2019-07-31 22:56:46 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2016-06-02 11:05:42 +05:30
|
|
|
require 'spec_helper'
|
|
|
|
|
2020-06-23 00:09:42 +05:30
|
|
|
RSpec.describe RegistrationsController do
|
2018-11-08 19:23:39 +05:30
|
|
|
include TermsHelper
|
2023-01-13 00:05:48 +05:30
|
|
|
include FullNameHelper
|
2018-11-08 19:23:39 +05:30
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
before do
|
2021-01-29 00:20:46 +05:30
|
|
|
stub_application_setting(require_admin_approval_after_user_signup: false)
|
2022-10-11 01:57:18 +05:30
|
|
|
stub_feature_flags(arkose_labs_signup_challenge: false)
|
2019-10-12 21:52:04 +05:30
|
|
|
end
|
|
|
|
|
2019-12-26 22:10:19 +05:30
|
|
|
describe '#new' do
|
|
|
|
subject { get :new }
|
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
it 'renders new template and sets the resource variable' do
|
|
|
|
expect(subject).to render_template(:new)
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(assigns(:resource)).to be_a(User)
|
2019-12-26 22:10:19 +05:30
|
|
|
end
|
2023-01-13 00:05:48 +05:30
|
|
|
|
|
|
|
it_behaves_like "switches to user preferred language", 'Sign up'
|
2021-01-03 14:25:43 +05:30
|
|
|
end
|
2020-10-24 23:57:45 +05:30
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
describe '#create' do
|
2022-03-02 08:16:31 +05:30
|
|
|
before do
|
|
|
|
allow(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).and_return(false)
|
|
|
|
end
|
|
|
|
|
2021-06-08 01:23:25 +05:30
|
|
|
let_it_be(:base_user_params) do
|
2022-08-27 11:52:29 +05:30
|
|
|
{ first_name: 'first', last_name: 'last', username: 'new_username', email: 'new@user.com', password: User.random_password }
|
2021-06-08 01:23:25 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
let_it_be(:user_params) { { user: base_user_params } }
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2021-06-08 01:23:25 +05:30
|
|
|
let(:session_params) { {} }
|
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
subject(:post_create) { post(:create, params: user_params, session: session_params) }
|
2020-10-24 23:57:45 +05:30
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
context '`blocked_pending_approval` state' do
|
2021-01-29 00:20:46 +05:30
|
|
|
context 'when the `require_admin_approval_after_user_signup` setting is turned on' do
|
2020-10-24 23:57:45 +05:30
|
|
|
before do
|
2021-01-29 00:20:46 +05:30
|
|
|
stub_application_setting(require_admin_approval_after_user_signup: true)
|
2020-10-24 23:57:45 +05:30
|
|
|
end
|
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
it 'signs up the user in `blocked_pending_approval` state' do
|
|
|
|
subject
|
|
|
|
created_user = User.find_by(email: 'new@user.com')
|
2020-10-24 23:57:45 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
expect(created_user).to be_present
|
|
|
|
expect(created_user.blocked_pending_approval?).to eq(true)
|
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
it 'does not log in the user after sign up' do
|
|
|
|
subject
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
expect(controller.current_user).to be_nil
|
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
it 'shows flash message after signing up' do
|
|
|
|
subject
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
expect(response).to redirect_to(new_user_session_path(anchor: 'login-pane'))
|
|
|
|
expect(flash[:notice])
|
|
|
|
.to eq('You have signed up successfully. However, we could not sign you in because your account is awaiting approval from your GitLab administrator.')
