_session_authentication?(auth, email) + auth && auth[:email] == email && auth[:email_valid] + end + + def create_third_party_auth_records(user, auth) + if twitter_auth?(auth) + TwitterUserInfo.create( + user_id: user.id, + screen_name: auth[:twitter_screen_name], + twitter_user_id: auth[:twitter_user_id] + ) + end + + if facebook_auth?(auth) + FacebookUserInfo.create!(auth[:facebook].merge(user_id: user.id)) + end + + if github_auth?(auth) + GithubUserInfo.create( + user_id: user.id, + screen_name: auth[:github_screen_name], + github_user_id: auth[:github_user_id] + ) + end + end + + def twitter_auth?(auth) + auth[:twitter_user_id] && auth[:twitter_screen_name] && + TwitterUserInfo.find_by_twitter_user_id(auth[:twitter_user_id]).nil? + end + + def facebook_auth?(auth) + auth[:facebook].present? && + FacebookUserInfo.find_by_facebook_user_id(auth[:facebook][:facebook_user_id]).nil? + end + + def github_auth?(auth) + auth[:github_user_id] && auth[:github_screen_name] && + GithubUserInfo.find_by_github_user_id(auth[:github_user_id]).nil? + end + + def determine_avatar_size(size) + size = size.to_i + size = 64 if size == 0 + size = 10 if size < 10 + size = 128 if size > 128 + size + end end diff --git a/app/models/user.rb b/app/models/user.rb index 760167e8d..600b6f280 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -102,6 +102,15 @@ class User < ActiveRecord::Base find_available_username_based_on(name) end + def self.new_from_params(params) + user = User.new + user.name = params[:name] + user.email = params[:email] + user.password = params[:password] + user.username = params[:username] + user + end + def self.create_for_email(email, opts={}) username = suggest_username(email) diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb index f3676dc0a..b99926fc7 100644 --- a/spec/controllers/users_controller_spec.rb +++ b/spec/controllers/users_controller_spec.rb @@ -277,12 +277,14 @@ describe UsersController do context 'when creating a non active user (unconfirmed email)' do it 'should enqueue a signup email' do Jobs.expects(:enqueue).with(:user_email, has_entries(type: :signup)) - xhr :post, :create, name: @user.name, username: @user.username, password: "strongpassword", email: @user.email + xhr :post, :create, name: @user.name, username: @user.username, + password: "strongpassword", email: @user.email end it "doesn't send a welcome email" do User.any_instance.expects(:enqueue_welcome_message).with('welcome_user').never - xhr :post, :create, name: @user.name, username: @user.username, password: "strongpassword", email: @user.email + xhr :post, :create, name: @user.name, username: @user.username, + password: "strongpassword", email: @user.email end end @@ -294,7 +296,8 @@ describe UsersController do it 'should enqueue a signup email' do User.any_instance.expects(:enqueue_welcome_message).with('welcome_user') - xhr :post, :create, name: @user.name, username: @user.username, password: "strongpassword", email: @user.email + xhr :post, :create, name: @user.name, username: @user.username, + password: "strongpassword", email: @user.email end it "should be logged in" do @@ -309,6 +312,7 @@ describe UsersController do ::JSON.parse(response.body)['active'].should == true end + context 'when approving of users is required' do before do SiteSetting.expects(:must_approve_users).returns(true) @@ -322,14 +326,51 @@ describe UsersController do it "doesn't return active in the JSON" do ::JSON.parse(response.body)['active'].should == false end - end + context 'authentication records for' do + + before do + SiteSetting.expects(:must_approve_users).returns(true) + end + + it 'should create twitter user info if none exists' do + twitter_auth = { twitter_user_id: 42, twitter_screen_name: "bruce" } + session[:authentication] = twitter_auth + TwitterUserInfo.expects(:find_by_twitter_user_id).returns(nil) + TwitterUserInfo.expects(:create) + + xhr :post, :create, name: @user.name, username: @user.username, + password: "strongpassword", email: @user.email + end + + it 'should create facebook user info if none exists' do + fb_auth = { facebook: { facebook_user_id: 42} } + session[:authentication] = fb_auth + FacebookUserInfo.expects(:find_by_facebook_user_id).returns(nil) + FacebookUserInfo.expects(:create!) + + xhr :post, :create, name: @user.name, username: @user.username, + password: "strongpassword", email: @user.email + end + + it 'should create github user info if none exists' do + gh_auth = { github_user_id: 2, github_screen_name: "bruce" } + session[:authentication] = gh_auth + GithubUserInfo.expects(:find_by_github_user_id).returns(nil) + GithubUserInfo.expects(:create) + + xhr :post, :create, name: @user.name, username: @user.username, + password: "strongpassword", email: @user.email + end + + end end context 'after success' do before do - xhr :post, :create, name: @user.name, username: @user.username, password: "strongpassword", email: @user.email + xhr :post, :create, name: @user.name, username: @user.username, + password: "strongpassword", email: @user.email end it 'should succeed' do @@ -403,13 +444,22 @@ describe UsersController do it_should_behave_like 'failed signup' end - context 'when InvalidStatement is raised' do - before do - User.any_instance.stubs(:save).raises(ActiveRecord::StatementInvalid) + context 'when an Exception is raised' do + + [ ActiveRecord::StatementInvalid, + DiscourseHub::NicknameUnavailable, + RestClient::Forbidden ].each do |exception| + before { User.any_instance.stubs(:save).raises(exception) } + + let(:create_params) { + { name: @user.name, username: @user.username, + password: "strongpassword", email: @user.email} + } + + it_should_behave_like 'failed signup' end - let(:create_params) { {name: @user.name, username: @user.username, password: "strongpassword", email: @user.email} } - it_should_behave_like 'failed signup' end + end context '.username' do @@ -704,7 +754,9 @@ describe UsersController do context 'not logged in' do it 'raises an error when not logged in' do - lambda { xhr :put, :update, username: 'somename' }.should raise_error(Discourse::NotLoggedIn) + expect do + xhr :put, :update, username: 'somename' + end.to raise_error(Discourse::NotLoggedIn) end end @@ -735,7 +787,6 @@ describe UsersController do end end end - end describe "search_users" do