diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index c9cefe8c7..dec06541b 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -50,6 +50,10 @@ class AccountController < ApplicationController
 return
 end
 @user = @token.user
+ unless @user && @user.active?
+ redirect_to home_url
+ return
+ end
 if request.post?
 @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
 if @user.save
diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb
index 2c1310695..f48e4b3a6 100644
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
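Review bot: The added guard redirects a locked (or missing) user away but leaves the recovery token in place, so a token issued before the account was locked stays usable for the rest of its lifetime if the account is later re-activated. Unless tokens are short-lived elsewhere, consider invalidating it on this path: `@token.destroy` just before `redirect_to home_url`. Redirecting to the same target as the invalid-token case (both land on '/' in the tests) is good, since the response does not reveal whether the token itself was valid. The enclosing action starts and ends outside the hunk, so the token lookup and the `@user.save` branch are not visible here.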
@@ -186,4 +186,58 @@ class AccountControllerTest < ActionController::TestCase
 assert_response :success
 end
 end
+
+ def test_get_lost_password_with_token_should_display_the_password_recovery_form
+ user = User.find(2)
+ token = Token.create!(:action => 'recovery', :user => user)
+
+ get :lost_password, :token => token.value
+ assert_response :success
+ assert_template 'password_recovery'
+
+ assert_select 'input[type=hidden][name=token][value=?]', token.value
+ end
+
+ def test_get_lost_password_with_invalid_token_should_redirect
+ get :lost_password, :token => "abcdef"
+ assert_redirected_to '/'
+ end
+
+ def test_post_lost_password_with_token_should_change_the_user_password
+ user = User.find(2)
+ token = Token.create!(:action => 'recovery', :user => user)
+
+ post :lost_password, :token => token.value, :new_password => 'newpass', :new_password_confirmation => 'newpass'
+ assert_redirected_to '/login'
+ user.reload
+ assert user.check_password?('newpass')
+ assert_nil Token.find_by_id(token.id), "Token was not deleted"
+ end
+
+ def test_post_lost_password_with_token_for_non_active_user_should_fail
+ user = User.find(2)
+ token = Token.create!(:action => 'recovery', :user => user)
+ user.lock!
+
+ post :lost_password, :token => token.value, :new_password => 'newpass', :new_password_confirmation => 'newpass'
+ assert_redirected_to '/'
+ assert ! user.check_password?('newpass')
+ end
+
+ def test_post_lost_password_with_token_and_password_confirmation_failure_should_redisplay_the_form
+ user = User.find(2)
+ token = Token.create!(:action => 'recovery', :user => user)
+
+ post :lost_password, :token => token.value, :new_password => 'newpass', :new_password_confirmation => 'wrongpass'
+ assert_response :success
+ assert_template 'password_recovery'
+ assert_not_nil Token.find_by_id(token.id), "Token was deleted"
+
+ assert_select 'input[type=hidden][name=token][value=?]', token.value
+ end
+
+ def test_post_lost_password_with_invalid_token_should_redirect
+ post :lost_password, :token => "abcdef", :new_password => 'newpass', :new_password_confirmation => 'newpass'
+ assert_redirected_to '/'
+ end
 end
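Review bot: `test_post_lost_password_with_token_for_non_active_user_should_fail` asserts `assert ! user.check_password?('newpass')` on the in-memory `user` without reloading it, so it would pass even if the controller had changed the password in the database; the positive test above correctly calls `user.reload` before its `check_password?` check. Add `user.reload` on the line before that assertion so the test actually observes the controller's effect. It would also be worth pinning what happens to the token on this path (an `assert_nil` or `assert_not_nil Token.find_by_id(token.id)`, whichever the controller intends), since neither outcome is currently checked. A GET for a locked user is untested too, even though the controller's guard runs before the `request.post?` branch and should redirect there as well.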