|
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
it 'emails the access request to approvers' do
|
|
|
|
expect_next_instance_of(NotificationService) do |notification|
|
|
|
|
allow(notification).to receive(:new_instance_access_request).with(User.find_by(email: 'new@user.com'))
|
2021-01-03 14:25:43 +05:30
|
|
|
end
|
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
subject
|
2021-01-03 14:25:43 +05:30
|
|
|
end
|
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
context 'email confirmation' do
|
2023-03-04 22:38:38 +05:30
|
|
|
context 'when `email_confirmation_setting` is set to `hard`' do
|
2021-01-29 00:20:46 +05:30
|
|
|
before do
|
2023-03-04 22:38:38 +05:30
|
|
|
stub_application_setting_enum('email_confirmation_setting', 'hard')
|
2021-01-29 00:20:46 +05:30
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
it 'does not send a confirmation email' do
|
|
|
|
expect { subject }
|
|
|
|
.not_to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
|
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
end
|
2021-01-29 00:20:46 +05:30
|
|
|
end
|
2021-03-11 19:13:27 +05:30
|
|
|
|
|
|
|
context 'audit events' do
|
|
|
|
context 'when not licensed' do
|
|
|
|
before do
|
|
|
|
stub_licensed_features(admin_audit_log: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not log any audit event' do
|
|
|
|
expect { subject }.not_to change(AuditEvent, :count)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2021-01-29 00:20:46 +05:30
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
context 'when the `require_admin_approval_after_user_signup` setting is turned off' do
|
|
|
|
it 'signs up the user in `active` state' do
|
|
|
|
subject
|
|
|
|
created_user = User.find_by(email: 'new@user.com')
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
expect(created_user).to be_present
|
|
|
|
expect(created_user.active?).to eq(true)
|
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
it 'does not show any flash message after signing up' do
|
|
|
|
subject
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
expect(flash[:notice]).to be_nil
|
2020-10-24 23:57:45 +05:30
|
|
|
end
|
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
it 'does not email the approvers' do
|
|
|
|
expect(NotificationService).not_to receive(:new)
|
2020-10-24 23:57:45 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
subject
|
|
|
|
end
|
2020-10-24 23:57:45 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
context 'email confirmation' do
|
2023-03-04 22:38:38 +05:30
|
|
|
context 'when `email_confirmation_setting` is set to `hard`' do
|
2021-01-29 00:20:46 +05:30
|
|
|
before do
|
2023-03-04 22:38:38 +05:30
|
|
|
stub_application_setting_enum('email_confirmation_setting', 'hard')
|
2022-10-11 01:57:18 +05:30
|
|
|
stub_feature_flags(identity_verification: false)
|
2021-01-29 00:20:46 +05:30
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
|
2021-01-29 00:20:46 +05:30
|
|
|
it 'sends a confirmation email' do
|
|
|
|
expect { subject }
|
|
|
|
.to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
|
|
|
|
end
|
2021-01-03 14:25:43 +05:30
|
|
|
end
|
2020-10-24 23:57:45 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2023-03-17 16:20:25 +05:30
|
|
|
context 'private profile' do
|
|
|
|
context 'when the `user_defaults_to_private_profile` setting is turned on' do
|
|
|
|
before do
|
|
|
|
stub_application_setting(user_defaults_to_private_profile: true)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'creates new user with profile set to private' do
|
|
|
|
subject
|
|
|
|
user = User.find_by(email: base_user_params[:email], private_profile: true)
|
|
|
|
|
|
|
|
expect(user).to be_present
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2017-08-17 22:00:37 +05:30
|
|
|
context 'email confirmation' do
|
2022-10-11 01:57:18 +05:30
|
|
|
before do
|
|
|
|
stub_feature_flags(identity_verification: false)
|
|
|
|
end
|
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
context 'when `email_confirmation_setting` is set to `off`' do
|
2017-08-17 22:00:37 +05:30
|
|
|
it 'signs the user in' do
|
2023-03-04 22:38:38 +05:30
|
|
|
