Skip to content

Commit

Permalink
Do not accept expired invitation on password reset
Browse files Browse the repository at this point in the history
  • Loading branch information
ahukkanen authored and scambra committed Oct 11, 2023
1 parent 41f5897 commit 8a08437
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/devise_invitable/models.rb
Original file line number Diff line number Diff line change
Expand Up @@ -195,7 +195,7 @@ def unauthenticated_message
def clear_reset_password_token
reset_password_token_present = reset_password_token.present?
super
accept_invitation! if reset_password_token_present && invited_to_sign_up?
accept_invitation! if reset_password_token_present && valid_invitation?
end

def clear_errors_on_valid_keys
Expand Down Expand Up @@ -231,7 +231,7 @@ def invitation_due_at
def add_taken_error(key)
errors.add(key, :taken)
end

def invitation_taken?
!invited_to_sign_up?
end
Expand Down
17 changes: 17 additions & 0 deletions test/models/invitable_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -279,6 +279,23 @@ def setup
refute_predicate user, :invited_to_sign_up?
end

test 'should not accept expired invitation while resetting the password' do
User.stubs(:invite_for).returns(1.day)
user = User.invite!(email: 'valid@email.com')
assert user.invited_to_sign_up?
user.invitation_created_at = Time.now.utc - 2.days
token, user.reset_password_token = Devise.token_generator.generate(User, :reset_password_token)
user.reset_password_sent_at = Time.now.utc
user.save

assert user.reset_password_token.present?
assert user.invitation_token.present?
User.reset_password_by_token(reset_password_token: token, password: '123456789', password_confirmation: '123456789')
assert_nil user.reload.reset_password_token
assert user.reload.invitation_token.present?
assert user.reload.invited_to_sign_up?
end

test 'should not accept invitation on failing to reset the password' do
user = User.invite!(email: 'valid@email.com')
assert user.invited_to_sign_up?
Expand Down

0 comments on commit 8a08437

Please sign in to comment.