redirect to same path after use signup (#3849)

La page d'inscription résiste mieux à la possibilité de vérifier si une adresse email est déjà enregistrée comme compte
2019-05-13 15:44:24 +02:00 · 2019-05-13 15:44:24 +02:00 · d7828e9a1e
commit d7828e9a1e
parent 3fc58fc816 b1f11c0b0a
2 changed files with 15 additions and 8 deletions
--- a/app/controllers/users/registrations_controller.rb
+++ b/app/controllers/users/registrations_controller.rb
@ -26,12 +26,10 @@ class Users::RegistrationsController < Devise::RegistrationsController
    if existing_user.present?
      if existing_user.confirmed?
        UserMailer.new_account_warning(existing_user).deliver_later
-        flash.notice = t('devise.registrations.signed_up_but_unconfirmed')
-        return redirect_to root_path
      else
        existing_user.resend_confirmation_instructions
-        return redirect_to after_inactive_sign_up_path_for(existing_user)
      end
+      return redirect_to after_inactive_sign_up_path_for(existing_user)
    end

    super
--- a/spec/controllers/users/registrations_controller_spec.rb
+++ b/spec/controllers/users/registrations_controller_spec.rb
@ -74,9 +74,13 @@ describe Users::RegistrationsController, type: :controller do

        before { subject }

-        it { expect(response).to redirect_to(root_path) }
-        it { expect(flash.notice).to eq(I18n.t('devise.registrations.signed_up_but_unconfirmed')) }
-        it { expect(UserMailer).to have_received(:new_account_warning) }
+        it 'sends an email to the user, stating that the account already exists' do
+          expect(UserMailer).to have_received(:new_account_warning)
+        end
+
+        it 'avoids leaking information about the account existence, by redirecting to the same page than normal signup' do
+          expect(response).to redirect_to(new_user_confirmation_path(user: { email: user[:email] }))
+        end
      end

      context 'and the user is not confirmed' do
@ -87,8 +91,13 @@ describe Users::RegistrationsController, type: :controller do
          subject
        end

-        it { expect(response).to redirect_to(new_user_confirmation_path(user: { email: user[:email] })) }
-        it { expect(UserMailer).not_to have_received(:new_account_warning) }
+        it 'does not send a warning email' do
+          expect(UserMailer).not_to have_received(:new_account_warning)
+        end
+
+        it 'avoids leaking information about the account existence, by redirecting to the same page than normal signup' do
+          expect(response).to redirect_to(new_user_confirmation_path(user: { email: user[:email] }))
+        end
      end
    end
  end