Commit 85741fbb6ab829672d8f4f73edaa707637a1d693
oauth_client: fix session verification
Showing
5 changed files
with
33 additions
and
13 deletions
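--- a/app/views/account/_signup_form.html.erb
+++ b/app/views/account/_signup_form.html.erb
@@ -16,7 +16,7 @@
 <input type="hidden" id="signup_time_key" name="signup_time_key" />
 <script type="text/javascript">
 jQuery.ajax({
-type: "POST",
+type: "GET",
 url: "<%= url_for :controller=>'account', :action=>'signup_time' %>",
 dataType: 'json',
 success: function(data) {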
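Review bot: The `signup_time` request is switched to `type: "GET"` without a `cache: false` option, and the commit message does not say why the method changed. A GET may be answered by the browser or an intermediate cache, so `#signup_time_key` could end up holding a stale key if the action hands out a fresh, later-verified key per request (what the hidden input suggests; the action itself is not visible here). Add `cache: false,` next to `type: "GET",` and record the reason for the change in a comment inside the script block, e.g. `// signup_time only returns a key and changes no server state, so GET is used`, once that has been confirmed against the controller action.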
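--- a/plugins/oauth_client/controllers/public/oauth_client_plugin_public_controller.rb
+++ b/plugins/oauth_client/controllers/public/oauth_client_plugin_public_controller.rb
@@ -9,10 +9,10 @@ class OauthClientPluginPublicController < PublicController
 session[:user] = user
 redirect_to :controller => :account, :action => :login
 else
-session[:oauth_email] = auth.info.email
+session[:oauth_data] = auth
 name = auth.info.name
 name ||= auth.extra && auth.extra.raw_info ? auth.extra.raw_info.name : ''
-redirect_to :controller => :account, :action => :signup, :user => {:login => login, :email => auth.info.email, :oauth_providers => [{:provider => auth.provider, :uid => auth.uid}]}, :profile_data => {:name => name}
+redirect_to :controller => :account, :action => :signup, :user => {:login => login, :email => auth.info.email}, :profile_data => {:name => name}
 end
 end
 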
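Review bot: `session[:oauth_data] = auth` puts the whole OmniAuth auth hash into the session, while the signup filter only reads `provider`, `uid` and `info.email` from it. An OmniAuth auth hash typically also carries the provider credentials (tokens) and the raw profile; with a cookie-backed session store that data travels to the client on every request and can exceed the cookie size limit, and with any store it outlives the signup unless something clears it, which nothing in this hunk does. Store only what the filter needs, e.g. `session[:oauth_data] = {:provider => auth.provider, :uid => auth.uid, :email => auth.info.email}`, and adjust the reads in `account_controller_filters` to match. Which fields the auth hash actually contains depends on the provider strategy configuration, which is not visible here.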
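--- a/plugins/oauth_client/lib/oauth_client_plugin.rb
+++ b/plugins/oauth_client/lib/oauth_client_plugin.rb
@@ -19,7 +19,7 @@ class OauthClientPlugin < Noosfero::Plugin
 plugin = self
 
 proc do
-unless (plugin.context.params[:user]||{})[:oauth_providers].blank?
+if plugin.context.session[:oauth_data].present?
 render :partial => 'account/oauth_signup'
 else
 ''
@@ -70,7 +70,19 @@ class OauthClientPlugin < Noosfero::Plugin
 end
 
 def account_controller_filters
-{:type => 'before_filter', :method_name => 'signup', :block => proc { raise "Wrong email for oauth signup" if request.post? && session[:oauth_email].present? && session[:oauth_email] != params[:user][:email] } }
+{
+:type => 'before_filter', :method_name => 'signup',
+:block => proc {
+auth = session[:oauth_data]
+
+if auth.present? && params[:user].present?
+params[:user][:oauth_providers] = [{:provider => auth.provider, :uid => auth.uid}]
+if request.post? && auth.info.email != params[:user][:email]
+raise "Wrong email for oauth signup"
+end
+end
+}
+}
 end
 
 end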
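Review bot: In the new `before_filter` block the comparison `auth.info.email != params[:user][:email]` runs on every POST once `session[:oauth_data]` is set, so a provider that returns no email (`auth.info.email` nil) makes every signup fail with the misleading "Wrong email" message; decide explicitly in the filter whether such a provider is rejected up front or allowed, rather than letting the nil fall through. The session entry is never cleared on a successful signup within this hunk, so it keeps injecting `oauth_providers` into any later signup in the same session (the clearing may live elsewhere, not visible here). `raise "Wrong email for oauth signup"` produces a bare RuntimeError that the account controller can only surface as a 500; a named plugin error class (a `StandardError` subclass under the plugin namespace) would let the controller rescue it and show a message. The important part of the change, taking provider and uid from the session instead of the form, deserves a comment on the assignment line, e.g. `# provider/uid always come from the session, never from the submitted form`.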
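--- a/plugins/oauth_client/test/unit/oauth_client_plugin_test.rb
+++ b/plugins/oauth_client/test/unit/oauth_client_plugin_test.rb
@@ -40,7 +40,13 @@ class OauthClientPluginTest < ActiveSupport::TestCase
 request = mock
 stubs(:request).returns(request)
 request.expects(:post?).returns(true)
-stubs(:session).returns({:oauth_email => 'test@example.com'})
+
+oauth_data = mock
+info = mock
+oauth_data.stubs(:info).returns(info)
+info.stubs(:email).returns('test@example.com')
+stubs(:session).returns({:oauth_data => oauth_data})
+
 params[:user] = {:email => 'test2@example.com'}
 assert_raises RuntimeError do
 instance_eval(&plugin.account_controller_filters[:block])
@@ -51,12 +57,18 @@ class OauthClientPluginTest < ActiveSupport::TestCase
 request = mock
 stubs(:request).returns(request)
 request.expects(:post?).returns(true)
-stubs(:session).returns({:oauth_email => 'test@example.com'})
+
+oauth_data = mock
+info = mock
+oauth_data.stubs(:info).returns(info)
+info.stubs(:email).returns('test@example.com')
+stubs(:session).returns({:oauth_data => oauth_data})
+
 params[:user] = {:email => 'test@example.com'}
 instance_eval(&plugin.account_controller_filters[:block])
 end
 
-should 'do not raise error if oauth email is not set' do
+should 'do not raise error if oauth session is not set' do
 request = mock
 stubs(:request).returns(request)
 request.expects(:post?).returns(true)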
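Review bot: The `oauth_data` mock in both rewritten tests stubs only `info`, but the filter now calls `auth.provider` and `auth.uid` before it reaches the email comparison; with a strict Mocha mock those unexpected calls raise a mock error, so the mismatch test may pass for the wrong reason and the matching-email test may fail outright (whether it does depends on the Mocha version and configuration, not visible here). Add `oauth_data.stubs(:provider).returns('provider')` and `oauth_data.stubs(:uid).returns('123')` beside the `info` stub, and move the six duplicated setup lines into a small helper in the test class. The new behaviour of populating `params[:user][:oauth_providers]` from the session has no test; asserting `params[:user][:oauth_providers] == [{:provider => 'provider', :uid => '123'}]` after the `instance_eval` in the matching-email test would cover it.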
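--- a/plugins/oauth_client/views/account/_oauth_signup.html.erb
+++ b/plugins/oauth_client/views/account/_oauth_signup.html.erb
@@ -1,11 +1,7 @@
-<%= hidden_field_tag 'user[oauth_providers][][provider]', @user.oauth_providers.first[:provider] %>
-<%= hidden_field_tag 'user[oauth_providers][][uid]', @user.oauth_providers.first[:uid] %>
 <%= hidden_field_tag 'return_to', '/' %>
 
 <style>
-#signup-password,
-#signup-password-confirmation,
-#signup-email {
+#signup-password, #signup-password-confirmation, #signup-email {
 display: none;
 }
 </style>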
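Review bot: The partial only hides the email and password inputs with `display: none`, so any values posted for them are still submitted; the email comparison in the plugin's `before_filter` is what enforces the match with the provider email, and nothing in the template records that dependency. A short ERB comment at the top would keep it visible, e.g. `<%# OAuth signup: provider/uid and the email check come from session[:oauth_data] in OauthClientPlugin#account_controller_filters; the fields below are hidden, not removed %>`.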