diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 040e57cf4..0267e57d4 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -116,6 +116,11 @@
 # Default: false
 config.validate_on_invite = true
+ # Auto-login after the user accepts the invite. If this is false,
+ # the user will need to manually log in after accepting the invite.
+ # Default: true
+ config.allow_insecure_sign_in_after_accept = false
+
 # ==> Configuration for :confirmable
 # A period that the user is allowed to access the website even without
 # confirming their account. For instance, if set to 2.days, the user will be
diff --git a/test/integration/email_change_test.rb b/test/integration/email_change_test.rb
index 5468341f1..2fcb570ca 100644
--- a/test/integration/email_change_test.rb
+++ b/test/integration/email_change_test.rb
@@ -1,8 +1,6 @@
 require "test_helper"
-require "support/user_account_helpers"
 class EmailChangeTest < ActionDispatch::IntegrationTest
- include UserAccountHelpers
 include ActiveJob::TestHelper
 context "by an admin" do
diff --git a/test/integration/inviting_users_test.rb b/test/integration/inviting_users_test.rb
index 7514278a9..dd1726dc3 100644
--- a/test/integration/inviting_users_test.rb
+++ b/test/integration/inviting_users_test.rb
@@ -1,10 +1,9 @@
 require "test_helper"
 class InvitingUsersTest < ActionDispatch::IntegrationTest
- include EmailHelpers
 include ActiveJob::TestHelper
- should "send the user an invitation token" do
+ should "ask the invited user to set a password" do
 user = User.invite!(name: "Jim", email: "jim@web.com")
 visit accept_user_invitation_path(invitation_token: user.raw_invitation_token)
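Review bot: The comment added above `config.allow_insecure_sign_in_after_accept = false` in config/initializers/devise.rb describes the option and its default, but not why this application turns it off. With the default, accepting an invitation ends in a signed-in session without passing through the sign-in page, so whatever that page enforces is presumably skipped for the first session. I would record the intent next to the setting, e.g. `# Disabled: accepting an invite must not create a session; the invitee signs in through the normal sign-in flow.` The enclosing configuration block starts and ends outside the hunk.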
@@ -12,7 +11,24 @@ class InvitingUsersTest < ActionDispatch::IntegrationTest
 fill_in "Confirm new password", with: "this 1s 4 v3333ry s3cur3 p4ssw0rd.!Z"
 click_button "Save password"
- assert_response_contains("You are now signed in")
+ assert_response_contains("Your password was set successfully.")
+ end
+
+ should "require the invited user to sign in after setting their password" do
+ user = User.invite!(name: "Neptuno Keighley", email: "neptuno.keighley@office.gov.uk")
+
+ accept_invitation(
+ invitation_token: user.raw_invitation_token,
+ password: "pretext annoying headpiece waviness header slinky",
+ )
+
+ assert_response_contains("Sign in to GOV.UK")
+
+ fill_in "Email", with: "neptuno.keighley@office.gov.uk"
+ fill_in "Password", with: "pretext annoying headpiece waviness header slinky"
+ click_button "Sign in"
+
+ assert_response_contains("Make your account more secure by setting up 2‑step verification.")
 end
 should "not send invitation token to Google Analytics" do
diff --git a/test/test_helper.rb b/test/test_helper.rb
index acd6e79da..b8232d792 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -73,6 +73,7 @@ def sign_out(_user)
 require "support/managing_two_sv_helpers"
 require "support/analytics_helpers"
 require "support/html_table_helpers"
+require "support/user_account_helpers"
 class ActiveRecord::Base
 mattr_accessor :shared_connection
@@ -94,6 +95,7 @@ class ActionDispatch::IntegrationTest
 include EmailHelpers
 include ConfirmationTokenHelpers
 include AnalyticsHelpers
+ include UserAccountHelpers
 def assert_response_contains(content)
 assert page.has_content?(content), "Expected to find '#{content}' in:\n#{page.text}"
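Review bot: In the new test `require the invited user to sign in after setting their password` in test/integration/inviting_users_test.rb, the email address and the password are each written out twice as literals, so the invite/accept step and the later sign-in can drift apart and the test would then fail for the wrong reason. Binding them once, `email = "neptuno.keighley@office.gov.uk"` and `password = "pretext annoying headpiece waviness header slinky"`, and reusing the locals in `User.invite!`, `accept_invitation`, `fill_in "Email"` and `fill_in "Password"` keeps the three steps tied together. The first test in the same file still fills in the password form by hand while this one calls `accept_invitation`; using the helper in both would keep them consistent, assuming the helper submits the same form.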