authorGo MAEDA <maeda@farend.jp>2018-10-28 05:59:11 +0000
committerGo MAEDA <maeda@farend.jp>2018-10-28 05:59:11 +0000
commit57a4fedd346a50d36760d689a4bcaa8e17f71d3c (patch)
tree895f907a0a12f01caeb21eba377ebfbbad974060 /test/integration
parent9a53b68b73a7d39d45f74c17c1e3ddc6ff51bc87 (diff)
Handles the case when an expired token is in the users session (#29781).
Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@17601 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test/integration')
-rw-r--r--test/integration/account_test.rb55
1 files changed, 55 insertions, 0 deletions
diff --git a/test/integration/account_test.rb b/test/integration/account_test.rb
index a3a1ecb2e..4f0a45156 100644
--- a/test/integration/account_test.rb
+++ b/test/integration/account_test.rb
@@ -146,6 +146,61 @@ class AccountTest < Redmine::IntegrationTest
assert_equal false, Token.exists?(token.id), "Password recovery token was not deleted"
end
+ def test_lost_password_expired_token
+ Token.delete_all
+
+ get "/account/lost_password"
+ assert_response :success
+ assert_select 'input[name=mail]'
+
+ post "/account/lost_password", :params => {
+ :mail => 'jSmith@somenet.foo'
+ }
+ assert_redirected_to "/login"
+
+ token = Token.first
+ assert_equal 'recovery', token.action
+ assert_equal 'jsmith@somenet.foo', token.user.mail
+ refute token.expired?
+
+ get "/account/lost_password", :params => {
+ :token => token.value
+ }
+ assert_redirected_to '/account/lost_password'
+
+ follow_redirect!
+ assert_response :success
+
+ # suppose the user forgets to continue the process and the token expires.
+ token.update_column :created_on, 1.week.ago
+ assert token.expired?
+
+ assert_select 'input[type=hidden][name=token][value=?]', token.value
+ assert_select 'input[name=new_password]'
+ assert_select 'input[name=new_password_confirmation]'
+
+ post "/account/lost_password", :params => {
+ :token => token.value, :new_password => 'newpass123',
+ :new_password_confirmation => 'newpass123'
+ }
+
+ assert_redirected_to "/account/lost_password"
+ assert_equal 'This password recovery link has expired, please try again.', flash[:error]
+ follow_redirect!
+ assert_response :success
+
+ post "/account/lost_password", :params => {
+ :mail => 'jSmith@somenet.foo'
+ }
+ assert_redirected_to "/login"
+
+ # should have a new token now
+ token = Token.last
+ assert_equal 'recovery', token.action
+ assert_equal 'jsmith@somenet.foo', token.user.mail
+ refute token.expired?
+ end
+
def test_user_with_must_change_passwd_should_be_forced_to_change_its_password
User.find_by_login('jsmith').update_attribute :must_change_passwd, true
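Review bot: The POST that submits `:new_password => 'newpass123'` with the expired token is verified only through the redirect and the flash text, so `test_lost_password_expired_token` would still pass if the controller changed the password before redirecting. Right after the `flash[:error]` assertion I would pin the actual security property with a negative check such as `refute User.find_by_login('jsmith').check_password?('newpass123')`. It may also be worth asserting that the replacement token's `value` differs from the expired one, since `Token.last` plus `refute token.expired?` only shows that some unexpired recovery token exists. The trailing context, `test_user_with_must_change_passwd_should_be_forced_to_change_its_password`, continues outside the hunk and is not covered by this note.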