From 57a4fedd346a50d36760d689a4bcaa8e17f71d3c Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Sun, 28 Oct 2018 05:59:11 +0000
Subject: Handles the case when an expired token is in the users session (#29781).
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Patch by Jens Krämer.
git-svn-id: http://svn.redmine.org/redmine/trunk@17601 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 test/integration/account_test.rb | 55 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
(limited to 'test/integration/account_test.rb')
diff --git a/test/integration/account_test.rb b/test/integration/account_test.rb
index a3a1ecb2e..4f0a45156 100644
--- a/test/integration/account_test.rb
+++ b/test/integration/account_test.rb
@@ -146,6 +146,61 @@ class AccountTest < Redmine::IntegrationTest
 assert_equal false, Token.exists?(token.id), "Password recovery token was not deleted"
 end
+ def test_lost_password_expired_token
+ Token.delete_all
+
+ get "/account/lost_password"
+ assert_response :success
+ assert_select 'input[name=mail]'
+
+ post "/account/lost_password", :params => {
+ :mail => 'jSmith@somenet.foo'
+ }
+ assert_redirected_to "/login"
+
+ token = Token.first
+ assert_equal 'recovery', token.action
+ assert_equal 'jsmith@somenet.foo', token.user.mail
+ refute token.expired?
+
+ get "/account/lost_password", :params => {
+ :token => token.value
+ }
+ assert_redirected_to '/account/lost_password'
+
+ follow_redirect!
+ assert_response :success
+
+ # suppose the user forgets to continue the process and the token expires.
+ token.update_column :created_on, 1.week.ago
+ assert token.expired?
+
+ assert_select 'input[type=hidden][name=token][value=?]', token.value
+ assert_select 'input[name=new_password]'
+ assert_select 'input[name=new_password_confirmation]'
+
+ post "/account/lost_password", :params => {
+ :token => token.value, :new_password => 'newpass123',
+ :new_password_confirmation => 'newpass123'
+ }
+
+ assert_redirected_to "/account/lost_password"
+ assert_equal 'This password recovery link has expired, please try again.', flash[:error]
+ follow_redirect!
+ assert_response :success
+
+ post "/account/lost_password", :params => {
+ :mail => 'jSmith@somenet.foo'
+ }
+ assert_redirected_to "/login"
+
+ # should have a new token now
+ token = Token.last
+ assert_equal 'recovery', token.action
+ assert_equal 'jsmith@somenet.foo', token.user.mail
+ refute token.expired?
+ end
+
 def test_user_with_must_change_passwd_should_be_forced_to_change_its_password
 User.find_by_login('jsmith').update_attribute :must_change_passwd, true
-- cgit v1.2.3
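Review bot: The POST with the expired token in `test_lost_password_expired_token` is checked only through the redirect and the flash message, so the test would still pass if the controller showed the error but changed the password anyway. Right after the `flash[:error]` assertion I would pin the security property itself, for example `assert_nil User.try_to_login('jsmith', 'newpass123')` (assuming that helper behaves here as it does elsewhere in the suite). The closing block also never ties the new token to the old one. Keeping `expired_value = token.value` before the second request and adding `assert_not_equal expired_value, token.value` after `Token.last` would make "should have a new token now" an explicit check, rather than one implied by `refute token.expired?`. If the controller is meant to remove the stale token, the `Token.exists?` assertion visible in the context above this method could be reused for the expired record as well.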