stub_application_setting_enum('email_confirmation_setting', 'off')
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
expect { subject }.not_to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
|
|
|
|
expect(controller.current_user).not_to be_nil
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
context 'when `email_confirmation_setting` is set to `hard`' do
|
2019-10-12 21:52:04 +05:30
|
|
|
before do
|
2023-03-04 22:38:38 +05:30
|
|
|
stub_application_setting_enum('email_confirmation_setting', 'hard')
|
2019-10-12 21:52:04 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
context 'when soft email confirmation is not enabled' do
|
|
|
|
before do
|
|
|
|
stub_feature_flags(soft_email_confirmation: false)
|
|
|
|
allow(User).to receive(:allow_unconfirmed_access_for).and_return 0
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not authenticate the user and sends a confirmation email' do
|
2021-01-03 14:25:43 +05:30
|
|
|
expect { subject }.to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
|
|
|
|
expect(controller.current_user).to be_nil
|
2019-10-12 21:52:04 +05:30
|
|
|
end
|
2021-06-08 01:23:25 +05:30
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
it 'tracks an almost there redirect' do
|
|
|
|
post_create
|
|
|
|
|
|
|
|
expect_snowplow_event(
|
|
|
|
category: described_class.name,
|
|
|
|
action: 'render',
|
|
|
|
user: User.find_by(email: base_user_params[:email])
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2021-06-08 01:23:25 +05:30
|
|
|
context 'when registration is triggered from an accepted invite' do
|
2021-10-27 15:23:28 +05:30
|
|
|
context 'when it is part from the initial invite email', :snowplow do
|
2021-06-08 01:23:25 +05:30
|
|
|
let_it_be(:member) { create(:project_member, :invited, invite_email: user_params.dig(:user, :email)) }
|
|
|
|
|
|
|
|
let(:originating_member_id) { member.id }
|
|
|
|
let(:session_params) do
|
|
|
|
{
|
|
|
|
invite_email: user_params.dig(:user, :email),
|
|
|
|
originating_member_id: originating_member_id
|
2022-01-26 12:08:38 +05:30
|
|
|
}
|
2021-06-08 01:23:25 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
context 'when member exists from the session key value' do
|
2021-10-27 15:23:28 +05:30
|
|
|
it 'tracks the invite acceptance' do
|
2021-06-08 01:23:25 +05:30
|
|
|
subject
|
2021-10-27 15:23:28 +05:30
|
|
|
|
|
|
|
expect_snowplow_event(
|
|
|
|
category: 'RegistrationsController',
|
|
|
|
action: 'accepted',
|
|
|
|
label: 'invite_email',
|
2022-08-13 15:12:31 +05:30
|
|
|
property: member.id.to_s,
|
|
|
|
user: member.reload.user
|
2021-10-27 15:23:28 +05:30
|
|
|
)
|
2021-06-08 01:23:25 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when member does not exist from the session key value' do
|
|
|
|
let(:originating_member_id) { -1 }
|
|
|
|
|
2021-10-27 15:23:28 +05:30
|
|
|
it 'does not track invite acceptance' do
|
2021-06-08 01:23:25 +05:30
|
|
|
subject
|
2021-10-27 15:23:28 +05:30
|
|
|
|
|
|
|
expect_no_snowplow_event(
|
|
|
|
category: 'RegistrationsController',
|
|
|
|
action: 'accepted',
|
|
|
|
label: 'invite_email'
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
2021-06-08 01:23:25 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
context 'when invite email matches email used on registration' do
|
|
|
|
let(:session_params) { { invite_email: user_params.dig(:user, :email) } }
|
|
|
|
|
|
|
|
it 'signs the user in without sending a confirmation email', :aggregate_failures do
|
|
|
|
expect { subject }.not_to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
|
|
|
|
expect(controller.current_user).to be_confirmed
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when invite email does not match the email used on registration' do
|
|
|
|
let(:session_params) { { invite_email: 'bogus@email.com' } }
|
|
|
|
|
|
|
|
it 'does not authenticate the user and sends a confirmation email', :aggregate_failures do
|
|
|
|
expect { subject }.to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
|
|
|
|
expect(controller.current_user).to be_nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2019-10-12 21:52:04 +05:30
|
|
|
end
|
|
|
|
|
2021-11-11 11:23:49 +05:30
