Disable password reset for unconfirmed users

2026-02-11 23:17:48 +00:00 · 2018-04-18 15:14:21 +01:00
parent 1782a8c700
commit 1f23402912
5 changed files with 55 additions and 26 deletions
--- a/app/assets/javascripts/darkswarm/controllers/authentication/forgot_controller.js.coffee
+++ b/app/assets/javascripts/darkswarm/controllers/authentication/forgot_controller.js.coffee
@@ -6,7 +6,14 @@ Darkswarm.controller "ForgotCtrl", ($scope, $http, $location, AuthenticationServ
    if $scope.spree_user.email != null
      $http.post("/user/spree_user/password", {spree_user: $scope.spree_user}).success (data)->
        $scope.sent = true
-      .error (data) ->
-        $scope.errors = t 'email_not_found'
+      .error (data, status) ->
+        $scope.errors = data.error
+        $scope.user_unconfirmed = (status == 401)
    else
      $scope.errors = t 'email_required'
+
+  $scope.resend_confirmation = ->
+    $http.post("/user/spree_user/confirmation", {spree_user: $scope.spree_user}).success (data)->
+      $scope.messages = t('devise.confirmations.send_instructions')
+    .error (data) ->
+      $scope.errors = t('devise.confirmations.failed_to_send')
--- a/app/assets/javascripts/templates/forgot.html.haml
+++ b/app/assets/javascripts/templates/forgot.html.haml
@@ -2,24 +2,28 @@
  %form{ ng: { controller: "ForgotCtrl", submit: "submit()" } }
    .row
      .large-12.columns
-        .alert-box.success.radius{"ng-show" => "sent"}
-          {{'password_reset_sent' | t}}
+        .alert-box.success{"ng-show" => "sent"}
+          {{ 'password_reset_sent' | t }}

-    %div{"ng-show" => "!sent"}
-      .alert-box.alert{"ng-show" => "errors != null"}
-        {{ errors }}
+        .alert-box.success{"ng-show" => "messages != null"}
+          {{ messages }}

-      .row
-        .large-12.columns
-          %label{for: "email"} {{'signup_email' | t}}
-          %input.title.input-text{name: "email",
-            type: "email",
-            id: "email",
-            tabindex: 1,
-            "ng-model" => "spree_user.email"}
-      .row
-        .large-12.columns
-          %input.button.primary{name: "commit",
-            tabindex: "3",
-            type: "submit",
-            value: "{{'reset_password' | t}}"}
+        .alert-box.alert{"ng-show" => "errors != null"}
+          {{ errors }}
+          %a{ng: {show: 'user_unconfirmed', click: 'resend_confirmation()'}}
+            = t('devise.confirmations.resend_confirmation_email')
+
+    .row
+      .large-12.columns
+        %label{for: "email"} {{'signup_email' | t}}
+        %input.title.input-text{name: "email",
+          type: "email",
+          id: "email",
+          tabindex: 1,
+          "ng-model" => "spree_user.email"}
+    .row
+      .large-12.columns
+        %input.button.primary{name: "commit",
+          tabindex: "3",
+          type: "submit",
+          value: "{{'reset_password' | t}}"}
--- a/app/controllers/user_passwords_controller.rb
+++ b/app/controllers/user_passwords_controller.rb
@@ -4,6 +4,8 @@ class UserPasswordsController < Spree::UserPasswordsController
  before_filter :set_admin_redirect, only: :edit

  def create
+    return if user_unconfirmed?
+
    self.resource = resource_class.send_reset_password_instructions(params[resource_name])

    if resource.errors.empty?
@@ -15,7 +17,7 @@ class UserPasswordsController < Spree::UserPasswordsController
          respond_with_navigational(resource) { render :new }
        end
        format.js do
-          render json: resource.errors, status: :unauthorized
+          render json: { error: t('email_not_found') }, status: :not_found
        end
      end
    end
@@ -26,4 +28,13 @@ class UserPasswordsController < Spree::UserPasswordsController
  def set_admin_redirect
    session["spree_user_return_to"] = params[:return_to] if params[:return_to]
  end
+
+  def user_unconfirmed?
+    user = Spree::User.find_by_email(params[:spree_user][:email])
+    if user && !user.confirmed?
+      render json: { error: t('email_unconfirmed') }, status: :unauthorized
+    end
+
+    user && !user.confirmed?
+  end
 end
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1628,6 +1628,7 @@ See the %{link} to find out more about %{sitename}'s features and to start using
  november: "November"
  december: "December"
  email_not_found: "Email address not found"
+  email_unconfirmed: "You must confirm your email address before you can reset your password."
  email_required: "You must provide an email address"
  logging_in: "Hold on a moment, we're logging you in"
  signup_email: "Your email"
--- a/spec/controllers/user_passwords_controller_spec.rb
+++ b/spec/controllers/user_passwords_controller_spec.rb
@@ -3,6 +3,7 @@ require 'spree/api/testing_support/helpers'

 describe UserPasswordsController, type: :controller do
  let(:user) { create(:user) }
+  let(:unconfirmed_user) { create(:user, confirmed_at: nil) }

  before do
    @request.env["devise.mapping"] = Devise.mappings[:spree_user]
@@ -44,11 +45,16 @@ describe UserPasswordsController, type: :controller do
  end

  describe "via ajax" do
-    it "returns errors" do
+    it "returns error when email not found" do
      xhr :post, :create, spree_user: {}, use_route: :spree
-      json = JSON.parse(response.body)
-      response.status.should == 401
-      json.should == {"email"=>["can't be blank"]}
+      expect(response.status).to eq 404
+      expect(json_response).to eq 'error' => I18n.t('email_not_found')
+    end
+
+    it "returns error when user is unconfirmed" do
+      xhr :post, :create, spree_user: {email: unconfirmed_user.email}, use_route: :spree
+      expect(response.status).to eq 401
+      expect(json_response).to eq 'error' => I18n.t('email_unconfirmed')
    end
  end
 end