Commit 2287ee28008c80ce506efa865d196156d222b4c2
1 parent
7fe25f4d
Do not return private token when user is inactive
Showing
2 changed files
with
11 additions
and
1 deletions
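--- a/lib/noosfero/api/entities.rb
+++ b/lib/noosfero/api/entities.rb
@@ -156,7 +156,7 @@ module Noosfero
 end
 
 class UserLogin < User
-expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}
+expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}, if: lambda {|object, options| object.activated? }
 end
 
 class Task < Entity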
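Review bot: The `if:` guard on `expose :private_token` only hides the field from the serialized UserLogin entity; nothing in this hunk stops a not-yet-activated user's token from being accepted by the API if it is obtained another way (the login endpoint, or the value assigned before activation), so the authentication path should presumably also reject tokens of non-activated users — that code is not visible here, please confirm. The published documentation string is now stale, since the field is conditionally absent; `desc: 'A valid authentication code for post/delete api actions (omitted until the account is activated)'` tells API consumers why the key may be missing. A minor style point: the lambda's second parameter is unused, so `if: lambda {|object, _options| object.activated? }` makes that explicit. The enclosing `module Noosfero` starts and ends outside the hunk.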
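--- a/test/unit/api/session_test.rb
+++ b/test/unit/api/session_test.rb
@@ -200,4 +200,14 @@ class SessionTest < ActiveSupport::TestCase
 assert_equal 404, last_response.status
 end
 
+should 'not return private token when the registered user is inactive' do
+params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }
+post "/api/v1/register?#{params.to_query}"
+assert_equal 201, last_response.status
+json = JSON.parse(last_response.body)
+assert !User['newuserapi'].activated?
+assert !json['user']['activated']
+assert !json['user']['private_token'].present?
+end
+
 end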
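Review bot: The new test only pins the negative side of the guard: a regression that hides `private_token` unconditionally (for example an inverted condition in the entity) would still pass it, because no test asserts the token IS returned for an activated user. A companion case that activates `User['newuserapi']` through whatever activation helper the model provides, authenticates, and asserts `json['user']['private_token'].present?` would pin both branches — I cannot see the activation or login helpers from this hunk, so the exact calls need confirming. Also, `!json['user']['private_token'].present?` is clearer as `assert_nil json['user']['private_token']` if the key is meant to be absent rather than blank, which is what the `if:` guard in the entity produces. The enclosing `SessionTest` class starts outside the hunk.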