|
|
|
context 'when the registration fails' do
|
|
|
|
let_it_be(:member) { create(:project_member, :invited) }
|
|
|
|
let_it_be(:missing_user_params) do
|
2022-08-27 11:52:29 +05:30
|
|
|
{ username: '', email: member.invite_email, password: User.random_password }
|
2021-11-11 11:23:49 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
let_it_be(:user_params) { { user: missing_user_params } }
|
|
|
|
|
|
|
|
let(:session_params) { { invite_email: member.invite_email } }
|
|
|
|
|
|
|
|
subject { post(:create, params: user_params, session: session_params) }
|
|
|
|
|
|
|
|
it 'does not delete the invitation or register the new user' do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(member.invite_token).not_to be_nil
|
|
|
|
expect(controller.current_user).to be_nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
context 'when soft email confirmation is enabled' do
|
|
|
|
before do
|
|
|
|
stub_feature_flags(soft_email_confirmation: true)
|
|
|
|
allow(User).to receive(:allow_unconfirmed_access_for).and_return 2.days
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
it 'authenticates the user and sends a confirmation email' do
|
2021-01-03 14:25:43 +05:30
|
|
|
expect { subject }.to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
|
|
|
|
expect(controller.current_user).to be_present
|
2020-11-24 15:15:51 +05:30
|
|
|
expect(response).to redirect_to(users_sign_up_welcome_path)
|
2019-10-12 21:52:04 +05:30
|
|
|
end
|
2021-06-08 01:23:25 +05:30
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
it 'does not track an almost there redirect' do
|
|
|
|
post_create
|
|
|
|
|
|
|
|
expect_no_snowplow_event(
|
|
|
|
category: described_class.name,
|
|
|
|
action: 'render',
|
|
|
|
user: User.find_by(email: base_user_params[:email])
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2021-06-08 01:23:25 +05:30
|
|
|
context 'when invite email matches email used on registration' do
|
|
|
|
let(:session_params) { { invite_email: user_params.dig(:user, :email) } }
|
|
|
|
|
|
|
|
it 'signs the user in without sending a confirmation email', :aggregate_failures do
|
|
|
|
expect { subject }.not_to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
|
|
|
|
expect(controller.current_user).to be_confirmed
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when invite email does not match the email used on registration' do
|
|
|
|
let(:session_params) { { invite_email: 'bogus@email.com' } }
|
|
|
|
|
|
|
|
it 'authenticates the user and sends a confirmation email without confirming', :aggregate_failures do
|
|
|
|
expect { subject }.to have_enqueued_mail(DeviseMailer, :confirmation_instructions)
|
|
|
|
expect(controller.current_user).not_to be_confirmed
|
|
|
|
end
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when signup_enabled? is false' do
|
|
|
|
it 'redirects to sign_in' do
|
2019-07-07 11:18:12 +05:30
|
|
|
stub_application_setting(signup_enabled: false)
|
2016-06-02 11:05:42 +05:30
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
expect { subject }.not_to change(User, :count)
|
2017-08-17 22:00:37 +05:30
|
|
|
expect(response).to redirect_to(new_user_session_path)
|
|
|
|
end
|
2016-06-02 11:05:42 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2017-08-17 22:00:37 +05:30
|
|
|
context 'when reCAPTCHA is enabled' do
|
|
|
|
before do
|
|
|
|
stub_application_setting(recaptcha_enabled: true)
|
|
|
|
end
|
|
|
|
|
2019-12-04 20:38:33 +05:30
|
|
|
after do
|
|
|
|
# Avoid test ordering issue and ensure `verify_recaptcha` returns true
|
|
|
|
unless Recaptcha.configuration.skip_verify_env.include?('test')
|
|
|
|
Recaptcha.configuration.skip_verify_env << 'test'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
context 'when the reCAPTCHA is not solved' do
|
|
|
|
before do
|
|
|
|
allow_any_instance_of(described_class).to receive(:verify_recaptcha).and_return(false)
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
it 'displays an error' do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(response).to render_template(:new)
|
|
|
|
expect(flash[:alert]).to eq(_('There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.'))
