Commit 85741fbb6ab829672d8f4f73edaa707637a1d693
1 parent
7c98d685
Exists in
staging
and in
7 other branches
oauth_client: fix session verification
Showing
5 changed files
with
33 additions
and
13 deletions
Show diff stats
app/views/account/_signup_form.html.erb
| @@ -16,7 +16,7 @@ | @@ -16,7 +16,7 @@ | ||
| 16 | <input type="hidden" id="signup_time_key" name="signup_time_key" /> | 16 | <input type="hidden" id="signup_time_key" name="signup_time_key" /> |
| 17 | <script type="text/javascript"> | 17 | <script type="text/javascript"> |
| 18 | jQuery.ajax({ | 18 | jQuery.ajax({ |
| 19 | - type: "POST", | 19 | + type: "GET", |
| 20 | url: "<%= url_for :controller=>'account', :action=>'signup_time' %>", | 20 | url: "<%= url_for :controller=>'account', :action=>'signup_time' %>", |
| 21 | dataType: 'json', | 21 | dataType: 'json', |
| 22 | success: function(data) { | 22 | success: function(data) { |
plugins/oauth_client/controllers/public/oauth_client_plugin_public_controller.rb
| @@ -9,10 +9,10 @@ class OauthClientPluginPublicController < PublicController | @@ -9,10 +9,10 @@ class OauthClientPluginPublicController < PublicController | ||
| 9 | session[:user] = user | 9 | session[:user] = user |
| 10 | redirect_to :controller => :account, :action => :login | 10 | redirect_to :controller => :account, :action => :login |
| 11 | else | 11 | else |
| 12 | - session[:oauth_email] = auth.info.email | 12 | + session[:oauth_data] = auth |
| 13 | name = auth.info.name | 13 | name = auth.info.name |
| 14 | name ||= auth.extra && auth.extra.raw_info ? auth.extra.raw_info.name : '' | 14 | name ||= auth.extra && auth.extra.raw_info ? auth.extra.raw_info.name : '' |
| 15 | - redirect_to :controller => :account, :action => :signup, :user => {:login => login, :email => auth.info.email, :oauth_providers => [{:provider => auth.provider, :uid => auth.uid}]}, :profile_data => {:name => name} | 15 | + redirect_to :controller => :account, :action => :signup, :user => {:login => login, :email => auth.info.email}, :profile_data => {:name => name} |
| 16 | end | 16 | end |
| 17 | end | 17 | end |
| 18 | 18 |
plugins/oauth_client/lib/oauth_client_plugin.rb
| @@ -19,7 +19,7 @@ class OauthClientPlugin < Noosfero::Plugin | @@ -19,7 +19,7 @@ class OauthClientPlugin < Noosfero::Plugin | ||
| 19 | plugin = self | 19 | plugin = self |
| 20 | 20 | ||
| 21 | proc do | 21 | proc do |
| 22 | - unless (plugin.context.params[:user]||{})[:oauth_providers].blank? | 22 | + if plugin.context.session[:oauth_data].present? |
| 23 | render :partial => 'account/oauth_signup' | 23 | render :partial => 'account/oauth_signup' |
| 24 | else | 24 | else |
| 25 | '' | 25 | '' |
| @@ -70,7 +70,19 @@ class OauthClientPlugin < Noosfero::Plugin | @@ -70,7 +70,19 @@ class OauthClientPlugin < Noosfero::Plugin | ||
| 70 | end | 70 | end |
| 71 | 71 | ||
| 72 | def account_controller_filters | 72 | def account_controller_filters |
| 73 | - {:type => 'before_filter', :method_name => 'signup', :block => proc { raise "Wrong email for oauth signup" if request.post? && session[:oauth_email].present? && session[:oauth_email] != params[:user][:email] } } | 73 | + { |
| 74 | + :type => 'before_filter', :method_name => 'signup', | ||
| 75 | + :block => proc { | ||
| 76 | + auth = session[:oauth_data] | ||
| 77 | + | ||
| 78 | + if auth.present? && params[:user].present? | ||
| 79 | + params[:user][:oauth_providers] = [{:provider => auth.provider, :uid => auth.uid}] | ||
