Commit 2287ee28008c80ce506efa865d196156d222b4c2
1 parent
7fe25f4d
Do not return private token when user is inactive
Showing
2 changed files
with
11 additions
and
1 deletions
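--- a/lib/noosfero/api/entities.rb
+++ b/lib/noosfero/api/entities.rb
@@ -156,7 +156,7 @@ module Noosfero
 end
 
 class UserLogin < User
-expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}
+expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}, if: lambda {|object, options| object.activated? }
 end
 
 class Task < Entity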
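Review bot: The `if:` lambda on the new `expose :private_token` line takes an `options` argument it never reads; name it `_options`, or use the stabby form `if: ->(object, _options) { object.activated? }`, so the unused parameter is explicit. The gate itself deserves a why-comment, since this entity is the place that decides whether a registration or login response carries a usable credential; suggest above the `expose` line: `# Only an activated account may receive its private_token; an unactivated registration must not hand out a working API credential.` The `UserLogin` class is complete within the hunk, but the enclosing `module Noosfero` starts outside it.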
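--- a/test/unit/api/session_test.rb
+++ b/test/unit/api/session_test.rb
@@ -200,4 +200,14 @@ class SessionTest < ActiveSupport::TestCase
 assert_equal 404, last_response.status
 end
 
+should 'not return private token when the registered user is inactive' do
+params = {:login => "newuserapi", :password => "newuserapi", :password_confirmation => "newuserapi", :email => "newuserapi@email.com" }
+post "/api/v1/register?#{params.to_query}"
+assert_equal 201, last_response.status
+json = JSON.parse(last_response.body)
+assert !User['newuserapi'].activated?
+assert !json['user']['activated']
+assert !json['user']['private_token'].present?
+end
+
 end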
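Review bot: The new test pins only the negative case; nothing here checks that an activated user still receives `private_token`, so an `if:` condition that never fires (for example if `activated?` were false for every user) would pass this suite while silently breaking authenticated API use. Add the complementary case that activates the same user, authenticates it the way the other session tests do, and asserts `json['user']['private_token'].present?`. As a point of style, the three `assert !…` lines read better as `refute User['newuserapi'].activated?` and `refute json['user']['private_token'].present?`, assuming the test base provides Minitest's `refute` as ActiveSupport::TestCase does on Rails 4 and later. The `json['user']['activated']` assertion also presumes the `User` entity exposes `activated`, which is not visible in this commit.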