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
it 'sets gon variables' do
|
|
|
|
Gon.clear
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(response).to render_template(:new)
|
|
|
|
expect(Gon.all_variables).not_to be_empty
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
|
|
|
|
2020-11-24 15:15:51 +05:30
|
|
|
it 'redirects to the welcome page when the reCAPTCHA is solved' do
|
2021-01-03 14:25:43 +05:30
|
|
|
subject
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2020-11-24 15:15:51 +05:30
|
|
|
expect(response).to redirect_to(users_sign_up_welcome_path)
|
2016-06-02 11:05:42 +05:30
|
|
|
end
|
|
|
|
end
|
2018-11-08 19:23:39 +05:30
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
context 'when invisible captcha is enabled' do
|
|
|
|
before do
|
2021-03-08 18:12:59 +05:30
|
|
|
stub_application_setting(invisible_captcha_enabled: true)
|
2019-10-12 21:52:04 +05:30
|
|
|
InvisibleCaptcha.timestamp_threshold = treshold
|
|
|
|
end
|
|
|
|
|
|
|
|
let(:treshold) { 4 }
|
|
|
|
let(:session_params) { { invisible_captcha_timestamp: form_rendered_time.iso8601 } }
|
|
|
|
let(:form_rendered_time) { Time.current }
|
|
|
|
let(:submit_time) { form_rendered_time + treshold }
|
|
|
|
let(:auth_log_attributes) do
|
|
|
|
{
|
|
|
|
message: auth_log_message,
|
|
|
|
env: :invisible_captcha_signup_bot_detected,
|
2019-12-04 20:38:33 +05:30
|
|
|
remote_ip: '0.0.0.0',
|
2019-10-12 21:52:04 +05:30
|
|
|
request_method: 'POST',
|
2019-12-04 20:38:33 +05:30
|
|
|
path: '/users'
|
2019-10-12 21:52:04 +05:30
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'the honeypot has not been filled and the signup form has not been submitted too quickly' do
|
|
|
|
it 'creates an account' do
|
|
|
|
travel_to(submit_time) do
|
|
|
|
expect { post(:create, params: user_params, session: session_params) }.to change(User, :count).by(1)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'honeypot spam detection' do
|
|
|
|
let(:user_params) { super().merge(firstname: 'Roy', lastname: 'Batty') }
|
|
|
|
let(:auth_log_message) { 'Invisible_Captcha_Honeypot_Request' }
|
|
|
|
|
|
|
|
it 'logs the request, refuses to create an account and renders an empty body' do
|
|
|
|
travel_to(submit_time) do
|
|
|
|
expect(Gitlab::Metrics).to receive(:counter)
|
|
|
|
.with(:bot_blocked_by_invisible_captcha_honeypot, 'Counter of blocked sign up attempts with filled honeypot')
|
|
|
|
.and_call_original
|
|
|
|
expect(Gitlab::AuthLogger).to receive(:error).with(auth_log_attributes).once
|
|
|
|
expect { post(:create, params: user_params, session: session_params) }.not_to change(User, :count)
|
2020-03-13 15:44:24 +05:30
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
2019-10-12 21:52:04 +05:30
|
|
|
expect(response.body).to be_empty
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'timestamp spam detection' do
|
|
|
|
let(:auth_log_message) { 'Invisible_Captcha_Timestamp_Request' }
|
|
|
|
|
|
|
|
context 'the sign up form has been submitted without the invisible_captcha_timestamp parameter' do
|
|
|
|
let(:session_params) { nil }
|
|
|
|
|
|
|
|
it 'logs the request, refuses to create an account and displays a flash alert' do
|
|
|
|
travel_to(submit_time) do
|
|
|
|
expect(Gitlab::Metrics).to receive(:counter)
|
|
|
|
.with(:bot_blocked_by_invisible_captcha_timestamp, 'Counter of blocked sign up attempts with invalid timestamp')
|
|
|
|
.and_call_original
|
|
|
|
expect(Gitlab::AuthLogger).to receive(:error).with(auth_log_attributes).once
|
|
|
|
expect { post(:create, params: user_params, session: session_params) }.not_to change(User, :count)
|
|
|
|
expect(response).to redirect_to(new_user_session_path)
|
2020-01-01 13:55:28 +05:30
|
|
|
expect(flash[:alert]).to eq(I18n.t('invisible_captcha.timestamp_error_message'))
|
2019-10-12 21:52:04 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'the sign up form has been submitted too quickly' do
|
|
|
|
let(:submit_time) { form_rendered_time }
|
|
|
|
|
|
|
|
it 'logs the request, refuses to create an account and displays a flash alert' do
|
|
|
|
travel_to(submit_time) do
|
|
|
|
expect(Gitlab::Metrics).to receive(:counter)
|
|
|
|
.with(:bot_blocked_by_invisible_captcha_timestamp, 'Counter of blocked sign up attempts with invalid timestamp')
|
|
|
|
.and_call_original
|
|
|
|
expect(Gitlab::AuthLogger).to receive(:error).with(auth_log_attributes).once
|
|
|
|
