mirror of
https://github.com/lunaisnotaboy/mastodon.git
synced 2024-11-18 12:52:52 +00:00
964ae8eee5
Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
93 lines
2.3 KiB
Ruby
93 lines
2.3 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require 'rails_helper'
|
|
|
|
class FakeService; end
|
|
|
|
describe Api::BaseController do
|
|
controller do
|
|
def success
|
|
head 200
|
|
end
|
|
|
|
def error
|
|
FakeService.new
|
|
end
|
|
end
|
|
|
|
describe 'forgery protection' do
|
|
before do
|
|
routes.draw { post 'success' => 'api/base#success' }
|
|
end
|
|
|
|
it 'does not protect from forgery' do
|
|
ActionController::Base.allow_forgery_protection = true
|
|
post 'success'
|
|
expect(response).to have_http_status(200)
|
|
end
|
|
end
|
|
|
|
describe 'non-functional accounts handling' do
|
|
let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) }
|
|
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') }
|
|
|
|
controller do
|
|
before_action :require_user!
|
|
end
|
|
|
|
before do
|
|
routes.draw { post 'success' => 'api/base#success' }
|
|
allow(controller).to receive(:doorkeeper_token) { token }
|
|
end
|
|
|
|
it 'returns http forbidden for unconfirmed accounts' do
|
|
user.update(confirmed_at: nil)
|
|
post 'success'
|
|
expect(response).to have_http_status(403)
|
|
end
|
|
|
|
it 'returns http forbidden for pending accounts' do
|
|
user.update(approved: false)
|
|
post 'success'
|
|
expect(response).to have_http_status(403)
|
|
end
|
|
|
|
it 'returns http forbidden for disabled accounts' do
|
|
user.update(disabled: true)
|
|
post 'success'
|
|
expect(response).to have_http_status(403)
|
|
end
|
|
|
|
it 'returns http forbidden for suspended accounts' do
|
|
user.account.suspend!
|
|
post 'success'
|
|
expect(response).to have_http_status(403)
|
|
end
|
|
end
|
|
|
|
describe 'error handling' do
|
|
ERRORS_WITH_CODES = {
|
|
ActiveRecord::RecordInvalid => 422,
|
|
Mastodon::ValidationError => 422,
|
|
ActiveRecord::RecordNotFound => 404,
|
|
Mastodon::UnexpectedResponseError => 503,
|
|
HTTP::Error => 503,
|
|
OpenSSL::SSL::SSLError => 503,
|
|
Mastodon::NotPermittedError => 403,
|
|
}
|
|
|
|
before do
|
|
routes.draw { get 'error' => 'api/base#error' }
|
|
end
|
|
|
|
ERRORS_WITH_CODES.each do |error, code|
|
|
it "Handles error class of #{error}" do
|
|
expect(FakeService).to receive(:new).and_raise(error)
|
|
|
|
get 'error'
|
|
expect(response).to have_http_status(code)
|
|
end
|
|
end
|
|
end
|
|
end
|