Fixed issue with account activation allowing it to be circumvented (#…

…2324)
bigbluebutton · Dec 1, 2020 · 95b86b1 · 95b86b1
1 parent 81907d0
commit 95b86b1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 13 deletions.
diff --git a/app/controllers/account_activations_controller.rb b/app/controllers/account_activations_controller.rb
@@ -20,7 +20,8 @@ class AccountActivationsController < ApplicationController
   include Emailer
 
   before_action :ensure_unauthenticated
-  before_action :find_user
+  before_action :find_user_by_token, only: :edit
+  before_action :find_user_by_digest, only: :resend
 
   # GET /account_activations
   def show
@@ -59,19 +60,17 @@ def resend
 
   private
 
-  def find_user
-    digest = if params[:token].present?
-      User.hash_token(params[:token])
-    elsif params[:digest].present?
-      params[:digest]
-    else
-      raise "Missing token/digest params"
-    end
+  def find_user_by_token
+    return redirect_to root_path, flash: { alert: I18n.t("verify.invalid") } unless params[:token].present?
+
+    @user = User.find_by!(activation_digest: User.hash_token(params[:token]), provider: @user_domain)
+  end
 
-    @user = User.find_by!(activation_digest: digest, provider: @user_domain)
+  def find_user_by_digest
+    @user = User.find_by!(activation_digest: params[:digest], provider: @user_domain)
   end
 
   def ensure_unauthenticated
-    redirect_to current_user.main_room if current_user
+    redirect_to current_user.main_room || root_path if current_user
   end
 end
diff --git a/spec/controllers/account_activations_controller_spec.rb b/spec/controllers/account_activations_controller_spec.rb
@@ -85,7 +85,7 @@
     it "resends the email to the current user if the resend button is clicked" do
       user = create(:user, email_verified: false, provider: "greenlight")
 
-      expect { get :resend, params: { token: user.create_activation_token } }
+      expect { get :resend, params: { digest: User.hash_token(user.create_activation_token) } }
         .to change { ActionMailer::Base.deliveries.count }.by(1)
       expect(flash[:success]).to be_present
       expect(response).to redirect_to(root_path)
@@ -94,7 +94,7 @@
     it "redirects a verified user to the root path" do
       user = create(:user, provider: "greenlight")
 
-      get :resend, params: { token: user.create_activation_token }
+      get :resend, params: { digest: User.hash_token(user.create_activation_token) }
 
       expect(flash[:alert]).to be_present
       expect(response).to redirect_to(root_path)