expect { post(:create, params: user_params, session: session_params) }.not_to change(User, :count)
|
|
|
|
expect(response).to redirect_to(new_user_session_path)
|
2020-01-01 13:55:28 +05:30
|
|
|
expect(flash[:alert]).to eq(I18n.t('invisible_captcha.timestamp_error_message'))
|
2019-10-12 21:52:04 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
context 'terms of service' do
|
|
|
|
context 'when terms are enforced' do
|
2019-12-26 22:10:19 +05:30
|
|
|
before do
|
2021-01-03 14:25:43 +05:30
|
|
|
enforce_terms
|
2020-10-24 23:57:45 +05:30
|
|
|
end
|
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
it 'creates the user with accepted terms' do
|
|
|
|
subject
|
2020-10-24 23:57:45 +05:30
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
expect(controller.current_user).to be_present
|
|
|
|
expect(controller.current_user.terms_accepted?).to be(true)
|
2019-12-26 22:10:19 +05:30
|
|
|
end
|
|
|
|
end
|
2020-11-24 15:15:51 +05:30
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
context 'when terms are not enforced' do
|
|
|
|
it 'creates the user without accepted terms' do
|
2020-11-24 15:15:51 +05:30
|
|
|
subject
|
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
expect(controller.current_user).to be_present
|
|
|
|
expect(controller.current_user.terms_accepted?).to be(false)
|
2019-12-26 22:10:19 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-03-02 08:16:31 +05:30
|
|
|
context 'when the rate limit has been reached' do
|
|
|
|
it 'returns status 429 Too Many Requests', :aggregate_failures do
|
|
|
|
ip = '1.2.3.4'
|
|
|
|
expect(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).with(:user_sign_up, scope: ip).and_return(true)
|
|
|
|
|
|
|
|
controller.request.env['REMOTE_ADDR'] = ip
|
|
|
|
post(:create, params: user_params, session: session_params)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:too_many_requests)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-09-30 21:07:59 +05:30
|
|
|
it "logs a 'User Created' message" do
|
|
|
|
expect(Gitlab::AppLogger).to receive(:info).with(/\AUser Created: username=new_username email=new@user.com.+\z/).and_call_original
|
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
subject
|
2019-09-30 21:07:59 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
it 'handles when params are new_user' do
|
|
|
|
post(:create, params: { new_user: base_user_params })
|
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
expect(controller.current_user).not_to be_nil
|
2019-09-30 21:07:59 +05:30
|
|
|
end
|
2020-03-13 15:44:24 +05:30
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
it 'sets name from first and last name' do
|
|
|
|
post :create, params: { new_user: base_user_params }
|
2020-03-13 15:44:24 +05:30
|
|
|
|
2021-01-03 14:25:43 +05:30
|
|
|
expect(User.last.first_name).to eq(base_user_params[:first_name])
|
|
|
|
expect(User.last.last_name).to eq(base_user_params[:last_name])
|
2023-01-13 00:05:48 +05:30
|
|
|
expect(User.last.name).to eq full_name(base_user_params[:first_name], base_user_params[:last_name])
|
2020-03-13 15:44:24 +05:30
|
|
|
end
|
2021-09-04 01:27:46 +05:30
|
|
|
|
2021-12-11 22:18:48 +05:30
|
|
|
it 'sets the caller_id in the context' do
|
2021-09-04 01:27:46 +05:30
|
|
|
expect(controller).to receive(:create).and_wrap_original do |m, *args|
|
|
|
|
m.call(*args)
|
|
|
|
|
|
|
|
expect(Gitlab::ApplicationContext.current)
|
2021-12-11 22:18:48 +05:30
|
|
|
.to include('meta.caller_id' => 'RegistrationsController#create')
|
2021-09-04 01:27:46 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
subject
|
|
|
|
end
|
2022-04-04 11:22:00 +05:30
|
|
|
|
2022-10-11 01:57:18 +05:30
|
|
|
context 'when the password is weak' do
|
|
|
|
render_views
|
|
|
|
let_it_be(:new_user_params) { { new_user: base_user_params.merge({ password: "password" }) } }
|
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
subject(:post_create) { post(:create, params: new_user_params) }
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
it 'renders the form with errors' do
|
|
|
|
expect { post_create }.not_to change(User, :count)
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
expect(controller.current_user).to be_nil
|
|
|
|
expect(response).to render_template(:new)
|
|
|
|
expect(response.body).to include(_('Password must not contain commonly used combinations of words and letters'))
|
|
|
|
end
|
