jh - reworking paranoid mode in passwords controller

Signed-off-by: José Valim <jose.valim@gmail.com>
2022-11-09 12:18:31 -05:00 · 2011-10-12 14:12:20 -07:00 · 2011-10-12 14:12:20 -07:00 · b98720d324
commit b98720d324
parent fa1034b04c
3 changed files with 26 additions and 4 deletions
--- a/app/controllers/devise/passwords_controller.rb
+++ b/app/controllers/devise/passwords_controller.rb
@ -12,8 +12,7 @@ class Devise::PasswordsController < ApplicationController
  def create
    self.resource = resource_class.send_reset_password_instructions(params[resource_name])

-    if successful_and_sane?(resource)
-      set_flash_message(:notice, :send_instructions) if is_navigational_format?
+    if successfully_sent?(resource)
      respond_with({}, :location => after_sending_reset_password_instructions_path_for(resource_name))
    else
      respond_with_navigational(resource){ render_with_scope :new }
--- a/lib/devise/controllers/internal_helpers.rb
+++ b/lib/devise/controllers/internal_helpers.rb
@ -112,6 +112,20 @@ MESSAGE
          resource.errors.empty?
        end
      end
+      
+      # Helper for use after calling send_*_instructions methods on a resource. If we are in paranoid mode, we always
+      # act as if the resource was valid and instructions were sent.
+      def successfully_sent?(resource)
+        notice = if Devise.paranoid
+          :send_paranoid_instructions
+        elsif  resource.errors.empty?
+          :send_instructions
+        end
+        
+        notice.present?.tap do |success| 
+          set_flash_message :notice, notice if success && is_navigational_format?
+        end
+      end

      # Sets the flash message with :key, using I18n. By default you are able
      # to setup your messages using specific resource scope, and if no one is
--- a/test/integration/recoverable_test.rb
+++ b/test/integration/recoverable_test.rb
@ -208,6 +208,15 @@ class PasswordTest < ActionController::IntegrationTest
    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
  end

+  test 'reset password request with invalid E-Mail in XML format should return empty and valid response' do
+    swap Devise, :paranoid => true do
+      create_user
+      post user_password_path(:format => 'xml'), :user => {:email => "invalid@test.com"}
+      assert_response :success
+      assert_equal response.body, { }.to_xml
+    end
+  end
+
  test 'change password with valid parameters in XML format should return valid response' do
    user = create_user
    request_forgot_password
@ -250,7 +259,7 @@ class PasswordTest < ActionController::IntegrationTest
      assert_not_contain "1 error prohibited this user from being saved:"
      assert_not_contain "Email not found"
      assert_contain "If your e-mail exists on our database, you will receive a password recovery link on your e-mail"
-      assert_current_url "/users/password"
+      assert_current_url "/users/sign_in"
    end
  end

@ -262,7 +271,7 @@ class PasswordTest < ActionController::IntegrationTest
      click_button 'Send me reset password instructions'

      assert_contain "If your e-mail exists on our database, you will receive a password recovery link on your e-mail"
-      assert_current_url "/users/password"
+      assert_current_url "/users/sign_in"
    end
  end
 end