fix(users): don't expose email of accounts already confirmed

This commit is contained in:
Colin Darie 2024-07-29 11:40:27 +02:00
parent 7c51c38f15
commit a6554aa7bf
No known key found for this signature in database
GPG key ID: 4FB865FDBCA4BCC4
4 changed files with 37 additions and 3 deletions

View file

@ -13,9 +13,19 @@ class Users::ConfirmationsController < Devise::ConfirmationsController
# end # end
# GET /resource/confirmation?confirmation_token=abcdef # GET /resource/confirmation?confirmation_token=abcdef
# def show def show
# super super do
# end # When email was already confirmed, default is to render :new with a specific error.
# Because our :new is customized with the email and a form to resend a confirmation,
# we redirect to after confirmation page instead.
if resource.errors.of_kind?(:email, :already_confirmed)
respond_with_navigational(resource) do
flash.notice = t('.email_already_confirmed')
redirect_to after_confirmation_path_for(resource_name, resource) and return
end
end
end
end
# protected # protected

View file

@ -6,3 +6,7 @@ en:
sessions: sessions:
signed_in_multiple_profile: "You are connected ! You can switch between your multiple profiles : %{roles}." signed_in_multiple_profile: "You are connected ! You can switch between your multiple profiles : %{roles}."
signed_out: You are now disconnected. signed_out: You are now disconnected.
users:
confirmations:
show:
email_already_confirmed: 'Your account has already been activated.'

View file

@ -6,3 +6,7 @@ fr:
sessions: sessions:
signed_in_multiple_profile: "Vous êtes connecté(e) ! Vous pouvez à tout moment alterner entre vos différents profils : %{roles}." signed_in_multiple_profile: "Vous êtes connecté(e) ! Vous pouvez à tout moment alterner entre vos différents profils : %{roles}."
signed_out: Vous êtes maintenant déconnecté(e). signed_out: Vous êtes maintenant déconnecté(e).
users:
confirmations:
show:
email_already_confirmed: 'Votre compte a déjà été activé.'

View file

@ -51,5 +51,21 @@ describe Users::ConfirmationsController, type: :controller do
expect(subject).to redirect_to(new_user_session_path) expect(subject).to redirect_to(new_user_session_path)
end end
end end
context 'when account was already confirmed long time ago' do
let!(:user) { create(:user, confirmed_at: 3.hours.ago, confirmation_sent_at: 4.hours.ago, confirmation_token: "mytoken") }
render_views
subject do
get :show, params: { confirmation_token: confirmation_token }
end
it 'redirect and does not expose the email' do
expect(user).to be_confirmed
expect(subject).to redirect_to(new_user_session_path)
expect(subject.body).not_to include(user.email)
expect(flash.notice).to include("Votre compte a déjà été activé")
end
end
end end
end end