2023-01-13 00:05:48 +05:30
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
it 'tracks a weak password error' do
|
|
|
|
post_create
|
|
|
|
|
|
|
|
expect_snowplow_event(
|
|
|
|
category: 'Gitlab::Tracking::Helpers::WeakPasswordErrorEvent',
|
|
|
|
action: 'track_weak_password_error',
|
|
|
|
controller: 'RegistrationsController',
|
|
|
|
method: 'create'
|
|
|
|
)
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
it 'does not track failed form submission' do
|
|
|
|
post_create
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
expect_no_snowplow_event(
|
|
|
|
category: described_class.name,
|
|
|
|
action: 'successfully_submitted_form'
|
|
|
|
)
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
end
|
2023-01-13 00:05:48 +05:30
|
|
|
|
|
|
|
context 'when the password is not weak' do
|
|
|
|
it 'does not track a weak password error' do
|
2023-03-04 22:38:38 +05:30
|
|
|
post_create
|
|
|
|
|
2023-01-13 00:05:48 +05:30
|
|
|
expect_no_snowplow_event(
|
|
|
|
category: 'Gitlab::Tracking::Helpers::WeakPasswordErrorEvent',
|
|
|
|
action: 'track_weak_password_error'
|
|
|
|
)
|
|
|
|
end
|
2023-03-04 22:38:38 +05:30
|
|
|
|
|
|
|
it 'tracks successful form submission' do
|
|
|
|
post_create
|
|
|
|
|
|
|
|
expect_snowplow_event(
|
|
|
|
category: described_class.name,
|
|
|
|
action: 'successfully_submitted_form',
|
|
|
|
user: User.find_by(email: base_user_params[:email])
|
|
|
|
)
|
|
|
|
end
|
2023-01-13 00:05:48 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
context 'with preferred language' do
|
|
|
|
let(:user_preferred_language) { nil }
|
|
|
|
|
|
|
|
before do
|
|
|
|
cookies['preferred_language'] = user_preferred_language
|
|
|
|
|
|
|
|
post :create, params: { new_user: base_user_params }
|
|
|
|
end
|
|
|
|
|
|
|
|
subject { User.last.preferred_language }
|
|
|
|
|
|
|
|
context 'with default behavior' do
|
|
|
|
it 'sets preferred language to default' do
|
|
|
|
is_expected.to eq(Gitlab::CurrentSettings.default_preferred_language)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when user sets preferred language' do
|
|
|
|
let(:user_preferred_language) { 'zh_CN' }
|
|
|
|
|
|
|
|
it 'sets name from first and last name' do
|
|
|
|
is_expected.to eq(user_preferred_language)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2023-03-04 22:38:38 +05:30
|
|
|
|
|
|
|
context 'when the first or last name is not "present?"' do
|
|
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
|
|
|
|
render_views
|
|
|
|
|
|
|
|
shared_examples 'a user without present first name or last name' do
|
|
|
|
it 'renders the form with errors' do
|
|
|
|
subject
|
|
|
|
expect(controller.current_user).to be_nil
|
|
|
|
expect(response).to render_template(:new)
|
|
|
|
expect(response.body).to include(_('name cannot be blank')) # include 'First name' or 'Last name' or both
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
where(:first_name, :last_name) do
|
|
|
|
nil | 'last'
|
|
|
|
'' | 'last'
|
|
|
|
' ' | 'last'
|
|
|
|
'first' | nil
|
|
|
|
'first' | ''
|
|
|
|
'first' | ' '
|
|
|
|
'' | ''
|
|
|
|
end
|
|
|
|
|
|
|
|
with_them do
|
|
|
|
before do
|
|
|
|
base_user_params.merge!({ first_name: first_name, last_name: last_name })
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'a user without present first name or last name'
|
|
|
|
end
|
|
|
|
end
|
2016-06-02 11:05:42 +05:30
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
|
|
|
|
describe '#destroy' do
|
|
|
|
let(:user) { create(:user) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
sign_in(user)
|
|
|
|
end
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
def expect_failure(message)
|
|
|
|
expect(flash[:alert]).to eq(message)
|
2020-04-22 19:07:51 +05:30
|
|
|
expect(response).to have_gitlab_http_status(:see_other)
|
2018-03-17 18:26:18 +05:30
|
|
|
expect(response).to redirect_to profile_account_path
|
|
|
|
end
|
|
|
|
|
|
|
|
def expect_password_failure
|
2020-01-01 13:55:28 +05:30
|
|
|
expect_failure(s_('Profiles|Invalid password'))
|
2018-03-17 18:26:18 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
def expect_username_failure
|
2020-01-01 13:55:28 +05:30
|
|
|
expect_failure(s_('Profiles|Invalid username'))
|
2018-03-17 18:26:18 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
def expect_success
|
2020-01-01 13:55:28 +05:30
|
|
|
expect(flash[:notice]).to eq s_('Profiles|Account scheduled for removal.')
