blob: b8a4b94aa66badd587d26d709db3175edd70f3cf (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe ConfirmEmailWarning, feature_category: :system_access do
before do
stub_feature_flags(soft_email_confirmation: true)
end
controller(ApplicationController) do
# `described_class` is not available in this context
include ConfirmEmailWarning
def index
head :ok
end
end
RSpec::Matchers.define :set_confirm_warning_for do |email|
match do |response|
expect(controller).to set_flash.now[:warning].to include("Please check your email (#{email}) to verify that you own this address and unlock the power of CI/CD.")
end
end
describe 'confirm email flash warning' do
context 'when not signed in' do
let(:user) { create(:user, confirmed_at: nil) }
before do
get :index
end
it { is_expected.not_to set_confirm_warning_for(user.email) }
end
context 'when signed in' do
before do
sign_in(user)
end
context 'with a confirmed user' do
let(:user) { create(:user) }
before do
get :index
end
it { is_expected.not_to set_confirm_warning_for(user.email) }
end
context 'with an unconfirmed user' do
let(:user) { create(:user, confirmed_at: nil) }
context 'when executing a json request' do
before do
get :index, format: :json
end
it { is_expected.not_to set_confirm_warning_for(user.email) }
end
context 'when executing a post request' do
before do
post :index
end
it { is_expected.not_to set_confirm_warning_for(user.email) }
end
context 'when executing a get request' do
before do
get :index
end
context 'with an unconfirmed email address present' do
let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: 'unconfirmed@gitlab.com') }
it { is_expected.to set_confirm_warning_for(user.unconfirmed_email) }
end
context 'without an unconfirmed email address present' do
it { is_expected.to set_confirm_warning_for(user.email) }
end
end
context 'when user is being impersonated' do
let(:impersonator) { create(:admin) }
before do
allow(controller).to receive(:session).and_return({ impersonator_id: impersonator.id })
get :index
end
it { is_expected.to set_confirm_warning_for(user.email) }
context 'when impersonated user email has html in their email' do
let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
it { is_expected.to set_confirm_warning_for("malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
end
end
context 'when user is not being impersonated' do
before do
get :index
end
it { is_expected.to set_confirm_warning_for(user.email) }
context 'when user email has html in their email' do
let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
it { is_expected.to set_confirm_warning_for("malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
end
end
end
end
end
end
|