

2 Commits

Author SHA1 Message Date
Trevor Vallender 72f2894b06 Ensure users can’t be spammed with password resets 2024-06-05 14:34:22 +01:00
Trevor Vallender 651813066e Allow deletion of avatars 2024-06-05 13:28:51 +01:00
14 changed files with 89 additions and 5 deletions


@ -32,7 +32,7 @@ class UsersController < ApplicationController
end
def update
if @user.update(existing_user_params)
if existing_user_params.present? && @user.update(existing_user_params)
redirect_to @user, notice: t(".success")
else
flash.now[:alert] = t(".error")
@ -59,6 +59,7 @@ class UsersController < ApplicationController
:last_name,
:profile,
:avatar,
:delete_avatar,
)
end
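Review bot: The `existing_user_params.present?` guard on the update line sends a blank submission down the same branch as a failed validation, so the user sees the t(".error") alert with no model error to explain it. If the guard is meant to stop an empty PATCH from being reported as a successful update, say so above the line, e.g. `# Treat an empty submission as a failed update rather than a silent no-op`; if it guards against something else, the comment should name that instead. `existing_user_params` is defined outside the hunk, so I could not confirm which case applies.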


@ -20,6 +20,9 @@ class UserMailer < ApplicationMailer
@user = params[:user]
@token = params[:token]
return if @user.password_reset_last_sent_at&.after?(10.minutes.ago)
@user.update(password_reset_last_sent_at: Time.zone.now)
mail(to: @user.email, subject: t(".password_reset.subject"))
end
end
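Review bot: `@user.update(password_reset_last_sent_at: Time.zone.now)` runs the User validations and returns false without raising, so for a record that is currently invalid the timestamp is never stored and the throttle on the preceding line silently never engages; `@user.update_column(:password_reset_last_sent_at, Time.zone.now)` persists just this column and avoids that. The check and the write are two separate statements, so two requests arriving at the same instant can both pass the guard — probably acceptable for a 10-minute window, but worth a one-line comment so nobody reads it as airtight. The `def password_reset` line sits above the hunk.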


@ -0,0 +1,25 @@
# frozen_string_literal: true
module DeletableAttachments
extend ActiveSupport::Concern
included do
before_save :delete_attachments
def delete_attachments
attachment_reflections.each do |reflection, _|
if send("delete_#{reflection}")
send(reflection).purge
end
end
end
end
class_methods do
def deletable_attachments(*attachments)
attachments.each do |attachment|
attribute "delete_#{attachment}", :boolean, default: false
end
end
end
end
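Review bot: `delete_attachments` walks every entry of `attachment_reflections`, but the `delete_<name>` attribute exists only for names passed to `deletable_attachments`, so a model that includes this concern and also declares an attachment it did not register will raise NoMethodError from `send("delete_#{reflection}")` on every save. Skipping unregistered attachments fixes this and drops the unused block parameter: `attachment_reflections.each_key do |name|` / `next unless respond_to?("delete_#{name}") && send("delete_#{name}")` / `send(name).purge`. Separately, `purge` inside before_save removes the blob from storage before the transaction commits, so a save that then fails or is rolled back can leave the attachment rows restored but the file already gone; Rails' `purge_later` from an `after_commit` callback avoids that. The names passed to `send` come from the reflections rather than from request parameters, so the dynamic dispatch itself is not a concern.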


@ -1,6 +1,9 @@
# frozen_string_literal: true
class User < ApplicationRecord
include DeletableAttachments
deletable_attachments :avatar
has_and_belongs_to_many :site_roles
has_many :owned_tables, foreign_key: :owner_id, class_name: "Table"
has_many :players, dependent: :destroy


@ -35,6 +35,9 @@
<hr>
<% if user.persisted? %>
<%= f.label :delete_avatar %>
<%= f.check_box :delete_avatar %>
<%= f.label :avatar %>
<%= f.file_field :avatar %>
<%= display_form_errors(user, :avatar) %>
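Review bot: The new `delete_avatar` label and check box are rendered for every persisted user, including one with no avatar attached, so the form offers to delete something that does not exist; wrapping the two added lines in `<% if user.avatar.attached? %> … <% end %>` keeps the control meaningful. I could not see the rest of the form to confirm there is no such guard further up.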


@ -0,0 +1,7 @@
# frozen_string_literal: true
class AddPasswordResetLastSentAtToUser < ActiveRecord::Migration[7.1]
def change
add_column :users, :password_reset_last_sent_at, :datetime
end
end

db/schema.rb generated

@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema[7.1].define(version: 2024_05_30_073852) do
ActiveRecord::Schema[7.1].define(version: 2024_06_05_132327) do
# These are extensions that must be enabled in order to support this database
enable_extension "plpgsql"
@ -221,6 +221,7 @@ ActiveRecord::Schema[7.1].define(version: 2024_05_30_073852) do
t.datetime "created_at", null: false
t.datetime "updated_at", null: false
t.boolean "verified", default: false, null: false
t.datetime "password_reset_last_sent_at"
t.index ["email"], name: "index_users_on_email", unique: true
t.index ["username"], name: "index_users_on_username", unique: true
t.index ["verified"], name: "index_users_on_verified"


@ -52,6 +52,15 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
assert_redirected_to user_path(users(:trevor))
end
test "can delete avatar" do
user = users(:trevor)
assert user.avatar.attached?
sign_in users(:trevor)
patch(user_url(user), params: { user: { delete_avatar: "1" } })
assert_not user.reload.avatar.attached?
end
private
def user_params
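Review bot: The "can delete avatar" test only exercises the owner path; the same PATCH issued while a different user is signed in, followed by `assert user.reload.avatar.attached?`, would pin down that `delete_avatar` cannot be used against someone else's account, which is the property that matters most now that the parameter is permitted. Whether such a check already exists elsewhere in the file I cannot tell from the hunk. Minor: `sign_in users(:trevor)` can reuse the local, `sign_in user`.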


@ -0,0 +1,4 @@
trevor_avatar:
name: avatar
record: trevor (User)
blob: trevor_avatar_blob


@ -0,0 +1 @@
trevor_avatar_blob: <%= ActiveStorage::FixtureSet.blob(filename: "trevor.png", service_name: "test") %>

test/fixtures/files/trevor.png vendored Normal file





@ -0,0 +1,17 @@
# frozen_string_literal: true
class UserMailerTest < ActionMailer::TestCase
test "password resets cant be resent within 10 minutes" do
user = users(:trevor)
assert_emails(+1) do
UserMailer.with(user: user, token: user.generate_token_for(:password_reset)).password_reset.deliver_now
end
assert_emails(0) do
UserMailer.with(user: user, token: user.generate_token_for(:password_reset)).password_reset.deliver_now
end
travel 11.minutes
assert_emails(+1) do
UserMailer.with(user: user, token: user.generate_token_for(:password_reset)).password_reset.deliver_now
end
end
end
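Review bot: The line `UserMailer.with(user: user, token: user.generate_token_for(:password_reset)).password_reset.deliver_now` is repeated three times; pulling it into a local, `send_reset = -> { UserMailer.with(user: user, token: user.generate_token_for(:password_reset)).password_reset.deliver_now }`, and calling `send_reset.call` inside each `assert_emails` block makes the three steps read as first send, throttled resend, and resend after the window. The test also never checks that the throttle timestamp was persisted, so `assert_not_nil user.reload.password_reset_last_sent_at` after the first block would catch a write that silently fails and leaves the throttle inactive.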


@ -55,4 +55,15 @@ class UserTest < ActiveSupport::TestCase
user.update(password: "new_password")
assert_nil User.find_by_token_for(:password_reset, token)
end
test "avatar is automatically deleted when flag set" do
user = users(:trevor)
assert user.avatar.attached?
user.first_name = "Newname"
user.save
assert user.avatar.attached?
user.delete_avatar = true
user.save
assert_not user.avatar.attached?
end
end
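Review bot: Both `user.save` calls in the new test discard the return value, so if a validation fails the test reports only that the avatar is still attached rather than why; `assert user.save` on each (or `user.save!`) makes the failure point clear. The enclosing `UserTest` class starts before the hunk.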


@ -1,5 +1,4 @@
- avatars
- delete avatar
- ensure password reset emails can't send too often
- default avatars
- shared/private notes
- Add characters to users/tables