|
2020-04-22 19:07:51 +05:30
|
|
|
expect(response).to have_gitlab_http_status(:see_other)
|
2018-03-17 18:26:18 +05:30
|
|
|
expect(response).to redirect_to new_user_session_path
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
context 'user requires password confirmation' do
|
|
|
|
it 'fails if password confirmation is not provided' do
|
|
|
|
post :destroy
|
2017-08-17 22:00:37 +05:30
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
expect_password_failure
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'fails if password confirmation is wrong' do
|
2019-02-15 15:39:39 +05:30
|
|
|
post :destroy, params: { password: 'wrong password' }
|
2018-03-17 18:26:18 +05:30
|
|
|
|
|
|
|
expect_password_failure
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'succeeds if password is confirmed' do
|
2022-08-27 11:52:29 +05:30
|
|
|
post :destroy, params: { password: user.password }
|
2018-03-17 18:26:18 +05:30
|
|
|
|
|
|
|
expect_success
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'user does not require password confirmation' do
|
|
|
|
before do
|
|
|
|
stub_application_setting(password_authentication_enabled_for_web: false)
|
|
|
|
stub_application_setting(password_authentication_enabled_for_git: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'fails if username confirmation is not provided' do
|
|
|
|
post :destroy
|
|
|
|
|
|
|
|
expect_username_failure
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'fails if username confirmation is wrong' do
|
2019-02-15 15:39:39 +05:30
|
|
|
post :destroy, params: { username: 'wrong username' }
|
2018-03-17 18:26:18 +05:30
|
|
|
|
|
|
|
expect_username_failure
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'succeeds if username is confirmed' do
|
2019-02-15 15:39:39 +05:30
|
|
|
post :destroy, params: { username: user.username }
|
2018-03-17 18:26:18 +05:30
|
|
|
|
|
|
|
expect_success
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
2020-10-04 03:57:07 +05:30
|
|
|
|
|
|
|
context 'prerequisites for account deletion' do
|
|
|
|
context 'solo-owned groups' do
|
|
|
|
let(:group) { create(:group) }
|
|
|
|
|
|
|
|
context 'if the user is the sole owner of at least one group' do
|
|
|
|
before do
|
|
|
|
create(:group_member, :owner, group: group, user: user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'fails' do
|
2022-08-27 11:52:29 +05:30
|
|
|
delete :destroy, params: { password: user.password }
|
2020-10-04 03:57:07 +05:30
|
|
|
|
|
|
|
expect_failure(s_('Profiles|You must transfer ownership or delete groups you are an owner of before you can delete your account'))
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2021-09-04 01:27:46 +05:30
|
|
|
|
2021-11-18 22:05:49 +05:30
|
|
|
context 'when user did not accept app terms' do
|
|
|
|
let(:user) { create(:user, accepted_term: nil) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
stub_application_setting(password_authentication_enabled_for_web: false)
|
|
|
|
stub_application_setting(password_authentication_enabled_for_git: false)
|
|
|
|
stub_application_setting(enforce_terms: true)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'fails with message' do
|
|
|
|
post :destroy, params: { username: user.username }
|
|
|
|
|
|
|
|
expect_failure(s_('Profiles|You must accept the Terms of Service in order to perform this action.'))
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-09-04 01:27:46 +05:30
|
|
|
it 'sets the username and caller_id in the context' do
|
|
|
|
expect(controller).to receive(:destroy).and_wrap_original do |m, *args|
|
|
|
|
m.call(*args)
|
|
|
|
|
|
|
|
expect(Gitlab::ApplicationContext.current)
|
|
|
|
.to include('meta.user' => user.username,
|
|
|
|
'meta.caller_id' => 'RegistrationsController#destroy')
|
|
|
|
end
|
|
|
|
|
|
|
|
post :destroy
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
2016-06-02 11:05:42 +05:30
|
|
|
end
|