Skip to content

Commit

Permalink
Fix: Broken password reset after merging (ontologies_linked_data PR#1…
Browse files Browse the repository at this point in the history
…59) + Add User sensitive data unit test (#98)

* add a unit test for user sensitive data

* explicitly load sensitive data in password reset

* update Gemfile.lock

---------

Co-authored-by: Syphax <[email protected]>
  • Loading branch information
muhammedBkf and syphax-bouazzouni authored Oct 21, 2024
1 parent e0cfbd9 commit 4b62667
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 1 deletion.
4 changes: 3 additions & 1 deletion helpers/users_helper.rb
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,9 @@ def reset_password(email, username, token)
user = LinkedData::Models::User.where(email: email, username: username).include(User.goo_attrs_to_load(includes_param)).first

error 404, "User not found" unless user


user.bring(:resetToken)
user.bring(:passwordHash)
user.show_apikey = true

[user, token.eql?(user.resetToken)]
Expand Down
12 changes: 12 additions & 0 deletions test/controllers/test_users_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,18 @@ def test_oauth_authentication
end
end

def test_hide_sensitive_data
user = @@users[0]
reset_token = "reset_password_token"
user.resetToken = reset_token
user.save
username = user.username
get "/users/#{username}?display=resetToken,passwordHash"
assert last_response.ok?
refute_includes MultiJson.load(last_response.body), 'resetToken', "resetToken should NOT be included in the response"
refute_includes MultiJson.load(last_response.body), 'passwordHash', "passwordHash should NOT be included in the response"
end

private
def _create_admin_user(apikey: nil)
user = {email: "#{@@username}@example.org", password: "pass_the_word", role: ['ADMINISTRATOR']}
Expand Down

0 comments on commit 4b62667

Please sign in to comment.