| 80 | + if request.post? && auth.info.email != params[:user][:email] | ||
| 81 | + raise "Wrong email for oauth signup" | ||
| 82 | + end | ||
| 83 | + end | ||
| 84 | + } | ||
| 85 | + } | ||
| 74 | end | 86 | end |
| 75 | 87 | ||
| 76 | end | 88 | end |
plugins/oauth_client/test/unit/oauth_client_plugin_test.rb
| @@ -40,7 +40,13 @@ class OauthClientPluginTest < ActiveSupport::TestCase | @@ -40,7 +40,13 @@ class OauthClientPluginTest < ActiveSupport::TestCase | ||
| 40 | request = mock | 40 | request = mock |
| 41 | stubs(:request).returns(request) | 41 | stubs(:request).returns(request) |
| 42 | request.expects(:post?).returns(true) | 42 | request.expects(:post?).returns(true) |
| 43 | - stubs(:session).returns({:oauth_email => 'test@example.com'}) | 43 | + |
| 44 | + oauth_data = mock | ||
| 45 | + info = mock | ||
| 46 | + oauth_data.stubs(:info).returns(info) | ||
| 47 | + info.stubs(:email).returns('test@example.com') | ||
| 48 | + stubs(:session).returns({:oauth_data => oauth_data}) | ||
| 49 | + | ||
| 44 | params[:user] = {:email => 'test2@example.com'} | 50 | params[:user] = {:email => 'test2@example.com'} |
| 45 | assert_raises RuntimeError do | 51 | assert_raises RuntimeError do |
| 46 | instance_eval(&plugin.account_controller_filters[:block]) | 52 | instance_eval(&plugin.account_controller_filters[:block]) |
| @@ -51,12 +57,18 @@ class OauthClientPluginTest < ActiveSupport::TestCase | @@ -51,12 +57,18 @@ class OauthClientPluginTest < ActiveSupport::TestCase | ||
| 51 | request = mock | 57 | request = mock |
| 52 | stubs(:request).returns(request) | 58 | stubs(:request).returns(request) |
| 53 | request.expects(:post?).returns(true) | 59 | request.expects(:post?).returns(true) |
| 54 | - stubs(:session).returns({:oauth_email => 'test@example.com'}) | 60 | + |
| 61 | + oauth_data = mock | ||
| 62 | + info = mock | ||
| 63 | + oauth_data.stubs(:info).returns(info) | ||
| 64 | + info.stubs(:email).returns('test@example.com') | ||
| 65 | + stubs(:session).returns({:oauth_data => oauth_data}) | ||
| 66 | + | ||
| 55 | params[:user] = {:email => 'test@example.com'} | 67 | params[:user] = {:email => 'test@example.com'} |
| 56 | instance_eval(&plugin.account_controller_filters[:block]) | 68 | instance_eval(&plugin.account_controller_filters[:block]) |
| 57 | end | 69 | end |
| 58 | 70 | ||
| 59 | - should 'do not raise error if oauth email is not set' do | 71 | + should 'do not raise error if oauth session is not set' do |
| 60 | request = mock | 72 | request = mock |
| 61 | stubs(:request).returns(request) | 73 | stubs(:request).returns(request) |
| 62 | request.expects(:post?).returns(true) | 74 | request.expects(:post?).returns(true) |
plugins/oauth_client/views/account/_oauth_signup.html.erb
| 1 | -<%= hidden_field_tag 'user[oauth_providers][][provider]', @user.oauth_providers.first[:provider] %> | ||
| 2 | -<%= hidden_field_tag 'user[oauth_providers][][uid]', @user.oauth_providers.first[:uid] %> | ||
| 3 | <%= hidden_field_tag 'return_to', '/' %> | 1 | <%= hidden_field_tag 'return_to', '/' %> |
| 4 | 2 | ||
| 5 | <style> | 3 | <style> |
| 6 | - #signup-password, | ||
| 7 | - #signup-password-confirmation, | ||
| 8 | - #signup-email { | 4 | + #signup-password, #signup-password-confirmation, #signup-email { |
| 9 | display: none; | 5 | display: none; |
| 10 | } | 6 | } |
| 11 | </style> | 7 | </style> |