From 2287ee28008c80ce506efa865d196156d222b4c2 Mon Sep 17 00:00:00 2001
From: Victor Costa
Date: Tue, 17 Nov 2015 10:07:33 -0300
Subject: [PATCH] Do not return private token when user is inactive

---
 lib/noosfero/api/entities.rb | 2 +-
 test/unit/api/session_test.rb | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/noosfero/api/entities.rb b/lib/noosfero/api/entities.rb
index 8acb406..d825e66 100644
--- a/lib/noosfero/api/entities.rb
+++ b/lib/noosfero/api/entities.rb
@@ -156,7 +156,7 @@ module Noosfero
 end
 
 class UserLogin < User
-expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}
+expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}, if: lambda {|object, options| object.activated? }
 end
 
 class Task < Entity
diff --git a/test/unit/api/session_test.rb b/test/unit/api/session_test.rb
index 21cc2d5..ba6d88f 100644
--- a/test/unit/api/session_test.rb
+++ b/test/unit/api/session_test.rb
@@ -200,4 +200,14 @@ class SessionTest < ActiveSupport::TestCase
 assert_equal 404, last_response.status
 end
 
+ should 'not return private token when the registered user is inactive' do
+ params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }
+ post "/api/v1/register?#{params.to_query}"
+ assert_equal 201, last_response.status
+ json = JSON.parse(last_response.body)
+ assert !User['newuserapi'].activated?
+ assert !json['user']['activated']
+ assert !json['user']['private_token'].present?
+ end
+
 end
--
libgit2 0.21.2
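Review bot: The lambda on the `+expose :private_token` line declares an `options` parameter it never reads; writing it as `if: ->(object, _options) { object.activated? }` makes it explicit that only the object decides and keeps the two-argument arity Grape passes. The `desc` text still presents the field as a valid authentication code without saying it is omitted for unactivated accounts, so API consumers cannot tell why the key disappears from the response; a wording such as `desc: 'A valid authentication code for post/delete api actions (omitted until the account is activated)'` would make the contract visible. This gate only controls what the UserLogin entity serializes; whether an inactive account's token is also refused at authentication time is not visible in this hunk and is worth confirming separately, since the token still exists on the record. The UserLogin class is fully visible, but the enclosing module starts outside the hunk.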
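Review bot: The final assertion on the `+ assert !json['user']['private_token'].present?` line passes both when the key is absent and when it is present with a nil or empty value, so it does not pin the behaviour the entity change introduces (omitting the field entirely); `assert !json['user'].key?('private_token')` checks exactly that. The test covers only the inactive case, so a regression that drops the token for every user would still pass; a companion test that activates the registered user and asserts a non-empty `private_token` in the login response would close that gap. If the test base class provides it, `refute` reads better than `assert !cond` on the three negated assertions. SessionTest starts outside the hunk.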