Don't allow signups without a password

trindade · Feb 12, 2013 · 824b093 · 824b093
1 parent d7f3241
commit 824b093
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 2 deletions.
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -141,6 +141,8 @@ def create
     auth = session[:authentication]
     if auth && auth[:email] == params[:email] && auth[:email_valid]
       user.active = true
+    else
+      user.password_required
     end
 
     Mothership.register_nickname( user.username, user.email ) if user.valid? and SiteSetting.call_mothership?

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -241,6 +241,11 @@ def password=(password)
     end
   end
 
+  # Indicate that this is NOT a passwordless account for the purposes of validation
+  def password_required
+    @password_required = true
+  end
+
   def confirm_password?(password)
     return false unless self.password_hash && self.salt
     self.password_hash == hash_password(password,self.salt)
@@ -455,8 +460,8 @@ def username_validator
     end
 
     def password_validator
-      if @raw_password
-        return errors.add(:password, "must be 6 letters or longer") if @raw_password.length < 6
+      if (@raw_password and @raw_password.length < 6) or (@password_required and !@raw_password)
+        return errors.add(:password, "must be 6 letters or longer")
       end
     end
 

diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
@@ -379,6 +379,28 @@
       let(:create_params) { {:name => @user.name, :username => @user.username, :password => "strongpassword", :email => @user.email, :challenge => 'abc'} }
       it_should_behave_like 'honeypot fails'
     end
+
+    shared_examples_for 'failed signup due to password problem' do
+      it 'should not create a new User' do
+        expect { xhr :post, :create, create_params }.to_not change { User.count }
+      end
+
+      it 'should report failed' do
+        xhr :post, :create, create_params
+        json = JSON::parse(response.body)
+        json["success"].should_not be_true
+      end
+    end
+
+    context 'when password is blank' do
+      let(:create_params) { {:name => @user.name, :username => @user.username, :password => "", :email => @user.email} }
+      it_should_behave_like 'failed signup due to password problem'
+    end
+
+    context 'when password param is missing' do
+      let(:create_params) { {:name => @user.name, :username => @user.username, :email => @user.email} }
+      it_should_behave_like 'failed signup due to password problem'
+    end
   end
 
   context '.username' do